"text":"Install using pip , including any optional packages you want... pip install djangorestframework\npip install markdown # Markdown support for the browsable API.\npip install django-filter # Filtering support ...or clone the project from github. git clone git@github.com:tomchristie/django-rest-framework.git Add 'rest_framework' to your INSTALLED_APPS setting. INSTALLED_APPS = (\n ...\n 'rest_framework',\n) If you're intending to use the browsable API you'll probably also want to add REST framework's login and logout views. Add the following to your root urls.py file. urlpatterns = [\n ...\n url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework'))\n] Note that the URL path can be whatever you want, but you must include 'rest_framework.urls' with the 'rest_framework' namespace. You may leave out the namespace in Django 1.9+, and REST framework will set it for you.",
"text":"Let's take a look at a quick example of using REST framework to build a simple model-backed API. We'll create a read-write API for accessing information on the users of our project. Any global settings for a REST framework API are kept in a single configuration dictionary named REST_FRAMEWORK . Start off by adding the following to your settings.py module: REST_FRAMEWORK = {\n # Use Django's standard `django.contrib.auth` permissions,\n # or allow read-only access for unauthenticated users.\n 'DEFAULT_PERMISSION_CLASSES': [\n 'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly'\n ]\n} Don't forget to make sure you've also added rest_framework to your INSTALLED_APPS . We're ready to create our API now.\nHere's our project's root urls.py module: from django.conf.urls import url, include\nfrom django.contrib.auth.models import User\nfrom rest_framework import routers, serializers, viewsets\n\n# Serializers define the API representation.\nclass UserSerializer(serializers.HyperlinkedModelSerializer):\n class Meta:\n model = User\n fields = ('url', 'username', 'email', 'is_staff')\n\n# ViewSets define the view behavior.\nclass UserViewSet(viewsets.ModelViewSet):\n queryset = User.objects.all()\n serializer_class = UserSerializer\n\n# Routers provide an easy way of automatically determining the URL conf.\nrouter = routers.DefaultRouter()\nrouter.register(r'users', UserViewSet)\n\n# Wire up our API using automatic URL routing.\n# Additionally, we include login URLs for the browsable API.\nurlpatterns = [\n url(r'^', include(router.urls)),\n url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework'))\n] You can now open the API in your browser at http://127.0.0.1:8000/ , and view your new 'users' API. If you use the login control in the top right corner you'll also be able to add, create and delete users from the system.",
"title":"Example"
},
{
"location":"/#quickstart",
"text":"Can't wait to get started? The quickstart guide is the fastest way to get up and running, and building APIs with REST framework.",
"title":"Quickstart"
},
{
"location":"/#tutorial",
"text":"The tutorial will walk you through the building blocks that make up REST framework. It'll take a little while to get through, but it'll give you a comprehensive understanding of how everything fits together, and is highly recommended reading. 1 - Serialization 2 - Requests Responses 3 - Class based views 4 - Authentication permissions 5 - Relationships hyperlinked APIs 6 - Viewsets routers There is a live example API of the finished tutorial API for testing purposes, available here .",
"title":"Tutorial"
},
{
"location":"/#api-guide",
"text":"The API guide is your complete reference manual to all the functionality provided by REST framework. Requests Responses Views Generic views Viewsets Routers Parsers Renderers Serializers Serializer fields Serializer relations Validators Authentication Permissions Throttling Filtering Pagination Versioning Content negotiation Metadata Format suffixes Returning URLs Exceptions Status codes Testing Settings",
"text":"General guides to using REST framework. Documenting your API Internationalization AJAX, CSRF CORS HTML Forms Browser enhancements The Browsable API REST, Hypermedia HATEOAS Third Party Resources Contributing to REST framework Project management 3.0 Announcement 3.1 Announcement 3.2 Announcement 3.3 Announcement Kickstarter Announcement Mozilla Grant Funding Release Notes",
"text":"See the Contribution guidelines for information on how to clone\nthe repository, run the test suite and contribute changes back to REST\nFramework.",
"title":"Development"
},
{
"location":"/#support",
"text":"For support please see the REST framework discussion group , try the #restframework channel on irc.freenode.net , search the IRC archives , or raise a question on Stack Overflow , making sure to include the 'django-rest-framework' tag. Paid support is available from DabApps , and can include work on REST framework core, or support with building your REST framework API. Please contact DabApps if you'd like to discuss commercial support options. For updates on REST framework development, you may also want to follow the author on Twitter. Follow @_tomchristie !function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=\"//platform.twitter.com/widgets.js\";fjs.parentNode.insertBefore(js,fjs);}}(document,\"script\",\"twitter-wjs\");",
"title":"Support"
},
{
"location":"/#security",
"text":"If you believe you\u2019ve found something in Django REST framework which has security implications, please do not raise the issue in a public forum . Send a description of the issue via email to rest-framework-security@googlegroups.com . The project maintainers will then work with you to resolve any issues where required, prior to any public disclosure.",
"text":"Copyright (c) 2011-2016, Tom Christie\nAll rights reserved. Redistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this\nlist of conditions and the following disclaimer.\nRedistributions in binary form must reproduce the above copyright notice, this\nlist of conditions and the following disclaimer in the documentation and/or\nother materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.",
"text":"Quickstart\n\n\nWe're going to create a simple API to allow admin users to view and edit the users and groups in the system.\n\n\nProject setup\n\n\nCreate a new Django project named \ntutorial\n, then start a new app called \nquickstart\n.\n\n\n# Create the project directory\nmkdir tutorial\ncd tutorial\n\n# Create a virtualenv to isolate our package dependencies locally\nvirtualenv env\nsource env/bin/activate # On Windows use `env\\Scripts\\activate`\n\n# Install Django and Django REST framework into the virtualenv\npip install django\npip install djangorestframework\n\n# Set up a new project with a single application\ndjango-admin.py startproject tutorial . # Note the trailing '.' character\ncd tutorial\ndjango-admin.py startapp quickstart\ncd ..\n\n\n\nNow sync your database for the first time:\n\n\npython manage.py migrate\n\n\n\nWe'll also create an initial user named \nadmin\n with a password of \npassword123\n. We'll authenticate as that user later in our example.\n\n\npython manage.py createsuperuser\n\n\n\nOnce you've set up a database and initial user created and ready to go, open up the app's directory and we'll get coding...\n\n\nSerializers\n\n\nFirst up we're going to define some serializers. Let's create a new module named \ntutorial/quickstart/serializers.py\n that we'll use for our data representations.\n\n\nfrom django.contrib.auth.models import User, Group\nfrom rest_framework import serializers\n\n\nclass UserSerializer(serializers.HyperlinkedModelSerializer):\n class Meta:\n model = User\n fields = ('url', 'username', 'email', 'groups')\n\n\nclass GroupSerializer(serializers.HyperlinkedModelSerializer):\n class Meta:\n model = Group\n fields = ('url', 'name')\n\n\n\nNotice that we're using hyperlinked relations in this case, with \nHyperlinkedModelSerializer\n. You can also use primary key and various other relationships, but hyperlinking is good RESTful design.\n\n\nViews\n\n\nRight, we'd better write some views then. Open \ntutorial/quickstart/views.py\n and get typing.\n\n\nfrom django.contrib.auth.models import User, Group\nfrom rest_framework import viewsets\nfrom tutorial.quickstart.serializers import UserSerializer, GroupSerializer\n\n\nclass UserViewSet(viewsets.ModelViewSet):\n \"\"\"\n API endpoint that allows users to be viewed or edited.\n \"\"\"\n queryset = User.objects.all().order_by('-date_joined')\n serializer_class = UserSerializer\n\n\nclass GroupViewSet(viewsets.ModelViewSet):\n \"\"\"\n API endpoint that allows groups to be viewed or edited.\n \"\"\"\nqueryset=Group.objects.all()\nserializer_class=GroupSerializer\n\n\n\nRatherthanwritemultipleviewswe'regroupingtogetherallthecommonbehaviorintoclassescalled\nViewSets\n.\n\n\nWecaneasilybreakthesedownintoindividualviewsifweneedto,butusingviewsetskeepstheviewlogicnicelyorganizedaswellasbeingveryconcise.\n\n\nURLs\n\n\nOkay,nowlet'swireuptheAPIURLs.Onto\ntutorial/urls.py\n...\n\n\nfromdjango.conf.urlsimporturl,include\nfromrest_frameworkimportrouters\nfromtutorial.quickstartimportviews\n\nrouter=routers.DefaultRouter()\nrouter.register(r'users',views.UserViewSet)\nrouter.register(r'groups',views.GroupViewSet)\n\n#WireupourAPIusingautomaticURLrouting.\n#Additionally,weincludeloginURLsforthebrowsableAPI.\nurlpatterns=[\nurl(r'^',include(router.urls)),\nurl(r'^api-auth/',include('rest_framework.urls',namespace='rest_framework'))\n]\n\n\n\nBecausewe'reusingviewsetsinsteadofviews,wecanautomaticallygeneratetheURLconfforourAPI,bysimplyregisteringtheviewsetswitharouterclass.\n\n\nAgain,ifweneedmorecontrolovertheAPIURLswecansimplydropdowntousingregularclassbasedviews,andwritingtheURLconfexplicitly.\n\n\nFinally,we'reincludingdefaultloginandlogoutviewsforusewiththebrowsableAPI.That'soptional,butusefulifyourAPIrequiresauthenticationandyouwanttousethebrowsableAPI.\n\n\nSetti
"text":"Create a new Django project named tutorial , then start a new app called quickstart . # Create the project directory\nmkdir tutorial\ncd tutorial\n\n# Create a virtualenv to isolate our package dependencies locally\nvirtualenv env\nsource env/bin/activate # On Windows use `env\\Scripts\\activate`\n\n# Install Django and Django REST framework into the virtualenv\npip install django\npip install djangorestframework\n\n# Set up a new project with a single application\ndjango-admin.py startproject tutorial . # Note the trailing '.' character\ncd tutorial\ndjango-admin.py startapp quickstart\ncd .. Now sync your database for the first time: python manage.py migrate We'll also create an initial user named admin with a password of password123 . We'll authenticate as that user later in our example. python manage.py createsuperuser Once you've set up a database and initial user created and ready to go, open up the app's directory and we'll get coding...",
"text":"First up we're going to define some serializers. Let's create a new module named tutorial/quickstart/serializers.py that we'll use for our data representations. from django.contrib.auth.models import User, Group\nfrom rest_framework import serializers\n\n\nclass UserSerializer(serializers.HyperlinkedModelSerializer):\n class Meta:\n model = User\n fields = ('url', 'username', 'email', 'groups')\n\n\nclass GroupSerializer(serializers.HyperlinkedModelSerializer):\n class Meta:\n model = Group\n fields = ('url', 'name') Notice that we're using hyperlinked relations in this case, with HyperlinkedModelSerializer . You can also use primary key and various other relationships, but hyperlinking is good RESTful design.",
"text":"Right, we'd better write some views then. Open tutorial/quickstart/views.py and get typing. from django.contrib.auth.models import User, Group\nfrom rest_framework import viewsets\nfrom tutorial.quickstart.serializers import UserSerializer, GroupSerializer\n\n\nclass UserViewSet(viewsets.ModelViewSet):\n \"\"\"\n API endpoint that allows users to be viewed or edited.\n \"\"\"\n queryset = User.objects.all().order_by('-date_joined')\n serializer_class = UserSerializer\n\n\nclass GroupViewSet(viewsets.ModelViewSet):\n \"\"\"\n API endpoint that allows groups to be viewed or edited.\n \"\"\"\n queryset = Group.objects.all()\n serializer_class = GroupSerializer Rather than write multiple views we're grouping together all the common behavior into classes called ViewSets . We can easily break these down into individual views if we need to, but using viewsets keeps the view logic nicely organized as well as being very concise.",
"text":"Okay, now let's wire up the API URLs. On to tutorial/urls.py ... from django.conf.urls import url, include\nfrom rest_framework import routers\nfrom tutorial.quickstart import views\n\nrouter = routers.DefaultRouter()\nrouter.register(r'users', views.UserViewSet)\nrouter.register(r'groups', views.GroupViewSet)\n\n# Wire up our API using automatic URL routing.\n# Additionally, we include login URLs for the browsable API.\nurlpatterns = [\n url(r'^', include(router.urls)),\n url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework'))\n] Because we're using viewsets instead of views, we can automatically generate the URL conf for our API, by simply registering the viewsets with a router class. Again, if we need more control over the API URLs we can simply drop down to using regular class based views, and writing the URL conf explicitly. Finally, we're including default login and logout views for use with the browsable API. That's optional, but useful if your API requires authentication and you want to use the browsable API.",
"title":"URLs"
},
{
"location":"/tutorial/quickstart/#settings",
"text":"We'd also like to set a few global settings. We'd like to turn on pagination, and we want our API to only be accessible to admin users. The settings module will be in tutorial/settings.py INSTALLED_APPS = (\n ...\n 'rest_framework',\n)\n\nREST_FRAMEWORK = {\n 'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAdminUser',),\n 'PAGE_SIZE': 10\n} Okay, we're done.",
"text":"We're now ready to test the API we've built. Let's fire up the server from the command line. python ./manage.py runserver We can now access our API, both from the command-line, using tools like curl ... bash: curl -H 'Accept: application/json; indent=4' -u admin:password123 http://127.0.0.1:8000/users/\n{\n \"count\": 2,\n \"next\": null,\n \"previous\": null,\n \"results\": [\n {\n \"email\": \"admin@example.com\",\n \"groups\": [],\n \"url\": \"http://127.0.0.1:8000/users/1/\",\n \"username\": \"admin\"\n },\n {\n \"email\": \"tom@example.com\",\n \"groups\": [ ],\n \"url\": \"http://127.0.0.1:8000/users/2/\",\n \"username\": \"tom\"\n }\n ]\n} Or using the httpie , command line tool... bash: http -a admin:password123 http://127.0.0.1:8000/users/\n\nHTTP/1.1 200 OK\n...\n{\n \"count\": 2,\n \"next\": null,\n \"previous\": null,\n \"results\": [\n {\n \"email\": \"admin@example.com\",\n \"groups\": [],\n \"url\": \"http://localhost:8000/users/1/\",\n \"username\": \"paul\"\n },\n {\n \"email\": \"tom@example.com\",\n \"groups\": [ ],\n \"url\": \"http://127.0.0.1:8000/users/2/\",\n \"username\": \"tom\"\n }\n ]\n} Or directly through the browser... If you're working through the browser, make sure to login using the control in the top right corner. Great, that was easy! If you want to get a more in depth understanding of how REST framework fits together head on over to the tutorial , or start browsing the API guide .",
"text":"This tutorial will cover creating a simple pastebin code highlighting Web API. Along the way it will introduce the various components that make up REST framework, and give you a comprehensive understanding of how everything fits together. The tutorial is fairly in-depth, so you should probably get a cookie and a cup of your favorite brew before getting started. If you just want a quick overview, you should head over to the quickstart documentation instead. Note : The code for this tutorial is available in the tomchristie/rest-framework-tutorial repository on GitHub. The completed implementation is also online as a sandbox version for testing, available here .",
"text":"Before we do anything else we'll create a new virtual environment, using virtualenv . This will make sure our package configuration is kept nicely isolated from any other projects we're working on. virtualenv env\nsource env/bin/activate Now that we're inside a virtualenv environment, we can install our package requirements. pip install django\npip install djangorestframework\npip install pygments # We'll be using this for the code highlighting Note: To exit the virtualenv environment at any time, just type deactivate . For more information see the virtualenv documentation .",
"text":"Okay, we're ready to get coding.\nTo get started, let's create a new project to work with. cd ~\ndjango-admin.py startproject tutorial\ncd tutorial Once that's done we can create an app that we'll use to create a simple Web API. python manage.py startapp snippets We'll need to add our new snippets app and the rest_framework app to INSTALLED_APPS . Let's edit the tutorial/settings.py file: INSTALLED_APPS = (\n ...\n 'rest_framework',\n 'snippets.apps.SnippetsConfig',\n) Okay, we're ready to roll.",
"text":"For the purposes of this tutorial we're going to start by creating a simple Snippet model that is used to store code snippets. Go ahead and edit the snippets/models.py file. Note: Good programming practices include comments. Although you will find them in our repository version of this tutorial code, we have omitted them here to focus on the code itself. from django.db import models\nfrom pygments.lexers import get_all_lexers\nfrom pygments.styles import get_all_styles\n\nLEXERS = [item for item in get_all_lexers() if item[1]]\nLANGUAGE_CHOICES = sorted([(item[1][0], item[0]) for item in LEXERS])\nSTYLE_CHOICES = sorted((item, item) for item in get_all_styles())\n\n\nclass Snippet(models.Model):\n created = models.DateTimeField(auto_now_add=True)\n title = models.CharField(max_length=100, blank=True, default='')\n code = models.TextField()\n linenos = models.BooleanField(default=False)\n language = models.CharField(choices=LANGUAGE_CHOICES, default='python', max_length=100)\n style = models.CharField(choices=STYLE_CHOICES, default='friendly', max_length=100)\n\n class Meta:\n ordering = ('created',) We'll also need to create an initial migration for our snippet model, and sync the database for the first time. python manage.py makemigrations snippets\npython manage.py migrate",
"text":"The first thing we need to get started on our Web API is to provide a way of serializing and deserializing the snippet instances into representations such as json . We can do this by declaring serializers that work very similar to Django's forms. Create a file in the snippets directory named serializers.py and add the following. from rest_framework import serializers\nfrom snippets.models import Snippet, LANGUAGE_CHOICES, STYLE_CHOICES\n\n\nclass SnippetSerializer(serializers.Serializer):\n pk = serializers.IntegerField(read_only=True)\n title = serializers.CharField(required=False, allow_blank=True, max_length=100)\n code = serializers.CharField(style={'base_template': 'textarea.html'})\n linenos = serializers.BooleanField(required=False)\n language = serializers.ChoiceField(choices=LANGUAGE_CHOICES, default='python')\n style = serializers.ChoiceField(choices=STYLE_CHOICES, default='friendly')\n\n def create(self, validated_data):\n \"\"\"\n Create and return a new `Snippet` instance, given the validated data.\n \"\"\"\n return Snippet.objects.create(**validated_data)\n\n def update(self, instance, validated_data):\n \"\"\"\n Update and return an existing `Snippet` instance, given the validated data.\n \"\"\"\n instance.title = validated_data.get('title', instance.title)\n instance.code = validated_data.get('code', instance.code)\n instance.linenos = validated_data.get('linenos', instance.linenos)\n instance.language = validated_data.get('language', instance.language)\n instance.style = validated_data.get('style', instance.style)\n instance.save()\n return instance The first part of the serializer class defines the fields that get serialized/deserialized. The create() and update() methods define how fully fledged instances are created or modified when calling serializer.save() A serializer class is very similar to a Django Form class, and includes similar validation flags on the various fields, such as required , max_length and default . The field flags can also control how the serializer should be displayed in certain circumstances, such as when rendering to HTML. The {'base_template': 'textarea.html'} flag above is equivalent to using widget=widgets.Textarea on a Django Form class. This is particularly useful for controlling how the browsable API should be displayed, as we'll see later in the tutorial. We can actually also save ourselves some time by using the ModelSerializer class, as we'll see later, but for now we'll keep our serializer definition explicit.",
"text":"Before we go any further we'll familiarize ourselves with using our new Serializer class. Let's drop into the Django shell. python manage.py shell Okay, once we've got a few imports out of the way, let's create a couple of code snippets to work with. from snippets.models import Snippet\nfrom snippets.serializers import SnippetSerializer\nfrom rest_framework.renderers import JSONRenderer\nfrom rest_framework.parsers import JSONParser\n\nsnippet = Snippet(code='foo = \"bar\"\\n')\nsnippet.save()\n\nsnippet = Snippet(code='print \"hello, world\"\\n')\nsnippet.save() We've now got a few snippet instances to play with. Let's take a look at serializing one of those instances. serializer = SnippetSerializer(snippet)\nserializer.data\n# {'pk': 2, 'title': u'', 'code': u'print \"hello, world\"\\n', 'linenos': False, 'language': u'python', 'style': u'friendly'} At this point we've translated the model instance into Python native datatypes. To finalize the serialization process we render the data into json . content = JSONRenderer().render(serializer.data)\ncontent\n# '{\"pk\": 2, \"title\": \"\", \"code\": \"print \\\\\"hello, world\\\\\"\\\\n\", \"linenos\": false, \"language\": \"python\", \"style\": \"friendly\"}' Deserialization is similar. First we parse a stream into Python native datatypes... from django.utils.six import BytesIO\n\nstream = BytesIO(content)\ndata = JSONParser().parse(stream) ...then we restore those native datatypes into a fully populated object instance. serializer = SnippetSerializer(data=data)\nserializer.is_valid()\n# True\nserializer.validated_data\n# OrderedDict([('title', ''), ('code', 'print \"hello, world\"\\n'), ('linenos', False), ('language', 'python'), ('style', 'friendly')])\nserializer.save()\n# Snippet: Snippet object Notice how similar the API is to working with forms. The similarity should become even more apparent when we start writing views that use our serializer. We can also serialize querysets instead of model instances. To do so we simply add a many=True flag to the serializer arguments. serializer = SnippetSerializer(Snippet.objects.all(), many=True)\nserializer.data\n# [OrderedDict([('pk', 1), ('title', u''), ('code', u'foo = \"bar\"\\n'), ('linenos', False), ('language', 'python'), ('style', 'friendly')]), OrderedDict([('pk', 2), ('title', u''), ('code', u'print \"hello, world\"\\n'), ('linenos', False), ('language', 'python'), ('style', 'friendly')]), OrderedDict([('pk', 3), ('title', u''), ('code', u'print \"hello, world\"'), ('linenos', False), ('language', 'python'), ('style', 'friendly')])]",
"text":"Our SnippetSerializer class is replicating a lot of information that's also contained in the Snippet model. It would be nice if we could keep our code a bit more concise. In the same way that Django provides both Form classes and ModelForm classes, REST framework includes both Serializer classes, and ModelSerializer classes. Let's look at refactoring our serializer using the ModelSerializer class.\nOpen the file snippets/serializers.py again, and replace the SnippetSerializer class with the following. class SnippetSerializer(serializers.ModelSerializer):\n class Meta:\n model = Snippet\n fields = ('id', 'title', 'code', 'linenos', 'language', 'style') One nice property that serializers have is that you can inspect all the fields in a serializer instance, by printing its representation. Open the Django shell with python manage.py shell , then try the following: from snippets.serializers import SnippetSerializer\nserializer = SnippetSerializer()\nprint(repr(serializer))\n# SnippetSerializer():\n# id = IntegerField(label='ID', read_only=True)\n# title = CharField(allow_blank=True, max_length=100, required=False)\n# code = CharField(style={'base_template': 'textarea.html'})\n# linenos = BooleanField(required=False)\n# language = ChoiceField(choices=[('Clipper', 'FoxPro'), ('Cucumber', 'Gherkin'), ('RobotFramework', 'RobotFramework'), ('abap', 'ABAP'), ('ada', 'Ada')...\n# style = ChoiceField(choices=[('autumn', 'autumn'), ('borland', 'borland'), ('bw', 'bw'), ('colorful', 'colorful')... It's important to remember that ModelSerializer classes don't do anything particularly magical, they are simply a shortcut for creating serializer classes: An automatically determined set of fields. Simple default implementations for the create() and update() methods.",
"text":"Let's see how we can write some API views using our new Serializer class.\nFor the moment we won't use any of REST framework's other features, we'll just write the views as regular Django views. We'll start off by creating a subclass of HttpResponse that we can use to render any data we return into json . Edit the snippets/views.py file, and add the following. from django.http import HttpResponse\nfrom django.views.decorators.csrf import csrf_exempt\nfrom rest_framework.renderers import JSONRenderer\nfrom rest_framework.parsers import JSONParser\nfrom snippets.models import Snippet\nfrom snippets.serializers import SnippetSerializer\n\nclass JSONResponse(HttpResponse):\n \"\"\"\n An HttpResponse that renders its content into JSON.\n \"\"\"\n def __init__(self, data, **kwargs):\n content = JSONRenderer().render(data)\n kwargs['content_type'] = 'application/json'\n super(JSONResponse, self).__init__(content, **kwargs) The root of our API is going to be a view that supports listing all the existing snippets, or creating a new snippet. @csrf_exempt\ndef snippet_list(request):\n \"\"\"\n List all code snippets, or create a new snippet.\n \"\"\"\n if request.method == 'GET':\n snippets = Snippet.objects.all()\n serializer = SnippetSerializer(snippets, many=True)\n return JSONResponse(serializer.data)\n\n elif request.method == 'POST':\n data = JSONParser().parse(request)\n serializer = SnippetSerializer(data=data)\n if serializer.is_valid():\n serializer.save()\n return JSONResponse(serializer.data, status=201)\n return JSONResponse(serializer.errors, status=400) Note that because we want to be able to POST to this view from clients that won't have a CSRF token we need to mark the view as csrf_exempt . This isn't something that you'd normally want to do, and REST framework views actually use more sensible behavior than this, but it'll do for our purposes right now. We'll also need a view which corresponds to an individual snippet, and can be used to retrieve, update or delete the snippet. @csrf_exempt\ndef snippet_detail(request, pk):\n \"\"\"\n Retrieve, update or delete a code snippet.\n \"\"\"\n try:\n snippet = Snippet.objects.get(pk=pk)\n except Snippet.DoesNotExist:\n return HttpResponse(status=404)\n\n if request.method == 'GET':\n serializer = SnippetSerializer(snippet)\n return JSONResponse(serializer.data)\n\n elif request.method == 'PUT':\n data = JSONParser().parse(request)\n serializer = SnippetSerializer(snippet, data=data)\n if serializer.is_valid():\n serializer.save()\n return JSONResponse(serializer.data)\n return JSONResponse(serializer.errors, status=400)\n\n elif request.method == 'DELETE':\n snippet.delete()\n return HttpResponse(status=204) Finally we need to wire these views up. Create the snippets/urls.py file: from django.conf.urls import url\nfrom snippets import views\n\nurlpatterns = [\n url(r'^snippets/$', views.snippet_list),\n url(r'^snippets/(?P pk [0-9]+)/$', views.snippet_detail),\n] We also need to wire up the root urlconf, in the tutorial/urls.py file, to include our snippet app's URLs. from django.conf.urls import url, include\n\nurlpatterns = [\n url(r'^', include('snippets.urls')),\n] It's worth noting that there are a couple of edge cases we're not dealing with properly at the moment. If we send malformed json , or if a request is made with a method that the view doesn't handle, then we'll end up with a 500 \"server error\" response. Still, this'll do for now.",
"text":"Now we can start up a sample server that serves our snippets. Quit out of the shell... quit() ...and start up Django's development server. python manage.py runserver\n\nValidating models...\n\n0 errors found\nDjango version 1.8.3, using settings 'tutorial.settings'\nDevelopment server is running at http://127.0.0.1:8000/\nQuit the server with CONTROL-C. In another terminal window, we can test the server. We can test our API using curl or httpie . Httpie is a user friendly http client that's written in Python. Let's install that. You can install httpie using pip: pip install httpie Finally, we can get a list of all of the snippets: http http://127.0.0.1:8000/snippets/\n\nHTTP/1.1 200 OK\n...\n[\n {\n \"id\": 1,\n \"title\": \"\",\n \"code\": \"foo = \\\"bar\\\"\\n\",\n \"linenos\": false,\n \"language\": \"python\",\n \"style\": \"friendly\"\n },\n {\n \"id\": 2,\n \"title\": \"\",\n \"code\": \"print \\\"hello, world\\\"\\n\",\n \"linenos\": false,\n \"language\": \"python\",\n \"style\": \"friendly\"\n }\n] Or we can get a particular snippet by referencing its id: http http://127.0.0.1:8000/snippets/2/\n\nHTTP/1.1 200 OK\n...\n{\n \"id\": 2,\n \"title\": \"\",\n \"code\": \"print \\\"hello, world\\\"\\n\",\n \"linenos\": false,\n \"language\": \"python\",\n \"style\": \"friendly\"\n} Similarly, you can have the same json displayed by visiting these URLs in a web browser.",
"text":"We're doing okay so far, we've got a serialization API that feels pretty similar to Django's Forms API, and some regular Django views. Our API views don't do anything particularly special at the moment, beyond serving json responses, and there are some error handling edge cases we'd still like to clean up, but it's a functioning Web API. We'll see how we can start to improve things in part 2 of the tutorial .",
"text":"Tutorial 2: Requests and Responses\n\n\nFrom this point we're going to really start covering the core of REST framework.\nLet's introduce a couple of essential building blocks.\n\n\nRequest objects\n\n\nREST framework introduces a \nRequest\n object that extends the regular \nHttpRequest\n, and provides more flexible request parsing. The core functionality of the \nRequest\n object is the \nrequest.data\n attribute, which is similar to \nrequest.POST\n, but more useful for working with Web APIs.\n\n\nrequest.POST # Only handles form data. Only works for 'POST' method.\nrequest.data # Handles arbitrary data. Works for 'POST', 'PUT' and 'PATCH' methods.\n\n\n\nResponse objects\n\n\nREST framework also introduces a \nResponse\n object, which is a type of \nTemplateResponse\n that takes unrendered content and uses content negotiation to determine the correct content type to return to the client.\n\n\nreturn Response(data) # Renders to content type as requested by the client.\n\n\n\nStatus codes\n\n\nUsing numeric HTTP status codes in your views doesn't always make for obvious reading, and it's easy to not notice if you get an error code wrong. REST framework provides more explicit identifiers for each status code, such as \nHTTP_400_BAD_REQUEST\n in the \nstatus\n module. It's a good idea to use these throughout rather than using numeric identifiers.\n\n\nWrapping API views\n\n\nREST framework provides two wrappers you can use to write API views.\n\n\n\n\nThe \n@api_view\n decorator for working with function based views.\n\n\nThe \nAPIView\n class for working with class based views.\n\n\n\n\nThese wrappers provide a few bits of functionality such as making sure you receive \nRequest\n instances in your view, and adding context to \nResponse\n objects so that content negotiation can be performed.\n\n\nThe wrappers also provide behaviour such as returning \n405 Method Not Allowed\n responses when appropriate, and handling any \nParseError\n exception that occurs when accessing \nrequest.data\n with malformed input.\n\n\nPulling it all together\n\n\nOkay, let's go ahead and start using these new components to write a few views.\n\n\nWe don't need our \nJSONResponse\n class in \nviews.py\n anymore, so go ahead and delete that. Once that's done we can start refactoring our views slightly.\n\n\nfrom rest_framework import status\nfrom rest_framework.decorators import api_view\nfrom rest_framework.response import Response\nfrom snippets.models import Snippet\nfrom snippets.serializers import SnippetSerializer\n\n\n@api_view(['GET', 'POST'])\ndef snippet_list(request):\n \"\"\"\n List all snippets, or create a new snippet.\n \"\"\"\n if request.method == 'GET':\n snippets = Snippet.objects.all()\n serializer = SnippetSerializer(snippets, many=True)\n return Response(serializer.data)\n\n elif request.method == 'POST':\n serializer = SnippetSerializer(data=request.data)\n if serializer.is_valid():\n serializer.save()\n return Response(serializer.data, status=status.HTTP_201_CREATED)\n return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)\n\n\n\nOur instance view is an improvement over the previous example. It's a little more concise, and the code now feels very similar to if we were working with the Forms API. We're also using named status codes, which makes the response meanings more obvious.\n\n\nHere is the view for an individual snippet, in the \nviews.py\n module.\n\n\n@api_view(['GET', 'PUT', 'DELETE'])\ndef snippet_detail(request, pk):\n \"\"\"\n Retrieve, update or delete a snippet instance.\n \"\"\"\ntry:\nsnippet=Snippet.objects.get(pk=pk)\nexceptSnippet.DoesNotExist:\nreturnResponse(status=status.HTTP_404_NOT_FOUND)\n\nifrequest.method=='GET':\nserializer=SnippetSerializer(snippet)\nreturnResponse(serializer.data)\n\nelifrequest.method=='PUT':\nserializer=SnippetSerializer(snippet,data=request.data)\nifseriali
"text":"REST framework introduces a Request object that extends the regular HttpRequest , and provides more flexible request parsing. The core functionality of the Request object is the request.data attribute, which is similar to request.POST , but more useful for working with Web APIs. request.POST # Only handles form data. Only works for 'POST' method.\nrequest.data # Handles arbitrary data. Works for 'POST', 'PUT' and 'PATCH' methods.",
"text":"REST framework also introduces a Response object, which is a type of TemplateResponse that takes unrendered content and uses content negotiation to determine the correct content type to return to the client. return Response(data) # Renders to content type as requested by the client.",
"text":"Using numeric HTTP status codes in your views doesn't always make for obvious reading, and it's easy to not notice if you get an error code wrong. REST framework provides more explicit identifiers for each status code, such as HTTP_400_BAD_REQUEST in the status module. It's a good idea to use these throughout rather than using numeric identifiers.",
"text":"REST framework provides two wrappers you can use to write API views. The @api_view decorator for working with function based views. The APIView class for working with class based views. These wrappers provide a few bits of functionality such as making sure you receive Request instances in your view, and adding context to Response objects so that content negotiation can be performed. The wrappers also provide behaviour such as returning 405 Method Not Allowed responses when appropriate, and handling any ParseError exception that occurs when accessing request.data with malformed input.",
"text":"Okay, let's go ahead and start using these new components to write a few views. We don't need our JSONResponse class in views.py anymore, so go ahead and delete that. Once that's done we can start refactoring our views slightly. from rest_framework import status\nfrom rest_framework.decorators import api_view\nfrom rest_framework.response import Response\nfrom snippets.models import Snippet\nfrom snippets.serializers import SnippetSerializer\n\n\n@api_view(['GET', 'POST'])\ndef snippet_list(request):\n \"\"\"\n List all snippets, or create a new snippet.\n \"\"\"\n if request.method == 'GET':\n snippets = Snippet.objects.all()\n serializer = SnippetSerializer(snippets, many=True)\n return Response(serializer.data)\n\n elif request.method == 'POST':\n serializer = SnippetSerializer(data=request.data)\n if serializer.is_valid():\n serializer.save()\n return Response(serializer.data, status=status.HTTP_201_CREATED)\n return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) Our instance view is an improvement over the previous example. It's a little more concise, and the code now feels very similar to if we were working with the Forms API. We're also using named status codes, which makes the response meanings more obvious. Here is the view for an individual snippet, in the views.py module. @api_view(['GET', 'PUT', 'DELETE'])\ndef snippet_detail(request, pk):\n \"\"\"\n Retrieve, update or delete a snippet instance.\n \"\"\"\n try:\n snippet = Snippet.objects.get(pk=pk)\n except Snippet.DoesNotExist:\n return Response(status=status.HTTP_404_NOT_FOUND)\n\n if request.method == 'GET':\n serializer = SnippetSerializer(snippet)\n return Response(serializer.data)\n\n elif request.method == 'PUT':\n serializer = SnippetSerializer(snippet, data=request.data)\n if serializer.is_valid():\n serializer.save()\n return Response(serializer.data)\n return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)\n\n elif request.method == 'DELETE':\n snippet.delete()\n return Response(status=status.HTTP_204_NO_CONTENT) This should all feel very familiar - it is not a lot different from working with regular Django views. Notice that we're no longer explicitly tying our requests or responses to a given content type. request.data can handle incoming json requests, but it can also handle other formats. Similarly we're returning response objects with data, but allowing REST framework to render the response into the correct content type for us.",
"text":"To take advantage of the fact that our responses are no longer hardwired to a single content type let's add support for format suffixes to our API endpoints. Using format suffixes gives us URLs that explicitly refer to a given format, and means our API will be able to handle URLs such as http://example.com/api/items/4/.json . Start by adding a format keyword argument to both of the views, like so. def snippet_list(request, format=None): and def snippet_detail(request, pk, format=None): Now update the urls.py file slightly, to append a set of format_suffix_patterns in addition to the existing URLs. from django.conf.urls import url\nfrom rest_framework.urlpatterns import format_suffix_patterns\nfrom snippets import views\n\nurlpatterns = [\n url(r'^snippets/$', views.snippet_list),\n url(r'^snippets/(?P pk [0-9]+)$', views.snippet_detail),\n]\n\nurlpatterns = format_suffix_patterns(urlpatterns) We don't necessarily need to add these extra url patterns in, but it gives us a simple, clean way of referring to a specific format.",
"text":"Go ahead and test the API from the command line, as we did in tutorial part 1 . Everything is working pretty similarly, although we've got some nicer error handling if we send invalid requests. We can get a list of all of the snippets, as before. http http://127.0.0.1:8000/snippets/\n\nHTTP/1.1 200 OK\n...\n[\n {\n \"id\": 1,\n \"title\": \"\",\n \"code\": \"foo = \\\"bar\\\"\\n\",\n \"linenos\": false,\n \"language\": \"python\",\n \"style\": \"friendly\"\n },\n {\n \"id\": 2,\n \"title\": \"\",\n \"code\": \"print \\\"hello, world\\\"\\n\",\n \"linenos\": false,\n \"language\": \"python\",\n \"style\": \"friendly\"\n }\n] We can control the format of the response that we get back, either by using the Accept header: http http://127.0.0.1:8000/snippets/ Accept:application/json # Request JSON\nhttp http://127.0.0.1:8000/snippets/ Accept:text/html # Request HTML Or by appending a format suffix: http http://127.0.0.1:8000/snippets.json # JSON suffix\nhttp http://127.0.0.1:8000/snippets.api # Browsable API suffix Similarly, we can control the format of the request that we send, using the Content-Type header. # POST using form data\nhttp --form POST http://127.0.0.1:8000/snippets/ code=\"print 123\"\n\n{\n \"id\": 3,\n \"title\": \"\",\n \"code\": \"print 123\",\n \"linenos\": false,\n \"language\": \"python\",\n \"style\": \"friendly\"\n}\n\n# POST using JSON\nhttp --json POST http://127.0.0.1:8000/snippets/ code=\"print 456\"\n\n{\n \"id\": 4,\n \"title\": \"\",\n \"code\": \"print 456\",\n \"linenos\": false,\n \"language\": \"python\",\n \"style\": \"friendly\"\n} Now go and open the API in a web browser, by visiting http://127.0.0.1:8000/snippets/ . Browsability Because the API chooses the content type of the response based on the client request, it will, by default, return an HTML-formatted representation of the resource when that resource is requested by a web browser. This allows for the API to return a fully web-browsable HTML representation. Having a web-browsable API is a huge usability win, and makes developing and using your API much easier. It also dramatically lowers the barrier-to-entry for other developers wanting to inspect and work with your API. See the browsable api topic for more information about the browsable API feature and how to customize it.",
"text":"In tutorial part 3 , we'll start using class based views, and see how generic views reduce the amount of code we need to write.",
"title":"What's next?"
},
{
"location":"/tutorial/3-class-based-views/",
"text":"Tutorial 3: Class Based Views\n\n\nWe can also write our API views using class based views, rather than function based views. As we'll see this is a powerful pattern that allows us to reuse common functionality, and helps us keep our code \nDRY\n.\n\n\nRewriting our API using class based views\n\n\nWe'll start by rewriting the root view as a class based view. All this involves is a little bit of refactoring of \nviews.py\n.\n\n\nfrom snippets.models import Snippet\nfrom snippets.serializers import SnippetSerializer\nfrom django.http import Http404\nfrom rest_framework.views import APIView\nfrom rest_framework.response import Response\nfrom rest_framework import status\n\n\nclass SnippetList(APIView):\n \"\"\"\n List all snippets, or create a new snippet.\n \"\"\"\n def get(self, request, format=None):\n snippets = Snippet.objects.all()\n serializer = SnippetSerializer(snippets, many=True)\n return Response(serializer.data)\n\n def post(self, request, format=None):\n serializer = SnippetSerializer(data=request.data)\n if serializer.is_valid():\n serializer.save()\n return Response(serializer.data, status=status.HTTP_201_CREATED)\n return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)\n\n\n\nSo far, so good. It looks pretty similar to the previous case, but we've got better separation between the different HTTP methods. We'll also need to update the instance view in \nviews.py\n.\n\n\nclass SnippetDetail(APIView):\n \"\"\"\n Retrieve, update or delete a snippet instance.\n \"\"\"\ndefget_object(self,pk):\ntry:\nreturnSnippet.objects.get(pk=pk)\nexceptSnippet.DoesNotExist:\nraiseHttp404\n\ndefget(self,request,pk,format=None):\nsnippet=self.get_object(pk)\nserializer=SnippetSerializer(snippet)\nreturnResponse(serializer.data)\n\ndefput(self,request,pk,format=None):\nsnippet=self.get_object(pk)\nserializer=SnippetSerializer(snippet,data=request.data)\nifserializer.is_valid():\nserializer.save()\nreturnResponse(serializer.data)\nreturnResponse(serializer.errors,status=status.HTTP_400_BAD_REQUEST)\n\ndefdelete(self,request,pk,format=None):\nsnippet=self.get_object(pk)\nsnippet.delete()\nreturnResponse(status=status.HTTP_204_NO_CONTENT)\n\n\n\nThat'slookinggood.Again,it'sstillprettysimilartothefunctionbasedviewrightnow.\n\n\nWe'llalsoneedtorefactorour\nurls.py\nslightlynowwe'reusingclassbasedviews.\n\n\nfromdjango.conf.urlsimporturl\nfromrest_framework.urlpatternsimportformat_suffix_patterns\nfromsnippetsimportviews\n\nurlpatterns=[\nurl(r'^snippets/$',views.SnippetList.as_view()),\nurl(r'^snippets/(?P\npk\n[0-9]+)/$',views.SnippetDetail.as_view()),\n]\n\nurlpatterns=format_suffix_patterns(urlpatterns)\n\n\n\nOkay,we'redone.Ifyourunthedevelopmentservereverythingshouldbeworkingjustasbefore.\n\n\nUsingmixins\n\n\nOneofthebigwinsofusingclassbasedviewsisthatitallowsustoeasilycomposereusablebitsofbehaviour.\n\n\nThecreate/retrieve/update/deleteoperationsthatwe'vebeenusingsofararegoingtobeprettysimilarforanymodel-backedAPIviewswecreate.ThosebitsofcommonbehaviourareimplementedinRESTframework'smixinclasses.\n\n\nLet'stakealookathowwecancomposetheviewsbyusingthemixinclasses.Here'sour\nviews.py\nmoduleagain.\n\n\nfromsnippets.modelsimportSnippet\nfromsnippets.serializersimportSnippetSerializer\nfromrest_frameworkimportmixins\nfromrest_frameworkimportgenerics\n\nclassSnippetList(mixins.ListModelMixin,\nmixins.CreateModelMixin,\ngenerics.GenericAPIView):\nqueryset=Snippet.objects.all()\nserializer_class=SnippetSerializer\n\ndefget(self,request,*args,**kwargs):\nreturnself.list(request,*args,**kwargs)\n
"text":"We can also write our API views using class based views, rather than function based views. As we'll see this is a powerful pattern that allows us to reuse common functionality, and helps us keep our code DRY .",
"text":"We'll start by rewriting the root view as a class based view. All this involves is a little bit of refactoring of views.py . from snippets.models import Snippet\nfrom snippets.serializers import SnippetSerializer\nfrom django.http import Http404\nfrom rest_framework.views import APIView\nfrom rest_framework.response import Response\nfrom rest_framework import status\n\n\nclass SnippetList(APIView):\n \"\"\"\n List all snippets, or create a new snippet.\n \"\"\"\n def get(self, request, format=None):\n snippets = Snippet.objects.all()\n serializer = SnippetSerializer(snippets, many=True)\n return Response(serializer.data)\n\n def post(self, request, format=None):\n serializer = SnippetSerializer(data=request.data)\n if serializer.is_valid():\n serializer.save()\n return Response(serializer.data, status=status.HTTP_201_CREATED)\n return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) So far, so good. It looks pretty similar to the previous case, but we've got better separation between the different HTTP methods. We'll also need to update the instance view in views.py . class SnippetDetail(APIView):\n \"\"\"\n Retrieve, update or delete a snippet instance.\n \"\"\"\n def get_object(self, pk):\n try:\n return Snippet.objects.get(pk=pk)\n except Snippet.DoesNotExist:\n raise Http404\n\n def get(self, request, pk, format=None):\n snippet = self.get_object(pk)\n serializer = SnippetSerializer(snippet)\n return Response(serializer.data)\n\n def put(self, request, pk, format=None):\n snippet = self.get_object(pk)\n serializer = SnippetSerializer(snippet, data=request.data)\n if serializer.is_valid():\n serializer.save()\n return Response(serializer.data)\n return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)\n\n def delete(self, request, pk, format=None):\n snippet = self.get_object(pk)\n snippet.delete()\n return Response(status=status.HTTP_204_NO_CONTENT) That's looking good. Again, it's still pretty similar to the function based view right now. We'll also need to refactor our urls.py slightly now we're using class based views. from django.conf.urls import url\nfrom rest_framework.urlpatterns import format_suffix_patterns\nfrom snippets import views\n\nurlpatterns = [\n url(r'^snippets/$', views.SnippetList.as_view()),\n url(r'^snippets/(?P pk [0-9]+)/$', views.SnippetDetail.as_view()),\n]\n\nurlpatterns = format_suffix_patterns(urlpatterns) Okay, we're done. If you run the development server everything should be working just as before.",
"title":"Rewriting our API using class based views"
"text":"One of the big wins of using class based views is that it allows us to easily compose reusable bits of behaviour. The create/retrieve/update/delete operations that we've been using so far are going to be pretty similar for any model-backed API views we create. Those bits of common behaviour are implemented in REST framework's mixin classes. Let's take a look at how we can compose the views by using the mixin classes. Here's our views.py module again. from snippets.models import Snippet\nfrom snippets.serializers import SnippetSerializer\nfrom rest_framework import mixins\nfrom rest_framework import generics\n\nclass SnippetList(mixins.ListModelMixin,\n mixins.CreateModelMixin,\n generics.GenericAPIView):\n queryset = Snippet.objects.all()\n serializer_class = SnippetSerializer\n\n def get(self, request, *args, **kwargs):\n return self.list(request, *args, **kwargs)\n\n def post(self, request, *args, **kwargs):\n return self.create(request, *args, **kwargs) We'll take a moment to examine exactly what's happening here. We're building our view using GenericAPIView , and adding in ListModelMixin and CreateModelMixin . The base class provides the core functionality, and the mixin classes provide the .list() and .create() actions. We're then explicitly binding the get and post methods to the appropriate actions. Simple enough stuff so far. class SnippetDetail(mixins.RetrieveModelMixin,\n mixins.UpdateModelMixin,\n mixins.DestroyModelMixin,\n generics.GenericAPIView):\n queryset = Snippet.objects.all()\n serializer_class = SnippetSerializer\n\n def get(self, request, *args, **kwargs):\n return self.retrieve(request, *args, **kwargs)\n\n def put(self, request, *args, **kwargs):\n return self.update(request, *args, **kwargs)\n\n def delete(self, request, *args, **kwargs):\n return self.destroy(request, *args, **kwargs) Pretty similar. Again we're using the GenericAPIView class to provide the core functionality, and adding in mixins to provide the .retrieve() , .update() and .destroy() actions.",
"text":"Using the mixin classes we've rewritten the views to use slightly less code than before, but we can go one step further. REST framework provides a set of already mixed-in generic views that we can use to trim down our views.py module even more. from snippets.models import Snippet\nfrom snippets.serializers import SnippetSerializer\nfrom rest_framework import generics\n\n\nclass SnippetList(generics.ListCreateAPIView):\n queryset = Snippet.objects.all()\n serializer_class = SnippetSerializer\n\n\nclass SnippetDetail(generics.RetrieveUpdateDestroyAPIView):\n queryset = Snippet.objects.all()\n serializer_class = SnippetSerializer Wow, that's pretty concise. We've gotten a huge amount for free, and our code looks like good, clean, idiomatic Django. Next we'll move onto part 4 of the tutorial , where we'll take a look at how we can deal with authentication and permissions for our API.",
"text":"Tutorial 4: Authentication \n Permissions\n\n\nCurrently our API doesn't have any restrictions on who can edit or delete code snippets. We'd like to have some more advanced behavior in order to make sure that:\n\n\n\n\nCode snippets are always associated with a creator.\n\n\nOnly authenticated users may create snippets.\n\n\nOnly the creator of a snippet may update or delete it.\n\n\nUnauthenticated requests should have full read-only access.\n\n\n\n\nAdding information to our model\n\n\nWe're going to make a couple of changes to our \nSnippet\n model class.\nFirst, let's add a couple of fields. One of those fields will be used to represent the user who created the code snippet. The other field will be used to store the highlighted HTML representation of the code.\n\n\nAdd the following two fields to the \nSnippet\n model in \nmodels.py\n.\n\n\nowner = models.ForeignKey('auth.User', related_name='snippets')\nhighlighted = models.TextField()\n\n\n\nWe'd also need to make sure that when the model is saved, that we populate the highlighted field, using the \npygments\n code highlighting library.\n\n\nWe'll need some extra imports:\n\n\nfrom pygments.lexers import get_lexer_by_name\nfrom pygments.formatters.html import HtmlFormatter\nfrom pygments import highlight\n\n\n\nAnd now we can add a \n.save()\n method to our model class:\n\n\ndef save(self, *args, **kwargs):\n \"\"\"\n Use the `pygments` library to create a highlighted HTML\n representation of the code snippet.\n \"\"\"\nlexer=get_lexer_by_name(self.language)\nlinenos=self.linenosand'table'orFalse\noptions=self.titleand{'title':self.title}or{}\nformatter=HtmlFormatter(style=self.style,linenos=linenos,\nfull=True,**options)\nself.highlighted=highlight(self.code,lexer,formatter)\nsuper(Snippet,self).save(*args,**kwargs)\n\n\n\nWhenthat'salldonewe'llneedtoupdateourdatabasetables.\nNormallywe'dcreateadatabasemigrationinordertodothat,butforthepurposesofthistutorial,let'sjustdeletethedatabaseandstartagain.\n\n\nrm-ftmp.dbdb.sqlite3\nrm-rsnippets/migrations\npythonmanage.pymakemigrationssnippets\npythonmanage.pymigrate\n\n\n\nYoumightalsowanttocreateafewdifferentusers,tousefortestingtheAPI.Thequickestwaytodothiswillbewiththe\ncreatesuperuser\ncommand.\n\n\npythonmanage.pycreatesuperuser\n\n\n\nAddingendpointsforourUsermodels\n\n\nNowthatwe'vegotsomeuserstoworkwith,we'dbetteraddrepresentationsofthoseuserstoourAPI.Creatinganewserializeriseasy.In\nserializers.py\nadd:\n\n\nfromdjango.contrib.auth.modelsimportUser\n\nclassUserSerializer(serializers.ModelSerializer):\nsnippets=serializers.PrimaryKeyRelatedField(many=True,queryset=Snippet.objects.all())\n\nclassMeta:\nmodel=User\nfields=('id','username','snippets')\n\n\n\nBecause\n'snippets'\nisa\nreverse\nrelationshipontheUsermodel,itwillnotbeincludedbydefaultwhenusingthe\nModelSerializer\nclass,soweneededtoaddanexplicitfieldforit.\n\n\nWe'llalsoaddacoupleofviewsto\nviews.py\n.We'dliketojustuseread-onlyviewsfortheuserrepresentations,sowe'llusethe\nListAPIView\nand\nRetrieveAPIView\ngenericclassbasedviews.\n\n\nfromdjango.contrib.auth.modelsimportUser\n\n\nclassUserList(generics.ListAPIView):\nqueryset=User.objects.all()\nserializer_class=UserSerializer\n\n\nclassUserDetail(generics.RetrieveAPIView):\nqueryset=User.objects.all()\nserializer_class=UserSerializer\n\n\n\nMakesuretoalsoimportthe\nUserSerializer\nclass\n\n\nfromsnippets.serializersimportUserSerializer\n\n\n\nFinallyweneedtoaddthoseviewsintotheAPI,byreferencingthemfromtheURLconf.Addthefollowingtothepatternsin\nurls.py\n.\n\n\nurl(r'^users/$',views.UserList.as_view()),\nurl(r'^users/(?P\npk\n[0-9]+)/$',views.UserDetail.as_view()),\n\n\n\nAssociatingSnippetswithUsers\n\n\nRightnow,if
"text":"Currently our API doesn't have any restrictions on who can edit or delete code snippets. We'd like to have some more advanced behavior in order to make sure that: Code snippets are always associated with a creator. Only authenticated users may create snippets. Only the creator of a snippet may update or delete it. Unauthenticated requests should have full read-only access.",
"text":"We're going to make a couple of changes to our Snippet model class.\nFirst, let's add a couple of fields. One of those fields will be used to represent the user who created the code snippet. The other field will be used to store the highlighted HTML representation of the code. Add the following two fields to the Snippet model in models.py . owner = models.ForeignKey('auth.User', related_name='snippets')\nhighlighted = models.TextField() We'd also need to make sure that when the model is saved, that we populate the highlighted field, using the pygments code highlighting library. We'll need some extra imports: from pygments.lexers import get_lexer_by_name\nfrom pygments.formatters.html import HtmlFormatter\nfrom pygments import highlight And now we can add a .save() method to our model class: def save(self, *args, **kwargs):\n \"\"\"\n Use the `pygments` library to create a highlighted HTML\n representation of the code snippet.\n \"\"\"\n lexer = get_lexer_by_name(self.language)\n linenos = self.linenos and 'table' or False\n options = self.title and {'title': self.title} or {}\n formatter = HtmlFormatter(style=self.style, linenos=linenos,\n full=True, **options)\n self.highlighted = highlight(self.code, lexer, formatter)\n super(Snippet, self).save(*args, **kwargs) When that's all done we'll need to update our database tables.\nNormally we'd create a database migration in order to do that, but for the purposes of this tutorial, let's just delete the database and start again. rm -f tmp.db db.sqlite3\nrm -r snippets/migrations\npython manage.py makemigrations snippets\npython manage.py migrate You might also want to create a few different users, to use for testing the API. The quickest way to do this will be with the createsuperuser command. python manage.py createsuperuser",
"text":"Now that we've got some users to work with, we'd better add representations of those users to our API. Creating a new serializer is easy. In serializers.py add: from django.contrib.auth.models import User\n\nclass UserSerializer(serializers.ModelSerializer):\n snippets = serializers.PrimaryKeyRelatedField(many=True, queryset=Snippet.objects.all())\n\n class Meta:\n model = User\n fields = ('id', 'username', 'snippets') Because 'snippets' is a reverse relationship on the User model, it will not be included by default when using the ModelSerializer class, so we needed to add an explicit field for it. We'll also add a couple of views to views.py . We'd like to just use read-only views for the user representations, so we'll use the ListAPIView and RetrieveAPIView generic class based views. from django.contrib.auth.models import User\n\n\nclass UserList(generics.ListAPIView):\n queryset = User.objects.all()\n serializer_class = UserSerializer\n\n\nclass UserDetail(generics.RetrieveAPIView):\n queryset = User.objects.all()\n serializer_class = UserSerializer Make sure to also import the UserSerializer class from snippets.serializers import UserSerializer Finally we need to add those views into the API, by referencing them from the URL conf. Add the following to the patterns in urls.py . url(r'^users/$', views.UserList.as_view()),\nurl(r'^users/(?P pk [0-9]+)/$', views.UserDetail.as_view()),",
"text":"Right now, if we created a code snippet, there'd be no way of associating the user that created the snippet, with the snippet instance. The user isn't sent as part of the serialized representation, but is instead a property of the incoming request. The way we deal with that is by overriding a .perform_create() method on our snippet views, that allows us to modify how the instance save is managed, and handle any information that is implicit in the incoming request or requested URL. On the SnippetList view class, add the following method: def perform_create(self, serializer):\n serializer.save(owner=self.request.user) The create() method of our serializer will now be passed an additional 'owner' field, along with the validated data from the request.",
"text":"Now that snippets are associated with the user that created them, let's update our SnippetSerializer to reflect that. Add the following field to the serializer definition in serializers.py : owner = serializers.ReadOnlyField(source='owner.username') Note : Make sure you also add 'owner', to the list of fields in the inner Meta class. This field is doing something quite interesting. The source argument controls which attribute is used to populate a field, and can point at any attribute on the serialized instance. It can also take the dotted notation shown above, in which case it will traverse the given attributes, in a similar way as it is used with Django's template language. The field we've added is the untyped ReadOnlyField class, in contrast to the other typed fields, such as CharField , BooleanField etc... The untyped ReadOnlyField is always read-only, and will be used for serialized representations, but will not be used for updating model instances when they are deserialized. We could have also used CharField(read_only=True) here.",
"text":"Now that code snippets are associated with users, we want to make sure that only authenticated users are able to create, update and delete code snippets. REST framework includes a number of permission classes that we can use to restrict who can access a given view. In this case the one we're looking for is IsAuthenticatedOrReadOnly , which will ensure that authenticated requests get read-write access, and unauthenticated requests get read-only access. First add the following import in the views module from rest_framework import permissions Then, add the following property to both the SnippetList and SnippetDetail view classes. permission_classes = (permissions.IsAuthenticatedOrReadOnly,)",
"text":"If you open a browser and navigate to the browsable API at the moment, you'll find that you're no longer able to create new code snippets. In order to do so we'd need to be able to login as a user. We can add a login view for use with the browsable API, by editing the URLconf in our project-level urls.py file. Add the following import at the top of the file: from django.conf.urls import include And, at the end of the file, add a pattern to include the login and logout views for the browsable API. urlpatterns += [\n url(r'^api-auth/', include('rest_framework.urls',\n namespace='rest_framework')),\n] The r'^api-auth/' part of pattern can actually be whatever URL you want to use. The only restriction is that the included urls must use the 'rest_framework' namespace. In Django 1.9+, REST framework will set the namespace, so you may leave it out. Now if you open up the browser again and refresh the page you'll see a 'Login' link in the top right of the page. If you log in as one of the users you created earlier, you'll be able to create code snippets again. Once you've created a few code snippets, navigate to the '/users/' endpoint, and notice that the representation includes a list of the snippet pks that are associated with each user, in each user's 'snippets' field.",
"text":"Really we'd like all code snippets to be visible to anyone, but also make sure that only the user that created a code snippet is able to update or delete it. To do that we're going to need to create a custom permission. In the snippets app, create a new file, permissions.py from rest_framework import permissions\n\n\nclass IsOwnerOrReadOnly(permissions.BasePermission):\n \"\"\"\n Custom permission to only allow owners of an object to edit it.\n \"\"\"\n\n def has_object_permission(self, request, view, obj):\n # Read permissions are allowed to any request,\n # so we'll always allow GET, HEAD or OPTIONS requests.\n if request.method in permissions.SAFE_METHODS:\n return True\n\n # Write permissions are only allowed to the owner of the snippet.\n return obj.owner == request.user Now we can add that custom permission to our snippet instance endpoint, by editing the permission_classes property on the SnippetDetail view class: permission_classes = (permissions.IsAuthenticatedOrReadOnly,\n IsOwnerOrReadOnly,) Make sure to also import the IsOwnerOrReadOnly class. from snippets.permissions import IsOwnerOrReadOnly Now, if you open a browser again, you find that the 'DELETE' and 'PUT' actions only appear on a snippet instance endpoint if you're logged in as the same user that created the code snippet.",
"text":"Because we now have a set of permissions on the API, we need to authenticate our requests to it if we want to edit any snippets. We haven't set up any authentication classes , so the defaults are currently applied, which are SessionAuthentication and BasicAuthentication . When we interact with the API through the web browser, we can login, and the browser session will then provide the required authentication for the requests. If we're interacting with the API programmatically we need to explicitly provide the authentication credentials on each request. If we try to create a snippet without authenticating, we'll get an error: http POST http://127.0.0.1:8000/snippets/ code=\"print 123\"\n\n{\n \"detail\": \"Authentication credentials were not provided.\"\n} We can make a successful request by including the username and password of one of the users we created earlier. http -a tom:password123 POST http://127.0.0.1:8000/snippets/ code=\"print 789\"\n\n{\n \"id\": 5,\n \"owner\": \"tom\",\n \"title\": \"foo\",\n \"code\": \"print 789\",\n \"linenos\": false,\n \"language\": \"python\",\n \"style\": \"friendly\"\n}",
"text":"We've now got a fairly fine-grained set of permissions on our Web API, and end points for users of the system and for the code snippets that they have created. In part 5 of the tutorial we'll look at how we can tie everything together by creating an HTML endpoint for our highlighted snippets, and improve the cohesion of our API by using hyperlinking for the relationships within the system.",
"text":"At the moment relationships within our API are represented by using primary keys. In this part of the tutorial we'll improve the cohesion and discoverability of our API, by instead using hyperlinking for relationships.",
"text":"Right now we have endpoints for 'snippets' and 'users', but we don't have a single entry point to our API. To create one, we'll use a regular function-based view and the @api_view decorator we introduced earlier. In your snippets/views.py add: from rest_framework.decorators import api_view\nfrom rest_framework.response import Response\nfrom rest_framework.reverse import reverse\n\n\n@api_view(['GET'])\ndef api_root(request, format=None):\n return Response({\n 'users': reverse('user-list', request=request, format=format),\n 'snippets': reverse('snippet-list', request=request, format=format)\n }) Two things should be noticed here. First, we're using REST framework's reverse function in order to return fully-qualified URLs; second, URL patterns are identified by convenience names that we will declare later on in our snippets/urls.py .",
"text":"The other obvious thing that's still missing from our pastebin API is the code highlighting endpoints. Unlike all our other API endpoints, we don't want to use JSON, but instead just present an HTML representation. There are two styles of HTML renderer provided by REST framework, one for dealing with HTML rendered using templates, the other for dealing with pre-rendered HTML. The second renderer is the one we'd like to use for this endpoint. The other thing we need to consider when creating the code highlight view is that there's no existing concrete generic view that we can use. We're not returning an object instance, but instead a property of an object instance. Instead of using a concrete generic view, we'll use the base class for representing instances, and create our own .get() method. In your snippets/views.py add: from rest_framework import renderers\nfrom rest_framework.response import Response\n\nclass SnippetHighlight(generics.GenericAPIView):\n queryset = Snippet.objects.all()\n renderer_classes = (renderers.StaticHTMLRenderer,)\n\n def get(self, request, *args, **kwargs):\n snippet = self.get_object()\n return Response(snippet.highlighted) As usual we need to add the new views that we've created in to our URLconf.\nWe'll add a url pattern for our new API root in snippets/urls.py : url(r'^$', views.api_root), And then add a url pattern for the snippet highlights: url(r'^snippets/(?P pk [0-9]+)/highlight/$', views.SnippetHighlight.as_view()),",
"title":"Creating an endpoint for the highlighted snippets"
"text":"Dealing with relationships between entities is one of the more challenging aspects of Web API design. There are a number of different ways that we might choose to represent a relationship: Using primary keys. Using hyperlinking between entities. Using a unique identifying slug field on the related entity. Using the default string representation of the related entity. Nesting the related entity inside the parent representation. Some other custom representation. REST framework supports all of these styles, and can apply them across forward or reverse relationships, or apply them across custom managers such as generic foreign keys. In this case we'd like to use a hyperlinked style between entities. In order to do so, we'll modify our serializers to extend HyperlinkedModelSerializer instead of the existing ModelSerializer . The HyperlinkedModelSerializer has the following differences from ModelSerializer : It does not include the pk field by default. It includes a url field, using HyperlinkedIdentityField . Relationships use HyperlinkedRelatedField ,\n instead of PrimaryKeyRelatedField . We can easily re-write our existing serializers to use hyperlinking. In your snippets/serializers.py add: class SnippetSerializer(serializers.HyperlinkedModelSerializer):\n owner = serializers.ReadOnlyField(source='owner.username')\n highlight = serializers.HyperlinkedIdentityField(view_name='snippet-highlight', format='html')\n\n class Meta:\n model = Snippet\n fields = ('url', 'highlight', 'owner',\n 'title', 'code', 'linenos', 'language', 'style')\n\n\nclass UserSerializer(serializers.HyperlinkedModelSerializer):\n snippets = serializers.HyperlinkedRelatedField(many=True, view_name='snippet-detail', read_only=True)\n\n class Meta:\n model = User\n fields = ('url', 'username', 'snippets') Notice that we've also added a new 'highlight' field. This field is of the same type as the url field, except that it points to the 'snippet-highlight' url pattern, instead of the 'snippet-detail' url pattern. Because we've included format suffixed URLs such as '.json' , we also need to indicate on the highlight field that any format suffixed hyperlinks it returns should use the '.html' suffix.",
"text":"If we're going to have a hyperlinked API, we need to make sure we name our URL patterns. Let's take a look at which URL patterns we need to name. The root of our API refers to 'user-list' and 'snippet-list' . Our snippet serializer includes a field that refers to 'snippet-highlight' . Our user serializer includes a field that refers to 'snippet-detail' . Our snippet and user serializers include 'url' fields that by default will refer to '{model_name}-detail' , which in this case will be 'snippet-detail' and 'user-detail' . After adding all those names into our URLconf, our final snippets/urls.py file should look like this: from django.conf.urls import url, include\nfrom rest_framework.urlpatterns import format_suffix_patterns\nfrom snippets import views\n\n# API endpoints\nurlpatterns = format_suffix_patterns([\n url(r'^$', views.api_root),\n url(r'^snippets/$',\n views.SnippetList.as_view(),\n name='snippet-list'),\n url(r'^snippets/(?P pk [0-9]+)/$',\n views.SnippetDetail.as_view(),\n name='snippet-detail'),\n url(r'^snippets/(?P pk [0-9]+)/highlight/$',\n views.SnippetHighlight.as_view(),\n name='snippet-highlight'),\n url(r'^users/$',\n views.UserList.as_view(),\n name='user-list'),\n url(r'^users/(?P pk [0-9]+)/$',\n views.UserDetail.as_view(),\n name='user-detail')\n])\n\n# Login and logout views for the browsable API\nurlpatterns += [\n url(r'^api-auth/', include('rest_framework.urls',\n namespace='rest_framework')),\n]",
"text":"The list views for users and code snippets could end up returning quite a lot of instances, so really we'd like to make sure we paginate the results, and allow the API client to step through each of the individual pages. We can change the default list style to use pagination, by modifying our tutorial/settings.py file slightly. Add the following setting: REST_FRAMEWORK = {\n 'PAGE_SIZE': 10\n} Note that settings in REST framework are all namespaced into a single dictionary setting, named 'REST_FRAMEWORK', which helps keep them well separated from your other project settings. We could also customize the pagination style if we needed too, but in this case we'll just stick with the default.",
"text":"If we open a browser and navigate to the browsable API, you'll find that you can now work your way around the API simply by following links. You'll also be able to see the 'highlight' links on the snippet instances, that will take you to the highlighted code HTML representations. In part 6 of the tutorial we'll look at how we can use ViewSets and Routers to reduce the amount of code we need to build our API.",
"text":"Tutorial 6: ViewSets \n Routers\n\n\nREST framework includes an abstraction for dealing with \nViewSets\n, that allows the developer to concentrate on modeling the state and interactions of the API, and leave the URL construction to be handled automatically, based on common conventions.\n\n\nViewSet\n classes are almost the same thing as \nView\n classes, except that they provide operations such as \nread\n, or \nupdate\n, and not method handlers such as \nget\n or \nput\n.\n\n\nA \nViewSet\n class is only bound to a set of method handlers at the last moment, when it is instantiated into a set of views, typically by using a \nRouter\n class which handles the complexities of defining the URL conf for you.\n\n\nRefactoring to use ViewSets\n\n\nLet's take our current set of views, and refactor them into view sets.\n\n\nFirst of all let's refactor our \nUserList\n and \nUserDetail\n views into a single \nUserViewSet\n. We can remove the two views, and replace them with a single class:\n\n\nfrom rest_framework import viewsets\n\nclass UserViewSet(viewsets.ReadOnlyModelViewSet):\n \"\"\"\n This viewset automatically provides `list` and `detail` actions.\n \"\"\"\n queryset = User.objects.all()\n serializer_class = UserSerializer\n\n\n\nHere we've used the \nReadOnlyModelViewSet\n class to automatically provide the default 'read-only' operations. We're still setting the \nqueryset\n and \nserializer_class\n attributes exactly as we did when we were using regular views, but we no longer need to provide the same information to two separate classes.\n\n\nNext we're going to replace the \nSnippetList\n, \nSnippetDetail\n and \nSnippetHighlight\n view classes. We can remove the three views, and again replace them with a single class.\n\n\nfrom rest_framework.decorators import detail_route\n\nclass SnippetViewSet(viewsets.ModelViewSet):\n \"\"\"\n This viewset automatically provides `list`, `create`, `retrieve`,\n `update` and `destroy` actions.\n\n Additionally we also provide an extra `highlight` action.\n \"\"\"\nqueryset=Snippet.objects.all()\nserializer_class=SnippetSerializer\npermission_classes=(permissions.IsAuthenticatedOrReadOnly,\nIsOwnerOrReadOnly,)\n\n@detail_route(renderer_classes=[renderers.StaticHTMLRenderer])\ndefhighlight(self,request,*args,**kwargs):\nsnippet=self.get_object()\nreturnResponse(snippet.highlighted)\n\ndefperform_create(self,serializer):\nserializer.save(owner=self.request.user)\n\n\n\nThistimewe'veusedthe\nModelViewSet\nclassinordertogetthecompletesetofdefaultreadandwriteoperations.\n\n\nNoticethatwe'vealsousedthe\n@detail_route\ndecoratortocreateacustomaction,named\nhighlight\n.Thisdecoratorcanbeusedtoaddanycustomendpointsthatdon'tfitintothestandard\ncreate\n/\nupdate\n/\ndelete\nstyle.\n\n\nCustomactionswhichusethe\n@detail_route\ndecoratorwillrespondto\nGET\nrequests.Wecanusethe\nmethods\nargumentifwewantedanactionthatrespondedto\nPOST\nrequests.\n\n\nTheURLsforcustomactionsbydefaultdependonthemethodnameitself.Ifyouwanttochangethewayurlshouldbeconstructed,youcanincludeurl_pathasadecoratorkeywordargument.\n\n\nBindingViewSetstoURLsexplicitly\n\n\nThehandlermethodsonlygetboundtotheactionswhenwedefinetheURLConf.\nToseewhat'sgoingonunderthehoodlet'sfirstexplicitlycreateasetofviewsfromourViewSets.\n\n\nInthe\nurls.py\nfilewebindour\nViewSet\nclassesintoasetofconcreteviews.\n\n\nfromsnippets.viewsimportSnippetViewSet,UserViewSet,api_root\nfromrest_frameworkimportrenderers\n\nsnippet_list=SnippetViewSet.as_view({\n'get':'list',\n'post':'create'\n})\nsnippet_detail=SnippetViewSet.as_view({\n'get':'retrieve',\n'put':'update',\n'patch':'partial_update',\n'delete':'destroy'\n})\nsnippet_highlight=SnippetViewSet.as_view({\n'get':'highlight'\n},renderer_classes=
"text":"REST framework includes an abstraction for dealing with ViewSets , that allows the developer to concentrate on modeling the state and interactions of the API, and leave the URL construction to be handled automatically, based on common conventions. ViewSet classes are almost the same thing as View classes, except that they provide operations such as read , or update , and not method handlers such as get or put . A ViewSet class is only bound to a set of method handlers at the last moment, when it is instantiated into a set of views, typically by using a Router class which handles the complexities of defining the URL conf for you.",
"text":"Let's take our current set of views, and refactor them into view sets. First of all let's refactor our UserList and UserDetail views into a single UserViewSet . We can remove the two views, and replace them with a single class: from rest_framework import viewsets\n\nclass UserViewSet(viewsets.ReadOnlyModelViewSet):\n \"\"\"\n This viewset automatically provides `list` and `detail` actions.\n \"\"\"\n queryset = User.objects.all()\n serializer_class = UserSerializer Here we've used the ReadOnlyModelViewSet class to automatically provide the default 'read-only' operations. We're still setting the queryset and serializer_class attributes exactly as we did when we were using regular views, but we no longer need to provide the same information to two separate classes. Next we're going to replace the SnippetList , SnippetDetail and SnippetHighlight view classes. We can remove the three views, and again replace them with a single class. from rest_framework.decorators import detail_route\n\nclass SnippetViewSet(viewsets.ModelViewSet):\n \"\"\"\n This viewset automatically provides `list`, `create`, `retrieve`,\n `update` and `destroy` actions.\n\n Additionally we also provide an extra `highlight` action.\n \"\"\"\n queryset = Snippet.objects.all()\n serializer_class = SnippetSerializer\n permission_classes = (permissions.IsAuthenticatedOrReadOnly,\n IsOwnerOrReadOnly,)\n\n @detail_route(renderer_classes=[renderers.StaticHTMLRenderer])\n def highlight(self, request, *args, **kwargs):\n snippet = self.get_object()\n return Response(snippet.highlighted)\n\n def perform_create(self, serializer):\n serializer.save(owner=self.request.user) This time we've used the ModelViewSet class in order to get the complete set of default read and write operations. Notice that we've also used the @detail_route decorator to create a custom action, named highlight . This decorator can be used to add any custom endpoints that don't fit into the standard create / update / delete style. Custom actions which use the @detail_route decorator will respond to GET requests. We can use the methods argument if we wanted an action that responded to POST requests. The URLs for custom actions by default depend on the method name itself. If you want to change the way url should be constructed, you can include url_path as a decorator keyword argument.",
"text":"The handler methods only get bound to the actions when we define the URLConf.\nTo see what's going on under the hood let's first explicitly create a set of views from our ViewSets. In the urls.py file we bind our ViewSet classes into a set of concrete views. from snippets.views import SnippetViewSet, UserViewSet, api_root\nfrom rest_framework import renderers\n\nsnippet_list = SnippetViewSet.as_view({\n 'get': 'list',\n 'post': 'create'\n})\nsnippet_detail = SnippetViewSet.as_view({\n 'get': 'retrieve',\n 'put': 'update',\n 'patch': 'partial_update',\n 'delete': 'destroy'\n})\nsnippet_highlight = SnippetViewSet.as_view({\n 'get': 'highlight'\n}, renderer_classes=[renderers.StaticHTMLRenderer])\nuser_list = UserViewSet.as_view({\n 'get': 'list'\n})\nuser_detail = UserViewSet.as_view({\n 'get': 'retrieve'\n}) Notice how we're creating multiple views from each ViewSet class, by binding the http methods to the required action for each view. Now that we've bound our resources into concrete views, we can register the views with the URL conf as usual. urlpatterns = format_suffix_patterns([\n url(r'^$', api_root),\n url(r'^snippets/$', snippet_list, name='snippet-list'),\n url(r'^snippets/(?P pk [0-9]+)/$', snippet_detail, name='snippet-detail'),\n url(r'^snippets/(?P pk [0-9]+)/highlight/$', snippet_highlight, name='snippet-highlight'),\n url(r'^users/$', user_list, name='user-list'),\n url(r'^users/(?P pk [0-9]+)/$', user_detail, name='user-detail')\n])",
"text":"Because we're using ViewSet classes rather than View classes, we actually don't need to design the URL conf ourselves. The conventions for wiring up resources into views and urls can be handled automatically, using a Router class. All we need to do is register the appropriate view sets with a router, and let it do the rest. Here's our re-wired urls.py file. from django.conf.urls import url, include\nfrom snippets import views\nfrom rest_framework.routers import DefaultRouter\n\n# Create a router and register our viewsets with it.\nrouter = DefaultRouter()\nrouter.register(r'snippets', views.SnippetViewSet)\nrouter.register(r'users', views.UserViewSet)\n\n# The API URLs are now determined automatically by the router.\n# Additionally, we include the login URLs for the browsable API.\nurlpatterns = [\n url(r'^', include(router.urls)),\n url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework'))\n] Registering the viewsets with the router is similar to providing a urlpattern. We include two arguments - the URL prefix for the views, and the viewset itself. The DefaultRouter class we're using also automatically creates the API root view for us, so we can now delete the api_root method from our views module.",
"text":"Using viewsets can be a really useful abstraction. It helps ensure that URL conventions will be consistent across your API, minimizes the amount of code you need to write, and allows you to concentrate on the interactions and representations your API provides rather than the specifics of the URL conf. That doesn't mean it's always the right approach to take. There's a similar set of trade-offs to consider as when using class-based views instead of function based views. Using viewsets is less explicit than building your views individually.",
"text":"With an incredibly small amount of code, we've now got a complete pastebin Web API, which is fully web browsable, and comes complete with authentication, per-object permissions, and multiple renderer formats. We've walked through each step of the design process, and seen how if we need to customize anything we can gradually work our way down to simply using regular Django views. You can review the final tutorial code on GitHub, or try out a live example in the sandbox .",
"text":"We've reached the end of our tutorial. If you want to get more involved in the REST framework project, here are a few places you can start: Contribute on GitHub by reviewing and submitting issues, and making pull requests. Join the REST framework discussion group , and help build the community. Follow the author on Twitter and say hi. Now go build awesome things.",
"text":"If you're doing REST-based web service stuff ... you should ignore request.POST. Malcom Tredinnick, Django developers group REST framework's Request class extends the standard HttpRequest , adding support for REST framework's flexible request parsing and request authentication.",
"text":"REST framework's Request objects provide flexible request parsing that allows you to treat requests with JSON data or other media types in the same way that you would normally deal with form data.",
"title":"Request parsing"
},
{
"location":"/api-guide/requests/#data",
"text":"request.data returns the parsed content of the request body. This is similar to the standard request.POST and request.FILES attributes except that: It includes all parsed content, including file and non-file inputs. It supports parsing the content of HTTP methods other than POST , meaning that you can access the content of PUT and PATCH requests. It supports REST framework's flexible request parsing, rather than just supporting form data. For example you can handle incoming JSON data in the same way that you handle incoming form data. For more details see the parsers documentation .",
"title":".data"
},
{
"location":"/api-guide/requests/#query_params",
"text":"request.query_params is a more correctly named synonym for request.GET . For clarity inside your code, we recommend using request.query_params instead of the Django's standard request.GET . Doing so will help keep your codebase more correct and obvious - any HTTP method type may include query parameters, not just GET requests.",
"title":".query_params"
},
{
"location":"/api-guide/requests/#parsers",
"text":"The APIView class or @api_view decorator will ensure that this property is automatically set to a list of Parser instances, based on the parser_classes set on the view or based on the DEFAULT_PARSER_CLASSES setting. You won't typically need to access this property. Note: If a client sends malformed content, then accessing request.data may raise a ParseError . By default REST framework's APIView class or @api_view decorator will catch the error and return a 400 Bad Request response. If a client sends a request with a content-type that cannot be parsed then a UnsupportedMediaType exception will be raised, which by default will be caught and return a 415 Unsupported Media Type response.",
"text":"The request exposes some properties that allow you to determine the result of the content negotiation stage. This allows you to implement behaviour such as selecting a different serialisation schemes for different media types.",
"text":"A string representing the media type that was accepted by the content negotiation stage.",
"title":".accepted_media_type"
},
{
"location":"/api-guide/requests/#authentication",
"text":"REST framework provides flexible, per-request authentication, that gives you the ability to: Use different authentication policies for different parts of your API. Support the use of multiple authentication policies. Provide both user and token information associated with the incoming request.",
"title":"Authentication"
},
{
"location":"/api-guide/requests/#user",
"text":"request.user typically returns an instance of django.contrib.auth.models.User , although the behavior depends on the authentication policy being used. If the request is unauthenticated the default value of request.user is an instance of django.contrib.auth.models.AnonymousUser . For more details see the authentication documentation .",
"title":".user"
},
{
"location":"/api-guide/requests/#auth",
"text":"request.auth returns any additional authentication context. The exact behavior of request.auth depends on the authentication policy being used, but it may typically be an instance of the token that the request was authenticated against. If the request is unauthenticated, or if no additional context is present, the default value of request.auth is None . For more details see the authentication documentation .",
"title":".auth"
},
{
"location":"/api-guide/requests/#authenticators",
"text":"The APIView class or @api_view decorator will ensure that this property is automatically set to a list of Authentication instances, based on the authentication_classes set on the view or based on the DEFAULT_AUTHENTICATORS setting. You won't typically need to access this property.",
"text":"REST framework supports a few browser enhancements such as browser-based PUT , PATCH and DELETE forms.",
"title":"Browser enhancements"
},
{
"location":"/api-guide/requests/#method",
"text":"request.method returns the uppercased string representation of the request's HTTP method. Browser-based PUT , PATCH and DELETE forms are transparently supported. For more information see the browser enhancements documentation .",
"title":".method"
},
{
"location":"/api-guide/requests/#content_type",
"text":"request.content_type , returns a string object representing the media type of the HTTP request's body, or an empty string if no media type was provided. You won't typically need to directly access the request's content type, as you'll normally rely on REST framework's default request parsing behavior. If you do need to access the content type of the request you should use the .content_type property in preference to using request.META.get('HTTP_CONTENT_TYPE') , as it provides transparent support for browser-based non-form content. For more information see the browser enhancements documentation .",
"text":"request.stream returns a stream representing the content of the request body. You won't typically need to directly access the request's content, as you'll normally rely on REST framework's default request parsing behavior.",
"text":"As REST framework's Request extends Django's HttpRequest , all the other standard attributes and methods are also available. For example the request.META and request.session dictionaries are available as normal. Note that due to implementation reasons the Request class does not inherit from HttpRequest class, but instead extends the class using composition.",
"text":"Unlike basic HttpResponse objects, TemplateResponse objects retain the details of the context that was provided by the view to compute the response. The final output of the response is not computed until it is needed, later in the response process. Django documentation REST framework supports HTTP content negotiation by providing a Response class which allows you to return content that can be rendered into multiple content types, depending on the client request. The Response class subclasses Django's SimpleTemplateResponse . Response objects are initialised with data, which should consist of native Python primitives. REST framework then uses standard HTTP content negotiation to determine how it should render the final response content. There's no requirement for you to use the Response class, you can also return regular HttpResponse or StreamingHttpResponse objects from your views if required. Using the Response class simply provides a nicer interface for returning content-negotiated Web API responses, that can be rendered to multiple formats. Unless you want to heavily customize REST framework for some reason, you should always use an APIView class or @api_view function for views that return Response objects. Doing so ensures that the view can perform content negotiation and select the appropriate renderer for the response, before it is returned from the view.",
"text":"Signature: Response(data, status=None, template_name=None, headers=None, content_type=None) Unlike regular HttpResponse objects, you do not instantiate Response objects with rendered content. Instead you pass in unrendered data, which may consist of any Python primitives. The renderers used by the Response class cannot natively handle complex datatypes such as Django model instances, so you need to serialize the data into primitive datatypes before creating the Response object. You can use REST framework's Serializer classes to perform this data serialization, or use your own custom serialization. Arguments: data : The serialized data for the response. status : A status code for the response. Defaults to 200. See also status codes . template_name : A template name to use if HTMLRenderer is selected. headers : A dictionary of HTTP headers to use in the response. content_type : The content type of the response. Typically, this will be set automatically by the renderer as determined by content negotiation, but there may be some cases where you need to specify the content type explicitly.",
"title":"Response()"
},
{
"location":"/api-guide/responses/#attributes",
"text":"",
"title":"Attributes"
},
{
"location":"/api-guide/responses/#data",
"text":"The unrendered content of a Request object.",
"title":".data"
},
{
"location":"/api-guide/responses/#status_code",
"text":"The numeric status code of the HTTP response.",
"title":".status_code"
},
{
"location":"/api-guide/responses/#content",
"text":"The rendered content of the response. The .render() method must have been called before .content can be accessed.",
"title":".content"
},
{
"location":"/api-guide/responses/#template_name",
"text":"The template_name , if supplied. Only required if HTMLRenderer or some other custom template renderer is the accepted renderer for the response.",
"text":"The renderer instance that will be used to render the response. Set automatically by the APIView or @api_view immediately before the response is returned from the view.",
"text":"The media type that was selected by the content negotiation stage. Set automatically by the APIView or @api_view immediately before the response is returned from the view.",
"text":"A dictionary of additional context information that will be passed to the renderer's .render() method. Set automatically by the APIView or @api_view immediately before the response is returned from the view.",
"text":"The Response class extends SimpleTemplateResponse , and all the usual attributes and methods are also available on the response. For example you can set headers on the response in the standard way: response = Response()\nresponse['Cache-Control'] = 'no-cache'",
"title":"Standard HttpResponse attributes"
},
{
"location":"/api-guide/responses/#render",
"text":"Signature: .render() As with any other TemplateResponse , this method is called to render the serialized data of the response into the final response content. When .render() is called, the response content will be set to the result of calling the .render(data, accepted_media_type, renderer_context) method on the accepted_renderer instance. You won't typically need to call .render() yourself, as it's handled by Django's standard response cycle.",
"title":".render()"
},
{
"location":"/api-guide/views/",
"text":"Class Based Views\n\n\n\n\nDjango's class based views are a welcome departure from the old-style views.\n\n\n \nReinout van Rees\n\n\n\n\nREST framework provides an \nAPIView\n class, which subclasses Django's \nView\n class.\n\n\nAPIView\n classes are different from regular \nView\n classes in the following ways:\n\n\n\n\nRequests passed to the handler methods will be REST framework's \nRequest\n instances, not Django's \nHttpRequest\n instances.\n\n\nHandler methods may return REST framework's \nResponse\n, instead of Django's \nHttpResponse\n. The view will manage content negotiation and setting the correct renderer on the response.\n\n\nAny \nAPIException\n exceptions will be caught and mediated into appropriate responses.\n\n\nIncoming requests will be authenticated and appropriate permission and/or throttle checks will be run before dispatching the request to the handler method.\n\n\n\n\nUsing the \nAPIView\n class is pretty much the same as using a regular \nView\n class, as usual, the incoming request is dispatched to an appropriate handler method such as \n.get()\n or \n.post()\n. Additionally, a number of attributes may be set on the class that control various aspects of the API policy.\n\n\nFor example:\n\n\nfrom rest_framework.views import APIView\nfrom rest_framework.response import Response\nfrom rest_framework import authentication, permissions\n\nclass ListUsers(APIView):\n \"\"\"\n View to list all users in the system.\n\n * Requires token authentication.\n * Only admin users are able to access this view.\n \"\"\"\n authentication_classes = (authentication.TokenAuthentication,)\n permission_classes = (permissions.IsAdminUser,)\n\n def get(self, request, format=None):\n \"\"\"\n Return a list of all users.\n \"\"\"\nusernames=[user.usernameforuserinUser.objects.all()]\nreturnResponse(usernames)\n\n\n\nAPIpolicyattributes\n\n\nThefollowingattributescontrolthepluggableaspectsofAPIviews.\n\n\n.renderer_classes\n\n\n.parser_classes\n\n\n.authentication_classes\n\n\n.throttle_classes\n\n\n.permission_classes\n\n\n.content_negotiation_class\n\n\nAPIpolicyinstantiationmethods\n\n\nThefollowingmethodsareusedbyRESTframeworktoinstantiatethevariouspluggableAPIpolicies.Youwon'ttypicallyneedtooverridethesemethods.\n\n\n.get_renderers(self)\n\n\n.get_parsers(self)\n\n\n.get_authenticators(self)\n\n\n.get_throttles(self)\n\n\n.get_permissions(self)\n\n\n.get_content_negotiator(self)\n\n\nAPIpolicyimplementationmethods\n\n\nThefollowingmethodsarecalledbeforedispatchingtothehandlermethod.\n\n\n.check_permissions(self,request)\n\n\n.check_throttles(self,request)\n\n\n.perform_content_negotiation(self,request,force=False)\n\n\nDispatchmethods\n\n\nThefollowingmethodsarecalleddirectlybytheview's\n.dispatch()\nmethod.\nTheseperformanyactionsthatneedtooccurbeforeoraftercallingthehandlermethodssuchas\n.get()\n,\n.post()\n,\nput()\n,\npatch()\nand\n.delete()\n.\n\n\n.initial(self,request,*args,**kwargs)\n\n\nPerformsanyactionsthatneedtooccurbeforethehandlermethodgetscalled.\nThismethodisusedtoenforcepermissionsandthrottling,andperformcontentnegotiation.\n\n\nYouwon'ttypicallyneedtooverridethismethod.\n\n\n.handle_exception(self,exc)\n\n\nAnyexceptionthrownbythehandlermethodwillbepassedtothismethod,whicheitherreturnsa\nResponse\ninstance,orre-raisestheexception.\n\n\nThedefaultimplementationhandlesanysubclassof\nrest_framework.exceptions.APIException\n,aswellasDjango's\nHttp404\nand\nPermissionDenied\nexceptions,andreturnsanappropriateerrorresponse.\n\n\nIfyouneedtocustomizetheerrorresponsesyourAPIreturnsyoushouldsubclassthismethod.\n\n\n.initialize_request(self,request,*args,**kwargs)\n\n\nEnsuresthattherequestobjectthatispassedtothehandlermethodisaninstanceof\nRequest\n,ratherthantheusualDjango\nHttpRequest\n.\n\n\nYouwon'ttypicallyn
"title":"Views"
},
{
"location":"/api-guide/views/#class-based-views",
"text":"Django's class based views are a welcome departure from the old-style views. Reinout van Rees REST framework provides an APIView class, which subclasses Django's View class. APIView classes are different from regular View classes in the following ways: Requests passed to the handler methods will be REST framework's Request instances, not Django's HttpRequest instances. Handler methods may return REST framework's Response , instead of Django's HttpResponse . The view will manage content negotiation and setting the correct renderer on the response. Any APIException exceptions will be caught and mediated into appropriate responses. Incoming requests will be authenticated and appropriate permission and/or throttle checks will be run before dispatching the request to the handler method. Using the APIView class is pretty much the same as using a regular View class, as usual, the incoming request is dispatched to an appropriate handler method such as .get() or .post() . Additionally, a number of attributes may be set on the class that control various aspects of the API policy. For example: from rest_framework.views import APIView\nfrom rest_framework.response import Response\nfrom rest_framework import authentication, permissions\n\nclass ListUsers(APIView):\n \"\"\"\n View to list all users in the system.\n\n * Requires token authentication.\n * Only admin users are able to access this view.\n \"\"\"\n authentication_classes = (authentication.TokenAuthentication,)\n permission_classes = (permissions.IsAdminUser,)\n\n def get(self, request, format=None):\n \"\"\"\n Return a list of all users.\n \"\"\"\n usernames = [user.username for user in User.objects.all()]\n return Response(usernames)",
"text":"The following attributes control the pluggable aspects of API views. .renderer_classes .parser_classes .authentication_classes .throttle_classes .permission_classes .content_negotiation_class",
"text":"The following methods are used by REST framework to instantiate the various pluggable API policies. You won't typically need to override these methods. .get_renderers(self) .get_parsers(self) .get_authenticators(self) .get_throttles(self) .get_permissions(self) .get_content_negotiator(self)",
"text":"The following methods are called before dispatching to the handler method. .check_permissions(self, request) .check_throttles(self, request) .perform_content_negotiation(self, request, force=False)",
"title":"API policy implementation methods"
},
{
"location":"/api-guide/views/#dispatch-methods",
"text":"The following methods are called directly by the view's .dispatch() method.\nThese perform any actions that need to occur before or after calling the handler methods such as .get() , .post() , put() , patch() and .delete() . .initial(self, request, *args, **kwargs) Performs any actions that need to occur before the handler method gets called.\nThis method is used to enforce permissions and throttling, and perform content negotiation. You won't typically need to override this method. .handle_exception(self, exc) Any exception thrown by the handler method will be passed to this method, which either returns a Response instance, or re-raises the exception. The default implementation handles any subclass of rest_framework.exceptions.APIException , as well as Django's Http404 and PermissionDenied exceptions, and returns an appropriate error response. If you need to customize the error responses your API returns you should subclass this method. .initialize_request(self, request, *args, **kwargs) Ensures that the request object that is passed to the handler method is an instance of Request , rather than the usual Django HttpRequest . You won't typically need to override this method. .finalize_response(self, request, response, *args, **kwargs) Ensures that any Response object returned from the handler method will be rendered into the correct content type, as determined by the content negotiation. You won't typically need to override this method.",
"text":"Saying [that Class based views] is always the superior solution is a mistake. Nick Coghlan REST framework also allows you to work with regular function based views. It provides a set of simple decorators that wrap your function based views to ensure they receive an instance of Request (rather than the usual Django HttpRequest ) and allows them to return a Response (instead of a Django HttpResponse ), and allow you to configure how the request is processed.",
"title":"Function Based Views"
},
{
"location":"/api-guide/views/#api_view",
"text":"Signature: @api_view(http_method_names=['GET']) The core of this functionality is the api_view decorator, which takes a list of HTTP methods that your view should respond to. For example, this is how you would write a very simple view that just manually returns some data: from rest_framework.decorators import api_view\n\n@api_view()\ndef hello_world(request):\n return Response({\"message\": \"Hello, world!\"}) This view will use the default renderers, parsers, authentication classes etc specified in the settings . By default only GET methods will be accepted. Other methods will respond with \"405 Method Not Allowed\". To alter this behavior, specify which methods the view allows, like so: @api_view(['GET', 'POST'])\ndef hello_world(request):\n if request.method == 'POST':\n return Response({\"message\": \"Got some data!\", \"data\": request.data})\n return Response({\"message\": \"Hello, world!\"})",
"text":"To override the default settings, REST framework provides a set of additional decorators which can be added to your views. These must come after (below) the @api_view decorator. For example, to create a view that uses a throttle to ensure it can only be called once per day by a particular user, use the @throttle_classes decorator, passing a list of throttle classes: from rest_framework.decorators import api_view, throttle_classes\nfrom rest_framework.throttling import UserRateThrottle\n\nclass OncePerDayUserThrottle(UserRateThrottle):\n rate = '1/day'\n\n@api_view(['GET'])\n@throttle_classes([OncePerDayUserThrottle])\ndef view(request):\n return Response({\"message\": \"Hello for today! See you tomorrow!\"}) These decorators correspond to the attributes set on APIView subclasses, described above. The available decorators are: @renderer_classes(...) @parser_classes(...) @authentication_classes(...) @throttle_classes(...) @permission_classes(...) Each of these decorators takes a single argument which must be a list or tuple of classes.",
"text":"Django\u2019s generic views... were developed as a shortcut for common usage patterns... They take certain common idioms and patterns found in view development and abstract them so that you can quickly write common views of data without having to repeat yourself. Django Documentation One of the key benefits of class based views is the way they allow you to compose bits of reusable behavior. REST framework takes advantage of this by providing a number of pre-built views that provide for commonly used patterns. The generic views provided by REST framework allow you to quickly build API views that map closely to your database models. If the generic views don't suit the needs of your API, you can drop down to using the regular APIView class, or reuse the mixins and base classes used by the generic views to compose your own set of reusable generic views.",
"text":"Typically when using the generic views, you'll override the view, and set several class attributes. from django.contrib.auth.models import User\nfrom myapp.serializers import UserSerializer\nfrom rest_framework import generics\nfrom rest_framework.permissions import IsAdminUser\n\nclass UserList(generics.ListCreateAPIView):\n queryset = User.objects.all()\n serializer_class = UserSerializer\n permission_classes = (IsAdminUser,) For more complex cases you might also want to override various methods on the view class. For example. class UserList(generics.ListCreateAPIView):\n queryset = User.objects.all()\n serializer_class = UserSerializer\n permission_classes = (IsAdminUser,)\n\n def list(self, request):\n # Note the use of `get_queryset()` instead of `self.queryset`\n queryset = self.get_queryset()\n serializer = UserSerializer(queryset, many=True)\n return Response(serializer.data) For very simple cases you might want to pass through any class attributes using the .as_view() method. For example, your URLconf might include something like the following entry: url(r'^/users/', ListCreateAPIView.as_view(queryset=User.objects.all(), serializer_class=UserSerializer), name='user-list')",
"text":"The mixin classes provide the actions that are used to provide the basic view behavior. Note that the mixin classes provide action methods rather than defining the handler methods, such as .get() and .post() , directly. This allows for more flexible composition of behavior. The mixin classes can be imported from rest_framework.mixins .",
"text":"Provides a .list(request, *args, **kwargs) method, that implements listing a queryset. If the queryset is populated, this returns a 200 OK response, with a serialized representation of the queryset as the body of the response. The response data may optionally be paginated.",
"text":"Provides a .create(request, *args, **kwargs) method, that implements creating and saving a new model instance. If an object is created this returns a 201 Created response, with a serialized representation of the object as the body of the response. If the representation contains a key named url , then the Location header of the response will be populated with that value. If the request data provided for creating the object was invalid, a 400 Bad Request response will be returned, with the error details as the body of the response.",
"text":"Provides a .retrieve(request, *args, **kwargs) method, that implements returning an existing model instance in a response. If an object can be retrieved this returns a 200 OK response, with a serialized representation of the object as the body of the response. Otherwise it will return a 404 Not Found .",
"text":"Provides a .update(request, *args, **kwargs) method, that implements updating and saving an existing model instance. Also provides a .partial_update(request, *args, **kwargs) method, which is similar to the update method, except that all fields for the update will be optional. This allows support for HTTP PATCH requests. If an object is updated this returns a 200 OK response, with a serialized representation of the object as the body of the response. If an object is created, for example when making a DELETE request followed by a PUT request to the same URL, this returns a 201 Created response, with a serialized representation of the object as the body of the response. If the request data provided for updating the object was invalid, a 400 Bad Request response will be returned, with the error details as the body of the response.",
"text":"Provides a .destroy(request, *args, **kwargs) method, that implements deletion of an existing model instance. If an object is deleted this returns a 204 No Content response, otherwise it will return a 404 Not Found .",
"text":"The following classes are the concrete generic views. If you're using generic views this is normally the level you'll be working at unless you need heavily customized behavior. The view classes can be imported from rest_framework.generics .",
"text":"Used for read-only endpoints to represent a collection of model instances . Provides a get method handler. Extends: GenericAPIView , ListModelMixin",
"text":"Used for read-only endpoints to represent a single model instance . Provides a get method handler. Extends: GenericAPIView , RetrieveModelMixin",
"text":"Used for update-only endpoints for a single model instance . Provides put and patch method handlers. Extends: GenericAPIView , UpdateModelMixin",
"text":"Used for read-write endpoints to represent a collection of model instances . Provides get and post method handlers. Extends: GenericAPIView , ListModelMixin , CreateModelMixin",
"text":"Used for read or update endpoints to represent a single model instance . Provides get , put and patch method handlers. Extends: GenericAPIView , RetrieveModelMixin , UpdateModelMixin",
"text":"Used for read or delete endpoints to represent a single model instance . Provides get and delete method handlers. Extends: GenericAPIView , RetrieveModelMixin , DestroyModelMixin",
"text":"Used for read-write-delete endpoints to represent a single model instance . Provides get , put , patch and delete method handlers. Extends: GenericAPIView , RetrieveModelMixin , UpdateModelMixin , DestroyModelMixin",
"text":"Often you'll want to use the existing generic views, but use some slightly customized behavior. If you find yourself reusing some bit of customized behavior in multiple places, you might want to refactor the behavior into a common class that you can then just apply to any view or viewset as needed.",
"text":"For example, if you need to lookup objects based on multiple fields in the URL conf, you could create a mixin class like the following: class MultipleFieldLookupMixin(object):\n \"\"\"\n Apply this mixin to any view or viewset to get multiple field filtering\n based on a `lookup_fields` attribute, instead of the default single field filtering.\n \"\"\"\n def get_object(self):\n queryset = self.get_queryset() # Get the base queryset\n queryset = self.filter_queryset(queryset) # Apply any filter backends\n filter = {}\n for field in self.lookup_fields:\n filter[field] = self.kwargs[field]\n return get_object_or_404(queryset, **filter) # Lookup the object You can then simply apply this mixin to a view or viewset anytime you need to apply the custom behavior. class RetrieveUserView(MultipleFieldLookupMixin, generics.RetrieveAPIView):\n queryset = User.objects.all()\n serializer_class = UserSerializer\n lookup_fields = ('account', 'username') Using custom mixins is a good option if you have custom behavior that needs to be used.",
"text":"If you are using a mixin across multiple views, you can take this a step further and create your own set of base views that can then be used throughout your project. For example: class BaseRetrieveView(MultipleFieldLookupMixin,\n generics.RetrieveAPIView):\n pass\n\nclass BaseRetrieveUpdateDestroyView(MultipleFieldLookupMixin,\n generics.RetrieveUpdateDestroyAPIView):\n pass Using custom base classes is a good option if you have custom behavior that consistently needs to be repeated across a large number of views throughout your project.",
"text":"Prior to version 3.0 the REST framework mixins treated PUT as either an update or a create operation, depending on if the object already existed or not. Allowing PUT as create operations is problematic, as it necessarily exposes information about the existence or non-existence of objects. It's also not obvious that transparently allowing re-creating of previously deleted instances is necessarily a better default behavior than simply returning 404 responses. Both styles \" PUT as 404\" and \" PUT as create\" can be valid in different circumstances, but from version 3.0 onwards we now use 404 behavior as the default, due to it being simpler and more obvious. If you need to generic PUT-as-create behavior you may want to include something like this AllowPUTAsCreateMixin class as a mixin to your views.",
"text":"The django-rest-framework-bulk package implements generic view mixins as well as some common concrete generic views to allow to apply bulk operations via API requests.",
"text":"Django Rest Multiple Models provides a generic view (and mixin) for sending multiple serialized models and/or querysets via a single API request.",
"text":"ViewSets\n\n\n\n\nAfter routing has determined which controller to use for a request, your controller is responsible for making sense of the request and producing the appropriate output.\n\n\n \nRuby on Rails Documentation\n\n\n\n\nDjango REST framework allows you to combine the logic for a set of related views in a single class, called a \nViewSet\n. In other frameworks you may also find conceptually similar implementations named something like 'Resources' or 'Controllers'.\n\n\nA \nViewSet\n class is simply \na type of class-based View, that does not provide any method handlers\n such as \n.get()\n or \n.post()\n, and instead provides actions such as \n.list()\n and \n.create()\n.\n\n\nThe method handlers for a \nViewSet\n are only bound to the corresponding actions at the point of finalizing the view, using the \n.as_view()\n method.\n\n\nTypically, rather than explicitly registering the views in a viewset in the urlconf, you'll register the viewset with a router class, that automatically determines the urlconf for you.\n\n\nExample\n\n\nLet's define a simple viewset that can be used to list or retrieve all the users in the system.\n\n\nfrom django.contrib.auth.models import User\nfrom django.shortcuts import get_object_or_404\nfrom myapps.serializers import UserSerializer\nfrom rest_framework import viewsets\nfrom rest_framework.response import Response\n\nclass UserViewSet(viewsets.ViewSet):\n \"\"\"\n A simple ViewSet for listing or retrieving users.\n \"\"\"\n def list(self, request):\n queryset = User.objects.all()\n serializer = UserSerializer(queryset, many=True)\n return Response(serializer.data)\n\n def retrieve(self, request, pk=None):\n queryset = User.objects.all()\n user = get_object_or_404(queryset, pk=pk)\n serializer = UserSerializer(user)\n return Response(serializer.data)\n\n\n\nIf we need to, we can bind this viewset into two separate views, like so:\n\n\nuser_list = UserViewSet.as_view({'get': 'list'})\nuser_detail = UserViewSet.as_view({'get': 'retrieve'})\n\n\n\nTypically we wouldn't do this, but would instead register the viewset with a router, and allow the urlconf to be automatically generated.\n\n\nfrom myapp.views import UserViewSet\nfrom rest_framework.routers import DefaultRouter\n\nrouter = DefaultRouter()\nrouter.register(r'users', UserViewSet)\nurlpatterns = router.urls\n\n\n\nRather than writing your own viewsets, you'll often want to use the existing base classes that provide a default set of behavior. For example:\n\n\nclass UserViewSet(viewsets.ModelViewSet):\n \"\"\"\n A viewset for viewing and editing user instances.\n \"\"\"\n serializer_class = UserSerializer\n queryset = User.objects.all()\n\n\n\nThere are two main advantages of using a \nViewSet\n class over using a \nView\n class.\n\n\n\n\nRepeated logic can be combined into a single class. In the above example, we only need to specify the \nqueryset\n once, and it'll be used across multiple views.\n\n\nBy using routers, we no longer need to deal with wiring up the URL conf ourselves.\n\n\n\n\nBoth of these come with a trade-off. Using regular views and URL confs is more explicit and gives you more control. ViewSets are helpful if you want to get up and running quickly, or when you have a large API and you want to enforce a consistent URL configuration throughout.\n\n\nMarking extra actions for routing\n\n\nThe default routers included with REST framework will provide routes for a standard set of create/retrieve/update/destroy style operations, as shown below:\n\n\nclass UserViewSet(viewsets.ViewSet):\n \"\"\"\n Example empty viewset demonstrating the standard\n actions that will be handled by a router class.\n\n If you're using format suffixes, make sure to also include\n the `format=None` keyword argument for each action.\n \"\"\"\n\ndeflist(self,request):\npass\n\ndefcreate(self,request):\npass\n\ndefretrieve(self,request,pk=None):\npass\n\ndefupdate(sel
"text":"After routing has determined which controller to use for a request, your controller is responsible for making sense of the request and producing the appropriate output. Ruby on Rails Documentation Django REST framework allows you to combine the logic for a set of related views in a single class, called a ViewSet . In other frameworks you may also find conceptually similar implementations named something like 'Resources' or 'Controllers'. A ViewSet class is simply a type of class-based View, that does not provide any method handlers such as .get() or .post() , and instead provides actions such as .list() and .create() . The method handlers for a ViewSet are only bound to the corresponding actions at the point of finalizing the view, using the .as_view() method. Typically, rather than explicitly registering the views in a viewset in the urlconf, you'll register the viewset with a router class, that automatically determines the urlconf for you.",
"text":"Let's define a simple viewset that can be used to list or retrieve all the users in the system. from django.contrib.auth.models import User\nfrom django.shortcuts import get_object_or_404\nfrom myapps.serializers import UserSerializer\nfrom rest_framework import viewsets\nfrom rest_framework.response import Response\n\nclass UserViewSet(viewsets.ViewSet):\n \"\"\"\n A simple ViewSet for listing or retrieving users.\n \"\"\"\n def list(self, request):\n queryset = User.objects.all()\n serializer = UserSerializer(queryset, many=True)\n return Response(serializer.data)\n\n def retrieve(self, request, pk=None):\n queryset = User.objects.all()\n user = get_object_or_404(queryset, pk=pk)\n serializer = UserSerializer(user)\n return Response(serializer.data) If we need to, we can bind this viewset into two separate views, like so: user_list = UserViewSet.as_view({'get': 'list'})\nuser_detail = UserViewSet.as_view({'get': 'retrieve'}) Typically we wouldn't do this, but would instead register the viewset with a router, and allow the urlconf to be automatically generated. from myapp.views import UserViewSet\nfrom rest_framework.routers import DefaultRouter\n\nrouter = DefaultRouter()\nrouter.register(r'users', UserViewSet)\nurlpatterns = router.urls Rather than writing your own viewsets, you'll often want to use the existing base classes that provide a default set of behavior. For example: class UserViewSet(viewsets.ModelViewSet):\n \"\"\"\n A viewset for viewing and editing user instances.\n \"\"\"\n serializer_class = UserSerializer\n queryset = User.objects.all() There are two main advantages of using a ViewSet class over using a View class. Repeated logic can be combined into a single class. In the above example, we only need to specify the queryset once, and it'll be used across multiple views. By using routers, we no longer need to deal with wiring up the URL conf ourselves. Both of these come with a trade-off. Using regular views and URL confs is more explicit and gives you more control. ViewSets are helpful if you want to get up and running quickly, or when you have a large API and you want to enforce a consistent URL configuration throughout.",
"text":"The default routers included with REST framework will provide routes for a standard set of create/retrieve/update/destroy style operations, as shown below: class UserViewSet(viewsets.ViewSet):\n \"\"\"\n Example empty viewset demonstrating the standard\n actions that will be handled by a router class.\n\n If you're using format suffixes, make sure to also include\n the `format=None` keyword argument for each action.\n \"\"\"\n\n def list(self, request):\n pass\n\n def create(self, request):\n pass\n\n def retrieve(self, request, pk=None):\n pass\n\n def update(self, request, pk=None):\n pass\n\n def partial_update(self, request, pk=None):\n pass\n\n def destroy(self, request, pk=None):\n pass If you have ad-hoc methods that you need to be routed to, you can mark them as requiring routing using the @detail_route or @list_route decorators. The @detail_route decorator contains pk in its URL pattern and is intended for methods which require a single instance. The @list_route decorator is intended for methods which operate on a list of objects. For example: from django.contrib.auth.models import User\nfrom rest_framework import status\nfrom rest_framework import viewsets\nfrom rest_framework.decorators import detail_route, list_route\nfrom rest_framework.response import Response\nfrom myapp.serializers import UserSerializer, PasswordSerializer\n\nclass UserViewSet(viewsets.ModelViewSet):\n \"\"\"\n A viewset that provides the standard actions\n \"\"\"\n queryset = User.objects.all()\n serializer_class = UserSerializer\n\n @detail_route(methods=['post'])\n def set_password(self, request, pk=None):\n user = self.get_object()\n serializer = PasswordSerializer(data=request.data)\n if serializer.is_valid():\n user.set_password(serializer.data['password'])\n user.save()\n return Response({'status': 'password set'})\n else:\n return Response(serializer.errors,\n status=status.HTTP_400_BAD_REQUEST)\n\n @list_route()\n def recent_users(self, request):\n recent_users = User.objects.all().order('-last_login')\n\n page = self.paginate_queryset(recent_users)\n if page is not None:\n serializer = self.get_serializer(page, many=True)\n return self.get_paginated_response(serializer.data)\n\n serializer = self.get_serializer(recent_users, many=True)\n return Response(serializer.data) The decorators can additionally take extra arguments that will be set for the routed view only. For example... @detail_route(methods=['post'], permission_classes=[IsAdminOrIsSelf])\n def set_password(self, request, pk=None):\n ... These decorators will route GET requests by default, but may also accept other HTTP methods, by using the methods argument. For example: @detail_route(methods=['post', 'delete'])\n def unset_password(self, request, pk=None):\n ... The two new actions will then be available at the urls ^users/{pk}/set_password/$ and ^users/{pk}/unset_password/$",
"title":"Marking extra actions for routing"
},
{
"location":"/api-guide/viewsets/#api-reference",
"text":"",
"title":"API Reference"
},
{
"location":"/api-guide/viewsets/#viewset",
"text":"The ViewSet class inherits from APIView . You can use any of the standard attributes such as permission_classes , authentication_classes in order to control the API policy on the viewset. The ViewSet class does not provide any implementations of actions. In order to use a ViewSet class you'll override the class and define the action implementations explicitly.",
"title":"ViewSet"
},
{
"location":"/api-guide/viewsets/#genericviewset",
"text":"The GenericViewSet class inherits from GenericAPIView , and provides the default set of get_object , get_queryset methods and other generic view base behavior, but does not include any actions by default. In order to use a GenericViewSet class you'll override the class and either mixin the required mixin classes, or define the action implementations explicitly.",
"text":"The ModelViewSet class inherits from GenericAPIView and includes implementations for various actions, by mixing in the behavior of the various mixin classes. The actions provided by the ModelViewSet class are .list() , .retrieve() , .create() , .update() , .partial_update() , and .destroy() . Example Because ModelViewSet extends GenericAPIView , you'll normally need to provide at least the queryset and serializer_class attributes. For example: class AccountViewSet(viewsets.ModelViewSet):\n \"\"\"\n A simple ViewSet for viewing and editing accounts.\n \"\"\"\n queryset = Account.objects.all()\n serializer_class = AccountSerializer\n permission_classes = [IsAccountAdminOrReadOnly] Note that you can use any of the standard attributes or method overrides provided by GenericAPIView . For example, to use a ViewSet that dynamically determines the queryset it should operate on, you might do something like this: class AccountViewSet(viewsets.ModelViewSet):\n \"\"\"\n A simple ViewSet for viewing and editing the accounts\n associated with the user.\n \"\"\"\n serializer_class = AccountSerializer\n permission_classes = [IsAccountAdminOrReadOnly]\n\n def get_queryset(self):\n return self.request.user.accounts.all() Note however that upon removal of the queryset property from your ViewSet , any associated router will be unable to derive the base_name of your Model automatically, and so you will have to specify the base_name kwarg as part of your router registration . Also note that although this class provides the complete set of create/list/retrieve/update/destroy actions by default, you can restrict the available operations by using the standard permission classes.",
"text":"The ReadOnlyModelViewSet class also inherits from GenericAPIView . As with ModelViewSet it also includes implementations for various actions, but unlike ModelViewSet only provides the 'read-only' actions, .list() and .retrieve() . Example As with ModelViewSet , you'll normally need to provide at least the queryset and serializer_class attributes. For example: class AccountViewSet(viewsets.ReadOnlyModelViewSet):\n \"\"\"\n A simple ViewSet for viewing accounts.\n \"\"\"\n queryset = Account.objects.all()\n serializer_class = AccountSerializer Again, as with ModelViewSet , you can use any of the standard attributes and method overrides available to GenericAPIView .",
"text":"You may need to provide custom ViewSet classes that do not have the full set of ModelViewSet actions, or that customize the behavior in some other way.",
"title":"Custom ViewSet base classes"
},
{
"location":"/api-guide/viewsets/#example_3",
"text":"To create a base viewset class that provides create , list and retrieve operations, inherit from GenericViewSet , and mixin the required actions: class CreateListRetrieveViewSet(mixins.CreateModelMixin,\n mixins.ListModelMixin,\n mixins.RetrieveModelMixin,\n viewsets.GenericViewSet):\n \"\"\"\n A viewset that provides `retrieve`, `create`, and `list` actions.\n\n To use it, override the class and set the `.queryset` and\n `.serializer_class` attributes.\n \"\"\"\n pass By creating your own base ViewSet classes, you can provide common behavior that can be reused in multiple viewsets across your API.",
"text":"Resource routing allows you to quickly declare all of the common routes for a given resourceful controller. Instead of declaring separate routes for your index... a resourceful route declares them in a single line of code. Ruby on Rails Documentation Some Web frameworks such as Rails provide functionality for automatically determining how the URLs for an application should be mapped to the logic that deals with handling incoming requests. REST framework adds support for automatic URL routing to Django, and provides you with a simple, quick and consistent way of wiring your view logic to a set of URLs.",
"text":"This router includes routes for the standard set of list , create , retrieve , update , partial_update and destroy actions. The viewset can also mark additional methods to be routed, using the @detail_route or @list_route decorators. \n URL Style HTTP Method Action URL Name \n {prefix}/ GET list {basename}-list \n POST create \n {prefix}/{methodname}/ GET, or as specified by `methods` argument `@list_route` decorated method {basename}-{methodname} \n {prefix}/{lookup}/ GET retrieve {basename}-detail \n PUT update \n PATCH partial_update \n DELETE destroy \n {prefix}/{lookup}/{methodname}/ GET, or as specified by `methods` argument `@detail_route` decorated method {basename}-{methodname} By default the URLs created by SimpleRouter are appended with a trailing slash.\nThis behavior can be modified by setting the trailing_slash argument to False when instantiating the router. For example: router = SimpleRouter(trailing_slash=False) Trailing slashes are conventional in Django, but are not used by default in some other frameworks such as Rails. Which style you choose to use is largely a matter of preference, although some javascript frameworks may expect a particular routing style. The router will match lookup values containing any characters except slashes and period characters. For a more restrictive (or lenient) lookup pattern, set the lookup_value_regex attribute on the viewset. For example, you can limit the lookup to valid UUIDs: class MyModelViewSet(mixins.RetrieveModelMixin, viewsets.GenericViewSet):\n lookup_field = 'my_model_id'\n lookup_value_regex = '[0-9a-f]{32}'",
"title":"SimpleRouter"
},
{
"location":"/api-guide/routers/#defaultrouter",
"text":"This router is similar to SimpleRouter as above, but additionally includes a default API root view, that returns a response containing hyperlinks to all the list views. It also generates routes for optional .json style format suffixes. \n URL Style HTTP Method Action URL Name \n [.format] GET automatically generated root view api-root \n {prefix}/[.format] GET list {basename}-list \n POST create \n {prefix}/{methodname}/[.format] GET, or as specified by `methods` argument `@list_route` decorated method {basename}-{methodname} \n {prefix}/{lookup}/[.format] GET retrieve {basename}-detail \n PUT update \n PATCH partial_update \n DELETE destroy \n {prefix}/{lookup}/{methodname}/[.format] GET, or as specified by `methods` argument `@detail_route` decorated method {basename}-{methodname} As with SimpleRouter the trailing slashes on the URL routes can be removed by setting the trailing_slash argument to False when instantiating the router. router = DefaultRouter(trailing_slash=False)",
"title":"DefaultRouter"
},
{
"location":"/api-guide/routers/#custom-routers",
"text":"Implementing a custom router isn't something you'd need to do very often, but it can be useful if you have specific requirements about how the your URLs for your API are structured. Doing so allows you to encapsulate the URL structure in a reusable way that ensures you don't have to write your URL patterns explicitly for each new view. The simplest way to implement a custom router is to subclass one of the existing router classes. The .routes attribute is used to template the URL patterns that will be mapped to each viewset. The .routes attribute is a list of Route named tuples. The arguments to the Route named tuple are: url : A string representing the URL to be routed. May include the following format strings: {prefix} - The URL prefix to use for this set of routes. {lookup} - The lookup field used to match against a single instance. {trailing_slash} - Either a '/' or an empty string, depending on the trailing_slash argument. mapping : A mapping of HTTP method names to the view methods name : The name of the URL as used in reverse calls. May include the following format string: {basename} - The base to use for the URL names that are created. initkwargs : A dictionary of any additional arguments that should be passed when instantiating the view. Note that the suffix argument is reserved for identifying the viewset type, used when generating the view name and breadcrumb links.",
"text":"You can also customize how the @list_route and @detail_route decorators are routed.\nTo route either or both of these decorators, include a DynamicListRoute and/or DynamicDetailRoute named tuple in the .routes list. The arguments to DynamicListRoute and DynamicDetailRoute are: url : A string representing the URL to be routed. May include the same format strings as Route , and additionally accepts the {methodname} and {methodnamehyphen} format strings. name : The name of the URL as used in reverse calls. May include the following format strings: {basename} , {methodname} and {methodnamehyphen} . initkwargs : A dictionary of any additional arguments that should be passed when instantiating the view.",
"text":"The following example will only route to the list and retrieve actions, and does not use the trailing slash convention. from rest_framework.routers import Route, DynamicDetailRoute, SimpleRouter\n\nclass CustomReadOnlyRouter(SimpleRouter):\n \"\"\"\n A router for read-only APIs, which doesn't use trailing slashes.\n \"\"\"\n routes = [\n Route(\n url=r'^{prefix}$',\n mapping={'get': 'list'},\n name='{basename}-list',\n initkwargs={'suffix': 'List'}\n ),\n Route(\n url=r'^{prefix}/{lookup}$',\n mapping={'get': 'retrieve'},\n name='{basename}-detail',\n initkwargs={'suffix': 'Detail'}\n ),\n DynamicDetailRoute(\n url=r'^{prefix}/{lookup}/{methodnamehyphen}$',\n name='{basename}-{methodnamehyphen}',\n initkwargs={}\n )\n ] Let's take a look at the routes our CustomReadOnlyRouter would generate for a simple viewset. views.py : class UserViewSet(viewsets.ReadOnlyModelViewSet):\n \"\"\"\n A viewset that provides the standard actions\n \"\"\"\n queryset = User.objects.all()\n serializer_class = UserSerializer\n lookup_field = 'username'\n\n @detail_route()\n def group_names(self, request):\n \"\"\"\n Returns a list of all the group names that the given\n user belongs to.\n \"\"\"\n user = self.get_object()\n groups = user.groups.all()\n return Response([group.name for group in groups]) urls.py : router = CustomReadOnlyRouter()\nrouter.register('users', UserViewSet)\nurlpatterns = router.urls The following mappings would be generated... \n URL HTTP Method Action URL Name \n /users GET list user-list \n /users/{username} GET retrieve user-detail \n /users/{username}/group-names GET group_names user-group-names For another example of setting the .routes attribute, see the source code for the SimpleRouter class.",
"text":"If you want to provide totally custom behavior, you can override BaseRouter and override the get_urls(self) method. The method should inspect the registered viewsets and return a list of URL patterns. The registered prefix, viewset and basename tuples may be inspected by accessing the self.registry attribute. You may also want to override the get_default_base_name(self, viewset) method, or else always explicitly set the base_name argument when registering your viewsets with the router.",
"text":"The wq.db package provides an advanced ModelRouter class (and singleton instance) that extends DefaultRouter with a register_model() API. Much like Django's admin.site.register , the only required argument to rest.router.register_model is a model class. Reasonable defaults for a url prefix, serializer, and viewset will be inferred from the model and global configuration. from wq.db import rest\nfrom myapp.models import MyModel\n\nrest.router.register_model(MyModel)",
"title":"ModelRouter (wq.db.rest)"
},
{
"location":"/api-guide/routers/#drf-extensions",
"text":"The DRF-extensions package provides routers for creating nested viewsets , collection level controllers with customizable endpoint names .",
"text":"Parsers\n\n\n\n\nMachine interacting web services tend to use more\nstructured formats for sending data than form-encoded, since they're\nsending more complex data than simple forms\n\n\n Malcom Tredinnick, \nDjango developers group\n\n\n\n\nREST framework includes a number of built in Parser classes, that allow you to accept requests with various media types. There is also support for defining your own custom parsers, which gives you the flexibility to design the media types that your API accepts.\n\n\nHow the parser is determined\n\n\nThe set of valid parsers for a view is always defined as a list of classes. When \nrequest.data\n is accessed, REST framework will examine the \nContent-Type\n header on the incoming request, and determine which parser to use to parse the request content.\n\n\n\n\nNote\n: When developing client applications always remember to make sure you're setting the \nContent-Type\n header when sending data in an HTTP request.\n\n\nIf you don't set the content type, most clients will default to using \n'application/x-www-form-urlencoded'\n, which may not be what you wanted.\n\n\nAs an example, if you are sending \njson\n encoded data using jQuery with the \n.ajax() method\n, you should make sure to include the \ncontentType: 'application/json'\n setting.\n\n\n\n\nSetting the parsers\n\n\nThe default set of parsers may be set globally, using the \nDEFAULT_PARSER_CLASSES\n setting. For example, the following settings would allow only requests with \nJSON\n content, instead of the default of JSON or form data.\n\n\nREST_FRAMEWORK = {\n 'DEFAULT_PARSER_CLASSES': (\n 'rest_framework.parsers.JSONParser',\n )\n}\n\n\n\nYou can also set the parsers used for an individual view, or viewset,\nusing the \nAPIView\n class based views.\n\n\nfrom rest_framework.parsers import JSONParser\nfrom rest_framework.response import Response\nfrom rest_framework.views import APIView\n\nclass ExampleView(APIView):\n \"\"\"\n A view that can accept POST requests with JSON content.\n \"\"\"\n parser_classes = (JSONParser,)\n\n def post(self, request, format=None):\n return Response({'received data': request.data})\n\n\n\nOr, if you're using the \n@api_view\n decorator with function based views.\n\n\nfrom rest_framework.decorators import api_view\nfrom rest_framework.decorators import parser_classes\n\n@api_view(['POST'])\n@parser_classes((JSONParser,))\ndef example_view(request, format=None):\n \"\"\"\n A view that can accept POST requests with JSON content.\n \"\"\"\nreturnResponse({'receiveddata':request.data})\n\n\n\n\n\nAPIReference\n\n\nJSONParser\n\n\nParses\nJSON\nrequestcontent.\n\n\n.media_type\n:\napplication/json\n\n\nFormParser\n\n\nParsesHTMLformcontent.\nrequest.data\nwillbepopulatedwitha\nQueryDict\nofdata.\n\n\nYouwilltypicallywanttouseboth\nFormParser\nand\nMultiPartParser\ntogetherinordertofullysupportHTMLformdata.\n\n\n.media_type\n:\napplication/x-www-form-urlencoded\n\n\nMultiPartParser\n\n\nParsesmultipartHTMLformcontent,whichsupportsfileuploads.Both\nrequest.data\nwillbepopulatedwitha\nQueryDict\n.\n\n\nYouwilltypicallywanttouseboth\nFormParser\nand\nMultiPartParser\ntogetherinordertofullysupportHTMLformdata.\n\n\n.media_type\n:\nmultipart/form-data\n\n\nFileUploadParser\n\n\nParsesrawfileuploadcontent.The\nrequest.data\npropertywillbeadictionarywithasinglekey\n'file'\ncontainingtheuploadedfile.\n\n\nIftheviewusedwith\nFileUploadParser\niscalledwitha\nfilename\nURLkeywordargument,thenthatargumentwillbeusedasthefilename.Ifitiscalledwithouta\nfilename\nURLkeywordargument,thentheclientmustsetthefilenameinthe\nContent-Disposition\nHTTPheader.Forexample\nContent-Disposition:attachment;filename=upload.jpg\n.\n\n\n.media_type\n:\n*/*\n\n\nNotes:\n\n\n\n\nThe\nFileUploadParser\nisforusagewithnativeclientsthatcanuploadthefileasarawdatarequest.Forweb-baseduploads,orfornativ
"text":"Machine interacting web services tend to use more\nstructured formats for sending data than form-encoded, since they're\nsending more complex data than simple forms Malcom Tredinnick, Django developers group REST framework includes a number of built in Parser classes, that allow you to accept requests with various media types. There is also support for defining your own custom parsers, which gives you the flexibility to design the media types that your API accepts.",
"text":"The set of valid parsers for a view is always defined as a list of classes. When request.data is accessed, REST framework will examine the Content-Type header on the incoming request, and determine which parser to use to parse the request content. Note : When developing client applications always remember to make sure you're setting the Content-Type header when sending data in an HTTP request. If you don't set the content type, most clients will default to using 'application/x-www-form-urlencoded' , which may not be what you wanted. As an example, if you are sending json encoded data using jQuery with the .ajax() method , you should make sure to include the contentType: 'application/json' setting.",
"text":"The default set of parsers may be set globally, using the DEFAULT_PARSER_CLASSES setting. For example, the following settings would allow only requests with JSON content, instead of the default of JSON or form data. REST_FRAMEWORK = {\n 'DEFAULT_PARSER_CLASSES': (\n 'rest_framework.parsers.JSONParser',\n )\n} You can also set the parsers used for an individual view, or viewset,\nusing the APIView class based views. from rest_framework.parsers import JSONParser\nfrom rest_framework.response import Response\nfrom rest_framework.views import APIView\n\nclass ExampleView(APIView):\n \"\"\"\n A view that can accept POST requests with JSON content.\n \"\"\"\n parser_classes = (JSONParser,)\n\n def post(self, request, format=None):\n return Response({'received data': request.data}) Or, if you're using the @api_view decorator with function based views. from rest_framework.decorators import api_view\nfrom rest_framework.decorators import parser_classes\n\n@api_view(['POST'])\n@parser_classes((JSONParser,))\ndef example_view(request, format=None):\n \"\"\"\n A view that can accept POST requests with JSON content.\n \"\"\"\n return Response({'received data': request.data})",
"text":"Parses HTML form content. request.data will be populated with a QueryDict of data. You will typically want to use both FormParser and MultiPartParser together in order to fully support HTML form data. .media_type : application/x-www-form-urlencoded",
"title":"FormParser"
},
{
"location":"/api-guide/parsers/#multipartparser",
"text":"Parses multipart HTML form content, which supports file uploads. Both request.data will be populated with a QueryDict . You will typically want to use both FormParser and MultiPartParser together in order to fully support HTML form data. .media_type : multipart/form-data",
"text":"Parses raw file upload content. The request.data property will be a dictionary with a single key 'file' containing the uploaded file. If the view used with FileUploadParser is called with a filename URL keyword argument, then that argument will be used as the filename. If it is called without a filename URL keyword argument, then the client must set the filename in the Content-Disposition HTTP header. For example Content-Disposition: attachment; filename=upload.jpg . .media_type : */* Notes: The FileUploadParser is for usage with native clients that can upload the file as a raw data request. For web-based uploads, or for native clients with multipart upload support, you should use the MultiPartParser parser instead. Since this parser's media_type matches any content type, FileUploadParser should generally be the only parser set on an API view. FileUploadParser respects Django's standard FILE_UPLOAD_HANDLERS setting, and the request.upload_handlers attribute. See the Django documentation for more details. Basic usage example: class FileUploadView(views.APIView):\n parser_classes = (FileUploadParser,)\n\n def put(self, request, filename, format=None):\n file_obj = request.data['file']\n # ...\n # do some stuff with uploaded file\n # ...\n return Response(status=204)",
"title":"FileUploadParser"
},
{
"location":"/api-guide/parsers/#custom-parsers",
"text":"To implement a custom parser, you should override BaseParser , set the .media_type property, and implement the .parse(self, stream, media_type, parser_context) method. The method should return the data that will be used to populate the request.data property. The arguments passed to .parse() are: stream A stream-like object representing the body of the request. media_type Optional. If provided, this is the media type of the incoming request content. Depending on the request's Content-Type: header, this may be more specific than the renderer's media_type attribute, and may include media type parameters. For example \"text/plain; charset=utf-8\" . parser_context Optional. If supplied, this argument will be a dictionary containing any additional context that may be required to parse the request content. By default this will include the following keys: view , request , args , kwargs .",
"text":"The following is an example plaintext parser that will populate the request.data property with a string representing the body of the request. class PlainTextParser(BaseParser):\n \"\"\"\n Plain text parser.\n \"\"\"\n media_type = 'text/plain'\n\n def parse(self, stream, media_type=None, parser_context=None):\n \"\"\"\n Simply return a string representing the body of the request.\n \"\"\"\n return stream.read()",
"text":"The following third party packages are also available.",
"title":"Third party packages"
},
{
"location":"/api-guide/parsers/#yaml",
"text":"REST framework YAML provides YAML parsing and rendering support. It was previously included directly in the REST framework package, and is now instead supported as a third-party package. Installation configuration Install using pip. $ pip install djangorestframework-yaml Modify your REST framework settings. REST_FRAMEWORK = {\n 'DEFAULT_PARSER_CLASSES': (\n 'rest_framework_yaml.parsers.YAMLParser',\n ),\n 'DEFAULT_RENDERER_CLASSES': (\n 'rest_framework_yaml.renderers.YAMLRenderer',\n ),\n}",
"title":"YAML"
},
{
"location":"/api-guide/parsers/#xml",
"text":"REST Framework XML provides a simple informal XML format. It was previously included directly in the REST framework package, and is now instead supported as a third-party package. Installation configuration Install using pip. $ pip install djangorestframework-xml Modify your REST framework settings. REST_FRAMEWORK = {\n 'DEFAULT_PARSER_CLASSES': (\n 'rest_framework_xml.parsers.XMLParser',\n ),\n 'DEFAULT_RENDERER_CLASSES': (\n 'rest_framework_xml.renderers.XMLRenderer',\n ),\n}",
"title":"XML"
},
{
"location":"/api-guide/parsers/#messagepack",
"text":"MessagePack is a fast, efficient binary serialization format. Juan Riaza maintains the djangorestframework-msgpack package which provides MessagePack renderer and parser support for REST framework.",
"title":"MessagePack"
},
{
"location":"/api-guide/parsers/#camelcase-json",
"text":"djangorestframework-camel-case provides camel case JSON renderers and parsers for REST framework. This allows serializers to use Python-style underscored field names, but be exposed in the API as Javascript-style camel case field names. It is maintained by Vitaly Babiy .",
"text":"Renderers\n\n\n\n\nBefore a TemplateResponse instance can be returned to the client, it must be rendered. The rendering process takes the intermediate representation of template and context, and turns it into the final byte stream that can be served to the client.\n\n\n \nDjango documentation\n\n\n\n\nREST framework includes a number of built in Renderer classes, that allow you to return responses with various media types. There is also support for defining your own custom renderers, which gives you the flexibility to design your own media types.\n\n\nHow the renderer is determined\n\n\nThe set of valid renderers for a view is always defined as a list of classes. When a view is entered REST framework will perform content negotiation on the incoming request, and determine the most appropriate renderer to satisfy the request.\n\n\nThe basic process of content negotiation involves examining the request's \nAccept\n header, to determine which media types it expects in the response. Optionally, format suffixes on the URL may be used to explicitly request a particular representation. For example the URL \nhttp://example.com/api/users_count.json\n might be an endpoint that always returns JSON data.\n\n\nFor more information see the documentation on \ncontent negotiation\n.\n\n\nSetting the renderers\n\n\nThe default set of renderers may be set globally, using the \nDEFAULT_RENDERER_CLASSES\n setting. For example, the following settings would use \nJSON\n as the main media type and also include the self describing API.\n\n\nREST_FRAMEWORK = {\n 'DEFAULT_RENDERER_CLASSES': (\n 'rest_framework.renderers.JSONRenderer',\n 'rest_framework.renderers.BrowsableAPIRenderer',\n )\n}\n\n\n\nYou can also set the renderers used for an individual view, or viewset,\nusing the \nAPIView\n class based views.\n\n\nfrom django.contrib.auth.models import User\nfrom rest_framework.renderers import JSONRenderer\nfrom rest_framework.response import Response\nfrom rest_framework.views import APIView\n\nclass UserCountView(APIView):\n \"\"\"\n A view that returns the count of active users in JSON.\n \"\"\"\n renderer_classes = (JSONRenderer, )\n\n def get(self, request, format=None):\n user_count = User.objects.filter(active=True).count()\n content = {'user_count': user_count}\n return Response(content)\n\n\n\nOr, if you're using the \n@api_view\n decorator with function based views.\n\n\n@api_view(['GET'])\n@renderer_classes((JSONRenderer,))\ndef user_count_view(request, format=None):\n \"\"\"\n A view that returns the count of active users in JSON.\n \"\"\"\n user_count = User.objects.filter(active=True).count()\n content = {'user_count': user_count}\n return Response(content)\n\n\n\nOrdering of renderer classes\n\n\nIt's important when specifying the renderer classes for your API to think about what priority you want to assign to each media type. If a client underspecifies the representations it can accept, such as sending an \nAccept: */*\n header, or not including an \nAccept\n header at all, then REST framework will select the first renderer in the list to use for the response.\n\n\nFor example if your API serves JSON responses and the HTML browsable API, you might want to make \nJSONRenderer\n your default renderer, in order to send \nJSON\n responses to clients that do not specify an \nAccept\n header.\n\n\nIf your API includes views that can serve both regular webpages and API responses depending on the request, then you might consider making \nTemplateHTMLRenderer\n your default renderer, in order to play nicely with older browsers that send \nbroken accept headers\n.\n\n\n\n\nAPI Reference\n\n\nJSONRenderer\n\n\nRenders the request data into \nJSON\n, using utf-8 encoding.\n\n\nNote that the default style is to include unicode characters, and render the response using a compact style with no unnecessary whitespace:\n\n\n{\"unicode black star\":\"\u2605\",\"value\":999}\n\n\n\nTheclientmayadditionallyincludean\n'indent'\nmediatypepara
"text":"Before a TemplateResponse instance can be returned to the client, it must be rendered. The rendering process takes the intermediate representation of template and context, and turns it into the final byte stream that can be served to the client. Django documentation REST framework includes a number of built in Renderer classes, that allow you to return responses with various media types. There is also support for defining your own custom renderers, which gives you the flexibility to design your own media types.",
"text":"The set of valid renderers for a view is always defined as a list of classes. When a view is entered REST framework will perform content negotiation on the incoming request, and determine the most appropriate renderer to satisfy the request. The basic process of content negotiation involves examining the request's Accept header, to determine which media types it expects in the response. Optionally, format suffixes on the URL may be used to explicitly request a particular representation. For example the URL http://example.com/api/users_count.json might be an endpoint that always returns JSON data. For more information see the documentation on content negotiation .",
"text":"The default set of renderers may be set globally, using the DEFAULT_RENDERER_CLASSES setting. For example, the following settings would use JSON as the main media type and also include the self describing API. REST_FRAMEWORK = {\n 'DEFAULT_RENDERER_CLASSES': (\n 'rest_framework.renderers.JSONRenderer',\n 'rest_framework.renderers.BrowsableAPIRenderer',\n )\n} You can also set the renderers used for an individual view, or viewset,\nusing the APIView class based views. from django.contrib.auth.models import User\nfrom rest_framework.renderers import JSONRenderer\nfrom rest_framework.response import Response\nfrom rest_framework.views import APIView\n\nclass UserCountView(APIView):\n \"\"\"\n A view that returns the count of active users in JSON.\n \"\"\"\n renderer_classes = (JSONRenderer, )\n\n def get(self, request, format=None):\n user_count = User.objects.filter(active=True).count()\n content = {'user_count': user_count}\n return Response(content) Or, if you're using the @api_view decorator with function based views. @api_view(['GET'])\n@renderer_classes((JSONRenderer,))\ndef user_count_view(request, format=None):\n \"\"\"\n A view that returns the count of active users in JSON.\n \"\"\"\n user_count = User.objects.filter(active=True).count()\n content = {'user_count': user_count}\n return Response(content)",
"text":"It's important when specifying the renderer classes for your API to think about what priority you want to assign to each media type. If a client underspecifies the representations it can accept, such as sending an Accept: */* header, or not including an Accept header at all, then REST framework will select the first renderer in the list to use for the response. For example if your API serves JSON responses and the HTML browsable API, you might want to make JSONRenderer your default renderer, in order to send JSON responses to clients that do not specify an Accept header. If your API includes views that can serve both regular webpages and API responses depending on the request, then you might consider making TemplateHTMLRenderer your default renderer, in order to play nicely with older browsers that send broken accept headers .",
"title":"Ordering of renderer classes"
},
{
"location":"/api-guide/renderers/#api-reference",
"text":"",
"title":"API Reference"
},
{
"location":"/api-guide/renderers/#jsonrenderer",
"text":"Renders the request data into JSON , using utf-8 encoding. Note that the default style is to include unicode characters, and render the response using a compact style with no unnecessary whitespace: {\"unicode black star\":\"\u2605\",\"value\":999} The client may additionally include an 'indent' media type parameter, in which case the returned JSON will be indented. For example Accept: application/json; indent=4 . {\n \"unicode black star\": \"\u2605\",\n \"value\": 999\n} The default JSON encoding style can be altered using the UNICODE_JSON and COMPACT_JSON settings keys. .media_type : application/json .format : '.json' .charset : None",
"text":"Renders data to HTML, using Django's standard template rendering.\nUnlike other renderers, the data passed to the Response does not need to be serialized. Also, unlike other renderers, you may want to include a template_name argument when creating the Response . The TemplateHTMLRenderer will create a RequestContext , using the response.data as the context dict, and determine a template name to use to render the context. The template name is determined by (in order of preference): An explicit template_name argument passed to the response. An explicit .template_name attribute set on this class. The return result of calling view.get_template_names() . An example of a view that uses TemplateHTMLRenderer : class UserDetail(generics.RetrieveAPIView):\n \"\"\"\n A view that returns a templated HTML representation of a given user.\n \"\"\"\n queryset = User.objects.all()\n renderer_classes = (TemplateHTMLRenderer,)\n\n def get(self, request, *args, **kwargs):\n self.object = self.get_object()\n return Response({'user': self.object}, template_name='user_detail.html') You can use TemplateHTMLRenderer either to return regular HTML pages using REST framework, or to return both HTML and API responses from a single endpoint. If you're building websites that use TemplateHTMLRenderer along with other renderer classes, you should consider listing TemplateHTMLRenderer as the first class in the renderer_classes list, so that it will be prioritised first even for browsers that send poorly formed ACCEPT: headers. .media_type : text/html .format : '.html' .charset : utf-8 See also: StaticHTMLRenderer",
"text":"A simple renderer that simply returns pre-rendered HTML. Unlike other renderers, the data passed to the response object should be a string representing the content to be returned. An example of a view that uses StaticHTMLRenderer : @api_view(('GET',))\n@renderer_classes((StaticHTMLRenderer,))\ndef simple_html_view(request):\n data = ' html body h1 Hello, world /h1 /body /html '\n return Response(data) You can use StaticHTMLRenderer either to return regular HTML pages using REST framework, or to return both HTML and API responses from a single endpoint. .media_type : text/html .format : '.html' .charset : utf-8 See also: TemplateHTMLRenderer",
"text":"Renders data into HTML for the Browsable API: This renderer will determine which other renderer would have been given highest priority, and use that to display an API style response within the HTML page. .media_type : text/html .format : '.api' .charset : utf-8 .template : 'rest_framework/api.html' Customizing BrowsableAPIRenderer By default the response content will be rendered with the highest priority renderer apart from BrowsableAPIRenderer . If you need to customize this behavior, for example to use HTML as the default return format, but use JSON in the browsable API, you can do so by overriding the get_default_renderer() method. For example: class CustomBrowsableAPIRenderer(BrowsableAPIRenderer):\n def get_default_renderer(self, view):\n return JSONRenderer()",
"text":"Renders data into HTML for an admin-like display: This renderer is suitable for CRUD-style web APIs that should also present a user-friendly interface for managing the data. Note that views that have nested or list serializers for their input won't work well with the AdminRenderer , as the HTML forms are unable to properly support them. Note : The AdminRenderer is only able to include links to detail pages when a properly configured URL_FIELD_NAME ( url by default) attribute is present in the data. For HyperlinkedModelSerializer this will be the case, but for ModelSerializer or plain Serializer classes you'll need to make sure to include the field explicitly. For example here we use models get_absolute_url method: class AccountSerializer(serializers.ModelSerializer):\n url = serializers.CharField(source='get_absolute_url', read_only=True)\n\n class Meta:\n model = Account .media_type : text/html .format : '.admin' .charset : utf-8 .template : 'rest_framework/admin.html'",
"text":"Renders data returned by a serializer into an HTML form. The output of this renderer does not include the enclosing form tags, a hidden CSRF input or any submit buttons. This renderer is not intended to be used directly, but can instead be used in templates by passing a serializer instance to the render_form template tag. {% load rest_framework %} form action=\"/submit-report/\" method=\"post\" \n {% csrf_token %}\n {% render_form serializer %}\n input type=\"submit\" value=\"Save\" / /form For more information see the HTML Forms documentation. .media_type : text/html .format : '.form' .charset : utf-8 .template : 'rest_framework/horizontal/form.html'",
"text":"This renderer is used for rendering HTML multipart form data. It is not suitable as a response renderer , but is instead used for creating test requests, using REST framework's test client and test request factory . .media_type : multipart/form-data; boundary=BoUnDaRyStRiNg .format : '.multipart' .charset : utf-8",
"text":"To implement a custom renderer, you should override BaseRenderer , set the .media_type and .format properties, and implement the .render(self, data, media_type=None, renderer_context=None) method. The method should return a bytestring, which will be used as the body of the HTTP response. The arguments passed to the .render() method are: data The request data, as set by the Response() instantiation. media_type=None Optional. If provided, this is the accepted media type, as determined by the content negotiation stage. Depending on the client's Accept: header, this may be more specific than the renderer's media_type attribute, and may include media type parameters. For example \"application/json; nested=true\" . renderer_context=None Optional. If provided, this is a dictionary of contextual information provided by the view. By default this will include the following keys: view , request , response , args , kwargs .",
"title":"Custom renderers"
},
{
"location":"/api-guide/renderers/#example",
"text":"The following is an example plaintext renderer that will return a response with the data parameter as the content of the response. from django.utils.encoding import smart_unicode\nfrom rest_framework import renderers\n\n\nclass PlainTextRenderer(renderers.BaseRenderer):\n media_type = 'text/plain'\n format = 'txt'\n\n def render(self, data, media_type=None, renderer_context=None):\n return data.encode(self.charset)",
"text":"By default renderer classes are assumed to be using the UTF-8 encoding. To use a different encoding, set the charset attribute on the renderer. class PlainTextRenderer(renderers.BaseRenderer):\n media_type = 'text/plain'\n format = 'txt'\n charset = 'iso-8859-1'\n\n def render(self, data, media_type=None, renderer_context=None):\n return data.encode(self.charset) Note that if a renderer class returns a unicode string, then the response content will be coerced into a bytestring by the Response class, with the charset attribute set on the renderer used to determine the encoding. If the renderer returns a bytestring representing raw binary content, you should set a charset value of None , which will ensure the Content-Type header of the response will not have a charset value set. In some cases you may also want to set the render_style attribute to 'binary' . Doing so will also ensure that the browsable API will not attempt to display the binary content as a string. class JPEGRenderer(renderers.BaseRenderer):\n media_type = 'image/jpeg'\n format = 'jpg'\n charset = None\n render_style = 'binary'\n\n def render(self, data, media_type=None, renderer_context=None):\n return data",
"text":"You can do some pretty flexible things using REST framework's renderers. Some examples... Provide either flat or nested representations from the same endpoint, depending on the requested media type. Serve both regular HTML webpages, and JSON based API responses from the same endpoints. Specify multiple types of HTML representation for API clients to use. Underspecify a renderer's media type, such as using media_type = 'image/*' , and use the Accept header to vary the encoding of the response.",
"text":"In some cases you might want your view to use different serialization styles depending on the accepted media type. If you need to do this you can access request.accepted_renderer to determine the negotiated renderer that will be used for the response. For example: @api_view(('GET',))\n@renderer_classes((TemplateHTMLRenderer, JSONRenderer))\ndef list_users(request):\n \"\"\"\n A view that can return JSON or HTML representations\n of the users in the system.\n \"\"\"\n queryset = Users.objects.filter(active=True)\n\n if request.accepted_renderer.format == 'html':\n # TemplateHTMLRenderer takes a context dict,\n # and additionally requires a 'template_name'.\n # It does not require serialization.\n data = {'users': queryset}\n return Response(data, template_name='list_users.html')\n\n # JSONRenderer requires serialized data as normal.\n serializer = UserSerializer(instance=queryset)\n data = serializer.data\n return Response(data)",
"text":"In some cases you might want a renderer to serve a range of media types.\nIn this case you can underspecify the media types it should respond to, by using a media_type value such as image/* , or */* . If you underspecify the renderer's media type, you should make sure to specify the media type explicitly when you return the response, using the content_type attribute. For example: return Response(data, content_type='image/png')",
"text":"For the purposes of many Web APIs, simple JSON responses with hyperlinked relations may be sufficient. If you want to fully embrace RESTful design and HATEOAS you'll need to consider the design and usage of your media types in more detail. In the words of Roy Fielding , \"A REST API should spend almost all of its descriptive effort in defining the media type(s) used for representing resources and driving application state, or in defining extended relation names and/or hypertext-enabled mark-up for existing standard media types.\". For good examples of custom media types, see GitHub's use of a custom application/vnd.github+json media type, and Mike Amundsen's IANA approved application/vnd.collection+json JSON-based hypermedia.",
"text":"Typically a renderer will behave the same regardless of if it's dealing with a regular response, or with a response caused by an exception being raised, such as an Http404 or PermissionDenied exception, or a subclass of APIException . If you're using either the TemplateHTMLRenderer or the StaticHTMLRenderer and an exception is raised, the behavior is slightly different, and mirrors Django's default handling of error views . Exceptions raised and handled by an HTML renderer will attempt to render using one of the following methods, by order of precedence. Load and render a template named {status_code}.html . Load and render a template named api_exception.html . Render the HTTP status code and text, for example \"404 Not Found\". Templates will render with a RequestContext which includes the status_code and details keys. Note : If DEBUG=True , Django's standard traceback error page will be displayed instead of rendering the HTTP status code and text.",
"text":"The following third party packages are also available.",
"title":"Third party packages"
},
{
"location":"/api-guide/renderers/#yaml",
"text":"REST framework YAML provides YAML parsing and rendering support. It was previously included directly in the REST framework package, and is now instead supported as a third-party package. Installation configuration Install using pip. $ pip install djangorestframework-yaml Modify your REST framework settings. REST_FRAMEWORK = {\n 'DEFAULT_PARSER_CLASSES': (\n 'rest_framework_yaml.parsers.YAMLParser',\n ),\n 'DEFAULT_RENDERER_CLASSES': (\n 'rest_framework_yaml.renderers.YAMLRenderer',\n ),\n}",
"title":"YAML"
},
{
"location":"/api-guide/renderers/#xml",
"text":"REST Framework XML provides a simple informal XML format. It was previously included directly in the REST framework package, and is now instead supported as a third-party package. Installation configuration Install using pip. $ pip install djangorestframework-xml Modify your REST framework settings. REST_FRAMEWORK = {\n 'DEFAULT_PARSER_CLASSES': (\n 'rest_framework_xml.parsers.XMLParser',\n ),\n 'DEFAULT_RENDERER_CLASSES': (\n 'rest_framework_xml.renderers.XMLRenderer',\n ),\n}",
"title":"XML"
},
{
"location":"/api-guide/renderers/#jsonp",
"text":"REST framework JSONP provides JSONP rendering support. It was previously included directly in the REST framework package, and is now instead supported as a third-party package. Warning : If you require cross-domain AJAX requests, you should generally be using the more modern approach of CORS as an alternative to JSONP . See the CORS documentation for more details. The jsonp approach is essentially a browser hack, and is only appropriate for globally readable API endpoints , where GET requests are unauthenticated and do not require any user permissions. Installation configuration Install using pip. $ pip install djangorestframework-jsonp Modify your REST framework settings. REST_FRAMEWORK = {\n 'DEFAULT_RENDERER_CLASSES': (\n 'rest_framework_jsonp.renderers.JSONPRenderer',\n ),\n}",
"title":"JSONP"
},
{
"location":"/api-guide/renderers/#messagepack",
"text":"MessagePack is a fast, efficient binary serialization format. Juan Riaza maintains the djangorestframework-msgpack package which provides MessagePack renderer and parser support for REST framework.",
"title":"MessagePack"
},
{
"location":"/api-guide/renderers/#csv",
"text":"Comma-separated values are a plain-text tabular data format, that can be easily imported into spreadsheet applications. Mjumbe Poe maintains the djangorestframework-csv package which provides CSV renderer support for REST framework.",
"title":"CSV"
},
{
"location":"/api-guide/renderers/#ultrajson",
"text":"UltraJSON is an optimized C JSON encoder which can give significantly faster JSON rendering. Jacob Haslehurst maintains the drf-ujson-renderer package which implements JSON rendering using the UJSON package.",
"text":"djangorestframework-camel-case provides camel case JSON renderers and parsers for REST framework. This allows serializers to use Python-style underscored field names, but be exposed in the API as Javascript-style camel case field names. It is maintained by Vitaly Babiy .",
"text":"Django REST Pandas provides a serializer and renderers that support additional data processing and output via the Pandas DataFrame API. Django REST Pandas includes renderers for Pandas-style CSV files, Excel workbooks (both .xls and .xlsx ), and a number of other formats . It is maintained by S. Andrew Sheppard as part of the wq Project .",
"text":"Serializers\n\n\n\n\nExpanding the usefulness of the serializers is something that we would\nlike to address. However, it's not a trivial problem, and it\nwill take some serious design work.\n\n\n Russell Keith-Magee, \nDjango users group\n\n\n\n\nSerializers allow complex data such as querysets and model instances to be converted to native Python datatypes that can then be easily rendered into \nJSON\n, \nXML\n or other content types. Serializers also provide deserialization, allowing parsed data to be converted back into complex types, after first validating the incoming data.\n\n\nThe serializers in REST framework work very similarly to Django's \nForm\n and \nModelForm\n classes. We provide a \nSerializer\n class which gives you a powerful, generic way to control the output of your responses, as well as a \nModelSerializer\n class which provides a useful shortcut for creating serializers that deal with model instances and querysets.\n\n\nDeclaring Serializers\n\n\nLet's start by creating a simple object we can use for example purposes:\n\n\nfrom datetime import datetime\n\nclass Comment(object):\n def __init__(self, email, content, created=None):\n self.email = email\n self.content = content\n self.created = created or datetime.now()\n\ncomment = Comment(email='leila@example.com', content='foo bar')\n\n\n\nWe'll declare a serializer that we can use to serialize and deserialize data that corresponds to \nComment\n objects.\n\n\nDeclaring a serializer looks very similar to declaring a form:\n\n\nfrom rest_framework import serializers\n\nclass CommentSerializer(serializers.Serializer):\n email = serializers.EmailField()\n content = serializers.CharField(max_length=200)\n created = serializers.DateTimeField()\n\n\n\nSerializing objects\n\n\nWe can now use \nCommentSerializer\n to serialize a comment, or list of comments. Again, using the \nSerializer\n class looks a lot like using a \nForm\n class.\n\n\nserializer = CommentSerializer(comment)\nserializer.data\n# {'email': 'leila@example.com', 'content': 'foo bar', 'created': '2016-01-27T15:17:10.375877'}\n\n\n\nAt this point we've translated the model instance into Python native datatypes. To finalise the serialization process we render the data into \njson\n.\n\n\nfrom rest_framework.renderers import JSONRenderer\n\njson = JSONRenderer().render(serializer.data)\njson\n# b'{\"email\":\"leila@example.com\",\"content\":\"foo bar\",\"created\":\"2016-01-27T15:17:10.375877\"}'\n\n\n\nDeserializingobjects\n\n\nDeserializationissimilar.FirstweparseastreamintoPythonnativedatatypes...\n\n\nfromdjango.utils.siximportBytesIO\nfromrest_framework.parsersimportJSONParser\n\nstream=BytesIO(json)\ndata=JSONParser().parse(stream)\n\n\n\n...thenwerestorethosenativedatatypesintoadictionaryofvalidateddata.\n\n\nserializer=CommentSerializer(data=data)\nserializer.is_valid()\n#True\nserializer.validated_data\n#{'content':'foobar','email':'leila@example.com','created':datetime.datetime(2012,08,22,16,20,09,822243)}\n\n\n\nSavinginstances\n\n\nIfwewanttobeabletoreturncompleteobjectinstancesbasedonthevalidateddataweneedtoimplementoneorbothofthe\n.create()\nand\nupdate()\nmethods.Forexample:\n\n\nclassCommentSerializer(serializers.Serializer):\nemail=serializers.EmailField()\ncontent=serializers.CharField(max_length=200)\ncreated=serializers.DateTimeField()\n\ndefcreate(self,validated_data):\nreturnComment(**validated_data)\n\ndefupdate(self,instance,validated_data):\ninstance.email=validated_data.get('email',instance.email)\ninstance.content=validated_data.get('content',instance.content)\ninstance.created=validated_data.get('created',instance.created)\nreturninstance\n\n\n\nIfyourobjectinstancescorrespondtoDjangomodelsyou'llalsowanttoensurethatthesemethodssavetheobjecttothedatabase.Forexample,if\nComment\nwasaDjangomodel,themethodsmightlooklike
"text":"Expanding the usefulness of the serializers is something that we would\nlike to address. However, it's not a trivial problem, and it\nwill take some serious design work. Russell Keith-Magee, Django users group Serializers allow complex data such as querysets and model instances to be converted to native Python datatypes that can then be easily rendered into JSON , XML or other content types. Serializers also provide deserialization, allowing parsed data to be converted back into complex types, after first validating the incoming data. The serializers in REST framework work very similarly to Django's Form and ModelForm classes. We provide a Serializer class which gives you a powerful, generic way to control the output of your responses, as well as a ModelSerializer class which provides a useful shortcut for creating serializers that deal with model instances and querysets.",
"text":"Let's start by creating a simple object we can use for example purposes: from datetime import datetime\n\nclass Comment(object):\n def __init__(self, email, content, created=None):\n self.email = email\n self.content = content\n self.created = created or datetime.now()\n\ncomment = Comment(email='leila@example.com', content='foo bar') We'll declare a serializer that we can use to serialize and deserialize data that corresponds to Comment objects. Declaring a serializer looks very similar to declaring a form: from rest_framework import serializers\n\nclass CommentSerializer(serializers.Serializer):\n email = serializers.EmailField()\n content = serializers.CharField(max_length=200)\n created = serializers.DateTimeField()",
"text":"We can now use CommentSerializer to serialize a comment, or list of comments. Again, using the Serializer class looks a lot like using a Form class. serializer = CommentSerializer(comment)\nserializer.data\n# {'email': 'leila@example.com', 'content': 'foo bar', 'created': '2016-01-27T15:17:10.375877'} At this point we've translated the model instance into Python native datatypes. To finalise the serialization process we render the data into json . from rest_framework.renderers import JSONRenderer\n\njson = JSONRenderer().render(serializer.data)\njson\n# b'{\"email\":\"leila@example.com\",\"content\":\"foo bar\",\"created\":\"2016-01-27T15:17:10.375877\"}'",
"text":"Deserialization is similar. First we parse a stream into Python native datatypes... from django.utils.six import BytesIO\nfrom rest_framework.parsers import JSONParser\n\nstream = BytesIO(json)\ndata = JSONParser().parse(stream) ...then we restore those native datatypes into a dictionary of validated data. serializer = CommentSerializer(data=data)\nserializer.is_valid()\n# True\nserializer.validated_data\n# {'content': 'foo bar', 'email': 'leila@example.com', 'created': datetime.datetime(2012, 08, 22, 16, 20, 09, 822243)}",
"text":"If we want to be able to return complete object instances based on the validated data we need to implement one or both of the .create() and update() methods. For example: class CommentSerializer(serializers.Serializer):\n email = serializers.EmailField()\n content = serializers.CharField(max_length=200)\n created = serializers.DateTimeField()\n\n def create(self, validated_data):\n return Comment(**validated_data)\n\n def update(self, instance, validated_data):\n instance.email = validated_data.get('email', instance.email)\n instance.content = validated_data.get('content', instance.content)\n instance.created = validated_data.get('created', instance.created)\n return instance If your object instances correspond to Django models you'll also want to ensure that these methods save the object to the database. For example, if Comment was a Django model, the methods might look like this: def create(self, validated_data):\n return Comment.objects.create(**validated_data)\n\n def update(self, instance, validated_data):\n instance.email = validated_data.get('email', instance.email)\n instance.content = validated_data.get('content', instance.content)\n instance.created = validated_data.get('created', instance.created)\n instance.save()\n return instance Now when deserializing data, we can call .save() to return an object instance, based on the validated data. comment = serializer.save() Calling .save() will either create a new instance, or update an existing instance, depending on if an existing instance was passed when instantiating the serializer class: # .save() will create a new instance.\nserializer = CommentSerializer(data=data)\n\n# .save() will update the existing `comment` instance.\nserializer = CommentSerializer(comment, data=data) Both the .create() and .update() methods are optional. You can implement either neither, one, or both of them, depending on the use-case for your serializer class. Passing additional attributes to .save() Sometimes you'll want your view code to be able to inject additional data at the point of saving the instance. This additional data might include information like the current user, the current time, or anything else that is not part of the request data. You can do so by including additional keyword arguments when calling .save() . For example: serializer.save(owner=request.user) Any additional keyword arguments will be included in the validated_data argument when .create() or .update() are called. Overriding .save() directly. In some cases the .create() and .update() method names may not be meaningful. For example, in a contact form we may not be creating new instances, but instead sending an email or other message. In these cases you might instead choose to override .save() directly, as being more readable and meaningful. For example: class ContactForm(serializers.Serializer):\n email = serializers.EmailField()\n message = serializers.CharField()\n\n def save(self):\n email = self.validated_data['email']\n message = self.validated_data['message']\n send_email(from=email, message=message) Note that in the case above we're now having to access the serializer .validated_data property directly.",
"text":"When deserializing data, you always need to call is_valid() before attempting to access the validated data, or save an object instance. If any validation errors occur, the .errors property will contain a dictionary representing the resulting error messages. For example: serializer = CommentSerializer(data={'email': 'foobar', 'content': 'baz'})\nserializer.is_valid()\n# False\nserializer.errors\n# {'email': [u'Enter a valid e-mail address.'], 'created': [u'This field is required.']} Each key in the dictionary will be the field name, and the values will be lists of strings of any error messages corresponding to that field. The non_field_errors key may also be present, and will list any general validation errors. The name of the non_field_errors key may be customized using the NON_FIELD_ERRORS_KEY REST framework setting. When deserializing a list of items, errors will be returned as a list of dictionaries representing each of the deserialized items. Raising an exception on invalid data The .is_valid() method takes an optional raise_exception flag that will cause it to raise a serializers.ValidationError exception if there are validation errors. These exceptions are automatically dealt with by the default exception handler that REST framework provides, and will return HTTP 400 Bad Request responses by default. # Return a 400 response if the data was invalid.\nserializer.is_valid(raise_exception=True) Field-level validation You can specify custom field-level validation by adding .validate_ field_name methods to your Serializer subclass. These are similar to the .clean_ field_name methods on Django forms. These methods take a single argument, which is the field value that requires validation. Your validate_ field_name methods should return the validated value or raise a serializers.ValidationError . For example: from rest_framework import serializers\n\nclass BlogPostSerializer(serializers.Serializer):\n title = serializers.CharField(max_length=100)\n content = serializers.CharField()\n\n def validate_title(self, value):\n \"\"\"\n Check that the blog post is about Django.\n \"\"\"\n if 'django' not in value.lower():\n raise serializers.ValidationError(\"Blog post is not about Django\")\n return value Note: If your field_name is declared on your serializer with the parameter required=False then this validation step will not take place if the field is not included. Object-level validation To do any other validation that requires access to multiple fields, add a method called .validate() to your Serializer subclass. This method takes a single argument, which is a dictionary of field values. It should raise a ValidationError if necessary, or just return the validated values. For example: from rest_framework import serializers\n\nclass EventSerializer(serializers.Serializer):\n description = serializers.CharField(max_length=100)\n start = serializers.DateTimeField()\n finish = serializers.DateTimeField()\n\n def validate(self, data):\n \"\"\"\n Check that the start is before the stop.\n \"\"\"\n if data['start'] data['finish']:\n raise serializers.ValidationError(\"finish must occur after start\")\nreturndataValidatorsIndividualfieldsonaserializercanincludevalidators,bydeclaringthemonthefieldinstance,forexample:defmultiple_of_ten(value):\nifvalue%10!=0:\nraiseserializers.ValidationError('Notamultipleoften')\n\nclassGameRecord(serializers.Serializer):\nscore=IntegerField(validators=[multiple_of_ten])\n...Serializerclassescanalsoincludereusablevalidatorsthatareappliedtothecompletesetoffielddata.ThesevalidatorsareincludedbydeclaringthemonaninnerMetaclass,likeso:classEventSerializer(serializers.Serializer):\nname=serializers.CharField()\nroom_number=serializers.IntegerField(choices=[101,102,103,201])\ndate=serializers.DateFi
"text":"When passing an initial object or queryset to a serializer instance, the object will be made available as .instance . If no initial object is passed then the .instance attribute will be None . When passing data to a serializer instance, the unmodified data will be made available as .initial_data . If the data keyword argument is not passed then the .initial_data attribute will not exist.",
"text":"By default, serializers must be passed values for all required fields or they will raise validation errors. You can use the partial argument in order to allow partial updates. # Update `comment` with partial data\nserializer = CommentSerializer(comment, data={'content': u'foo bar'}, partial=True)",
"text":"The previous examples are fine for dealing with objects that only have simple datatypes, but sometimes we also need to be able to represent more complex objects, where some of the attributes of an object might not be simple datatypes such as strings, dates or integers. The Serializer class is itself a type of Field , and can be used to represent relationships where one object type is nested inside another. class UserSerializer(serializers.Serializer):\n email = serializers.EmailField()\n username = serializers.CharField(max_length=100)\n\nclass CommentSerializer(serializers.Serializer):\n user = UserSerializer()\n content = serializers.CharField(max_length=200)\n created = serializers.DateTimeField() If a nested representation may optionally accept the None value you should pass the required=False flag to the nested serializer. class CommentSerializer(serializers.Serializer):\n user = UserSerializer(required=False) # May be an anonymous user.\n content = serializers.CharField(max_length=200)\n created = serializers.DateTimeField() Similarly if a nested representation should be a list of items, you should pass the many=True flag to the nested serialized. class CommentSerializer(serializers.Serializer):\n user = UserSerializer(required=False)\n edits = EditItemSerializer(many=True) # A nested list of 'edit' items.\n content = serializers.CharField(max_length=200)\n created = serializers.DateTimeField()",
"text":"The Serializer class can also handle serializing or deserializing lists of objects. Serializing multiple objects To serialize a queryset or list of objects instead of a single object instance, you should pass the many=True flag when instantiating the serializer. You can then pass a queryset or list of objects to be serialized. queryset = Book.objects.all()\nserializer = BookSerializer(queryset, many=True)\nserializer.data\n# [\n# {'id': 0, 'title': 'The electric kool-aid acid test', 'author': 'Tom Wolfe'},\n# {'id': 1, 'title': 'If this is a man', 'author': 'Primo Levi'},\n# {'id': 2, 'title': 'The wind-up bird chronicle', 'author': 'Haruki Murakami'}\n# ] Deserializing multiple objects The default behavior for deserializing multiple objects is to support multiple object creation, but not support multiple object updates. For more information on how to support or customize either of these cases, see the ListSerializer documentation below.",
"text":"There are some cases where you need to provide extra context to the serializer in addition to the object being serialized. One common case is if you're using a serializer that includes hyperlinked relations, which requires the serializer to have access to the current request so that it can properly generate fully qualified URLs. You can provide arbitrary additional context by passing a context argument when instantiating the serializer. For example: serializer = AccountSerializer(account, context={'request': request})\nserializer.data\n# {'id': 6, 'owner': u'denvercoder9', 'created': datetime.datetime(2013, 2, 12, 09, 44, 56, 678870), 'details': 'http://example.com/accounts/6/details'} The context dictionary can be used within any serializer field logic, such as a custom .to_representation() method, by accessing the self.context attribute.",
"text":"Often you'll want serializer classes that map closely to Django model definitions. The ModelSerializer class provides a shortcut that lets you automatically create a Serializer class with fields that correspond to the Model fields. The ModelSerializer class is the same as a regular Serializer class, except that : It will automatically generate a set of fields for you, based on the model. It will automatically generate validators for the serializer, such as unique_together validators. It includes simple default implementations of .create() and .update() . Declaring a ModelSerializer looks like this: class AccountSerializer(serializers.ModelSerializer):\n class Meta:\n model = Account\n fields = ('id', 'account_name', 'users', 'created') By default, all the model fields on the class will be mapped to a corresponding serializer fields. Any relationships such as foreign keys on the model will be mapped to PrimaryKeyRelatedField . Reverse relationships are not included by default unless explicitly included as described below. Inspecting a ModelSerializer Serializer classes generate helpful verbose representation strings, that allow you to fully inspect the state of their fields. This is particularly useful when working with ModelSerializers where you want to determine what set of fields and validators are being automatically created for you. To do so, open the Django shell, using python manage.py shell , then import the serializer class, instantiate it, and print the object representation\u2026 from myapp.serializers import AccountSerializer serializer = AccountSerializer() print(repr(serializer))\nAccountSerializer():\n id = IntegerField(label='ID', read_only=True)\n name = CharField(allow_blank=True, max_length=100, required=False)\n owner = PrimaryKeyRelatedField(queryset=User.objects.all())",
"text":"If you only want a subset of the default fields to be used in a model serializer, you can do so using fields or exclude options, just as you would with a ModelForm . It is strongly recommended that you explicitly set all fields that should be serialized using the fields attribute. This will make it less likely to result in unintentionally exposing data when your models change. For example: class AccountSerializer(serializers.ModelSerializer):\n class Meta:\n model = Account\n fields = ('id', 'account_name', 'users', 'created') You can also set the fields attribute to the special value '__all__' to indicate that all fields in the model should be used. For example: class AccountSerializer(serializers.ModelSerializer):\n class Meta:\n model = Account\n fields = '__all__' You can set the exclude attribute to a list of fields to be excluded from the serializer. For example: class AccountSerializer(serializers.ModelSerializer):\n class Meta:\n model = Account\n exclude = ('users',) In the example above, if the Account model had 3 fields account_name , users , and created , this will result in the fields account_name and created to be serialized. The names in the fields and exclude attributes will normally map to model fields on the model class. Alternatively names in the fields options can map to properties or methods which take no arguments that exist on the model class.",
"text":"The default ModelSerializer uses primary keys for relationships, but you can also easily generate nested representations using the depth option: class AccountSerializer(serializers.ModelSerializer):\n class Meta:\n model = Account\n fields = ('id', 'account_name', 'users', 'created')\n depth = 1 The depth option should be set to an integer value that indicates the depth of relationships that should be traversed before reverting to a flat representation. If you want to customize the way the serialization is done you'll need to define the field yourself.",
"text":"You can add extra fields to a ModelSerializer or override the default fields by declaring fields on the class, just as you would for a Serializer class. class AccountSerializer(serializers.ModelSerializer):\n url = serializers.CharField(source='get_absolute_url', read_only=True)\n groups = serializers.PrimaryKeyRelatedField(many=True)\n\n class Meta:\n model = Account Extra fields can correspond to any property or callable on the model.",
"text":"You may wish to specify multiple fields as read-only. Instead of adding each field explicitly with the read_only=True attribute, you may use the shortcut Meta option, read_only_fields . This option should be a list or tuple of field names, and is declared as follows: class AccountSerializer(serializers.ModelSerializer):\n class Meta:\n model = Account\n fields = ('id', 'account_name', 'users', 'created')\n read_only_fields = ('account_name',) Model fields which have editable=False set, and AutoField fields will be set to read-only by default, and do not need to be added to the read_only_fields option. Note : There is a special-case where a read-only field is part of a unique_together constraint at the model level. In this case the field is required by the serializer class in order to validate the constraint, but should also not be editable by the user. The right way to deal with this is to specify the field explicitly on the serializer, providing both the read_only=True and default=\u2026 keyword arguments. One example of this is a read-only relation to the currently authenticated User which is unique_together with another identifier. In this case you would declare the user field like so: user = serializers.PrimaryKeyRelatedField(read_only=True, default=serializers.CurrentUserDefault()) Please review the Validators Documentation for details on the UniqueTogetherValidator and CurrentUserDefault classes.",
"text":"There is also a shortcut allowing you to specify arbitrary additional keyword arguments on fields, using the extra_kwargs option. As in the case of read_only_fields , this means you do not need to explicitly declare the field on the serializer. This option is a dictionary, mapping field names to a dictionary of keyword arguments. For example: class CreateUserSerializer(serializers.ModelSerializer):\n class Meta:\n model = User\n fields = ('email', 'username', 'password')\n extra_kwargs = {'password': {'write_only': True}}\n\n def create(self, validated_data):\n user = User(\n email=validated_data['email'],\n username=validated_data['username']\n )\n user.set_password(validated_data['password'])\n user.save()\n return user",
"text":"When serializing model instances, there are a number of different ways you might choose to represent relationships. The default representation for ModelSerializer is to use the primary keys of the related instances. Alternative representations include serializing using hyperlinks, serializing complete nested representations, or serializing with a custom representation. For full details see the serializer relations documentation.",
"text":"The inner Meta class on serializers is not inherited from parent classes by default. This is the same behavior as with Django's Model and ModelForm classes. If you want the Meta class to inherit from a parent class you must do so explicitly. For example: class AccountSerializer(MyBaseSerializer):\n class Meta(MyBaseSerializer.Meta):\n model = Account Typically we would recommend not using inheritance on inner Meta classes, but instead declaring all options explicitly.",
"text":"The ModelSerializer class also exposes an API that you can override in order to alter how serializer fields are automatically determined when instantiating the serializer. Normally if a ModelSerializer does not generate the fields you need by default then you should either add them to the class explicitly, or simply use a regular Serializer class instead. However in some cases you may want to create a new base class that defines how the serializer fields are created for any given model. .serializer_field_mapping A mapping of Django model classes to REST framework serializer classes. You can override this mapping to alter the default serializer classes that should be used for each model class. .serializer_related_field This property should be the serializer field class, that is used for relational fields by default. For ModelSerializer this defaults to PrimaryKeyRelatedField . For HyperlinkedModelSerializer this defaults to serializers.HyperlinkedRelatedField . serializer_url_field The serializer field class that should be used for any url field on the serializer. Defaults to serializers.HyperlinkedIdentityField serializer_choice_field The serializer field class that should be used for any choice fields on the serializer. Defaults to serializers.ChoiceField The field_class and field_kwargs API The following methods are called to determine the class and keyword arguments for each field that should be automatically included on the serializer. Each of these methods should return a two tuple of (field_class, field_kwargs) . .build_standard_field(self, field_name, model_field) Called to generate a serializer field that maps to a standard model field. The default implementation returns a serializer class based on the serializer_field_mapping attribute. .build_relational_field(self, field_name, relation_info) Called to generate a serializer field that maps to a relational model field. The default implementation returns a serializer class based on the serializer_relational_field attribute. The relation_info argument is a named tuple, that contains model_field , related_model , to_many and has_through_model properties. .build_nested_field(self, field_name, relation_info, nested_depth) Called to generate a serializer field that maps to a relational model field, when the depth option has been set. The default implementation dynamically creates a nested serializer class based on either ModelSerializer or HyperlinkedModelSerializer . The nested_depth will be the value of the depth option, minus one. The relation_info argument is a named tuple, that contains model_field , related_model , to_many and has_through_model properties. .build_property_field(self, field_name, model_class) Called to generate a serializer field that maps to a property or zero-argument method on the model class. The default implementation returns a ReadOnlyField class. .build_url_field(self, field_name, model_class) Called to generate a serializer field for the serializer's own url field. The default implementation returns a HyperlinkedIdentityField class. .build_unknown_field(self, field_name, model_class) Called when the field name did not map to any model field or model property.\nThe default implementation raises an error, although subclasses may customize this behavior.",
"text":"The HyperlinkedModelSerializer class is similar to the ModelSerializer class except that it uses hyperlinks to represent relationships, rather than primary keys. By default the serializer will include a url field instead of a primary key field. The url field will be represented using a HyperlinkedIdentityField serializer field, and any relationships on the model will be represented using a HyperlinkedRelatedField serializer field. You can explicitly include the primary key by adding it to the fields option, for example: class AccountSerializer(serializers.HyperlinkedModelSerializer):\n class Meta:\n model = Account\n fields = ('url', 'id', 'account_name', 'users', 'created')",
"text":"There needs to be a way of determining which views should be used for hyperlinking to model instances. By default hyperlinks are expected to correspond to a view name that matches the style '{model_name}-detail' , and looks up the instance by a pk keyword argument. You can override a URL field view name and lookup field by using either, or both of, the view_name and lookup_field options in the extra_kwargs setting, like so: class AccountSerializer(serializers.HyperlinkedModelSerializer):\n class Meta:\n model = Account\n fields = ('account_url', 'account_name', 'users', 'created')\n extra_kwargs = {\n 'url': {'view_name': 'accounts', 'lookup_field': 'account_name'}\n 'users': {'lookup_field': 'username'}\n } Alternatively you can set the fields on the serializer explicitly. For example: class AccountSerializer(serializers.HyperlinkedModelSerializer):\n url = serializers.HyperlinkedIdentityField(\n view_name='accounts',\n lookup_field='slug'\n )\n users = serializers.HyperlinkedRelatedField(\n view_name='user-detail',\n lookup_field='username',\n many=True,\n read_only=True\n )\n\n class Meta:\n model = Account\n fields = ('url', 'account_name', 'users', 'created') Tip : Properly matching together hyperlinked representations and your URL conf can sometimes be a bit fiddly. Printing the repr of a HyperlinkedModelSerializer instance is a particularly useful way to inspect exactly which view names and lookup fields the relationships are expected to map too.",
"text":"If you need to alter the serialization, deserialization or validation of a serializer class you can do so by overriding the .to_representation() or .to_internal_value() methods. Some reasons this might be useful include... Adding new behavior for new serializer base classes. Modifying the behavior slightly for an existing class. Improving serialization performance for a frequently accessed API endpoint that returns lots of data. The signatures for these methods are as follows: .to_representation(self, obj) Takes the object instance that requires serialization, and should return a primitive representation. Typically this means returning a structure of built-in Python datatypes. The exact types that can be handled will depend on the render classes you have configured for your API. .to_internal_value(self, data) Takes the unvalidated incoming data as input and should return the validated data that will be made available as serializer.validated_data . The return value will also be passed to the .create() or .update() methods if .save() is called on the serializer class. If any of the validation fails, then the method should raise a serializers.ValidationError(errors) . Typically the errors argument here will be a dictionary mapping field names to error messages. The data argument passed to this method will normally be the value of request.data , so the datatype it provides will depend on the parser classes you have configured for your API.",
"title":"Overriding serialization and deserialization behavior"
"text":"Once a serializer has been initialized, the dictionary of fields that are set on the serializer may be accessed using the .fields attribute. Accessing and modifying this attribute allows you to dynamically modify the serializer. Modifying the fields argument directly allows you to do interesting things such as changing the arguments on serializer fields at runtime, rather than at the point of declaring the serializer. Example For example, if you wanted to be able to set which fields should be used by a serializer at the point of initializing it, you could create a serializer class like so: class DynamicFieldsModelSerializer(serializers.ModelSerializer):\n \"\"\"\n A ModelSerializer that takes an additional `fields` argument that\n controls which fields should be displayed.\n \"\"\"\n\n def __init__(self, *args, **kwargs):\n # Don't pass the 'fields' arg up to the superclass\n fields = kwargs.pop('fields', None)\n\n # Instantiate the superclass normally\n super(DynamicFieldsModelSerializer, self).__init__(*args, **kwargs)\n\n if fields is not None:\n # Drop any fields that are not specified in the `fields` argument.\n allowed = set(fields)\n existing = set(self.fields.keys())\n for field_name in existing - allowed:\n self.fields.pop(field_name) This would then allow you to do the following: class UserSerializer(DynamicFieldsModelSerializer): class Meta: model = User fields = ('id', 'username', 'email') print UserSerializer(user)\n{'id': 2, 'username': 'jonwatts', 'email': 'jon@example.com'} print UserSerializer(user, fields=('id', 'email'))\n{'id': 2, 'email': 'jon@example.com'}",
"text":"REST framework 2 provided an API to allow developers to override how a ModelSerializer class would automatically generate the default set of fields. This API included the .get_field() , .get_pk_field() and other methods. Because the serializers have been fundamentally redesigned with 3.0 this API no longer exists. You can still modify the fields that get created but you'll need to refer to the source code, and be aware that if the changes you make are against private bits of API then they may be subject to change. A new interface for controlling this behavior is currently planned for REST framework 3.1.",
"text":"The django-rest-marshmallow package provides an alternative implementation for serializers, using the python marshmallow library. It exposes the same API as the REST framework serializers, and can be used as a drop-in replacement in some use-cases.",
"text":"The serpy package is an alternative implementation for serializers that is built for speed. Serpy serializes complex datatypes to simple native types. The native types can be easily converted to JSON or any other format needed.",
"text":"The django-rest-framework-mongoengine package provides a MongoEngineModelSerializer serializer class that supports using MongoDB as the storage layer for Django REST framework.",
"text":"The django-rest-framework-gis package provides a GeoFeatureModelSerializer serializer class that supports GeoJSON both for read and write operations.",
"text":"The django-rest-framework-hstore package provides an HStoreSerializer to support django-hstore DictionaryField model field and its schema-mode feature.",
"text":"The dynamic-rest package extends the ModelSerializer and ModelViewSet interfaces, adding API query parameters for filtering, sorting, and including / excluding all fields and relationships defined by your serializers.",
"text":"The html-json-forms package provides an algorithm and serializer for processing form submissions per the (inactive) HTML JSON Form specification . The serializer facilitates processing of arbitrarily nested JSON structures within HTML. For example, input name=\"items[0][id]\" value=\"5\" will be interpreted as {\"items\": [{\"id\": \"5\"}]} .",
"text":"Serializer fields\n\n\n\n\nEach field in a Form class is responsible not only for validating data, but also for \"cleaning\"it\nnormalizingittoaconsistentformat.\n\n\n\nDjangodocumentation\n\n\n\n\nSerializerfieldshandleconvertingbetweenprimitivevaluesandinternaldatatypes.Theyalsodealwithvalidatinginputvalues,aswellasretrievingandsettingthevaluesfromtheirparentobjects.\n\n\n\n\nNote:\nTheserializerfieldsaredeclaredin\nfields.py\n,butbyconventionyoushouldimportthemusing\nfromrest_frameworkimportserializers\nandrefertofieldsas\nserializers.\nFieldName\n.\n\n\n\n\nCorearguments\n\n\nEachserializerfieldclassconstructortakesatleastthesearguments.SomeFieldclassestakeadditional,field-specificarguments,butthefollowingshouldalwaysbeaccepted:\n\n\nread_only\n\n\nRead-onlyfieldsareincludedintheAPIoutput,butshouldnotbeincludedintheinputduringcreateorupdateoperations.Any'read_only'fieldsthatareincorrectlyincludedintheserializerinputwillbeignored.\n\n\nSetthisto\nTrue\ntoensurethatthefieldisusedwhenserializingarepresentation,butisnotusedwhencreatingorupdatinganinstanceduringdeserialization.\n\n\nDefaultsto\nFalse\n\n\nwrite_only\n\n\nSetthisto\nTrue\ntoensurethatthefieldmaybeusedwhenupdatingorcreatinganinstance,butisnotincludedwhenserializingtherepresentation.\n\n\nDefaultsto\nFalse\n\n\nrequired\n\n\nNormallyanerrorwillberaisedifafieldisnotsuppliedduringdeserialization.\nSettofalseifthisfieldisnotrequiredtobepresentduringdeserialization.\n\n\nSettingthisto\nFalse\nalsoallowstheobjectattributeordictionarykeytobeomittedfromoutputwhenserializingtheinstance.Ifthekeyisnotpresentitwillsimplynotbeincludedintheoutputrepresentation.\n\n\nDefaultsto\nTrue\n.\n\n\nallow_null\n\n\nNormallyanerrorwillberaisedif\nNone\nispassedtoaserializerfield.Setthiskeywordargumentto\nTrue\nif\nNone\nshouldbeconsideredavalidvalue.\n\n\nDefaultsto\nFalse\n\n\ndefault\n\n\nIfset,thisgivesthedefaultvaluethatwillbeusedforthefieldifnoinputvalueissupplied.Ifnotsetthedefaultbehavioristonotpopulatetheattributeatall.\n\n\nMaybesettoafunctionorothercallable,inwhichcasethevaluewillbeevaluatedeachtimeitisused.Whencalled,itwillreceivenoarguments.Ifthecallablehasa\nset_context\nmethod,thatwillbecalledeachtimebeforegettingthevaluewiththefieldinstanceasonlyargument.Thisworksthesamewayasfor\nvalidators\n.\n\n\nNotethatsettinga\ndefault\nvalueimpliesthatthefieldisnotrequired.Includingboththe\ndefault\nand\nrequired\nkeywordargumentsisinvalidandwillraiseanerror.\n\n\nsource\n\n\nThenameoftheattributethatwillbeusedtopopulatethefield.Maybeamethodthatonlytakesa\nself\nargument,suchas\nURLField(source='get_absolute_url')\n,ormayusedottednotationtotraverseattributes,suchas\nEmailField(source='user.email')\n.\n\n\nThevalue\nsource='*'\nhasaspecialmeaning,andisusedtoindicatethattheentireobjectshouldbepassedthroughtothefield.Thiscanbeusefulforcreatingnestedrepresentations,orforfieldswhichrequireaccesstothecompleteobjectinordertodeterminetheoutputrepresentation.\n\n\nDefaultstothenameofthefield.\n\n\nvalidators\n\n\nAlistofvalidatorfunctionswhichshouldbeappliedtotheincomingfieldinput,andwhicheitherraiseavalidationerrororsimplyreturn.Validatorfunctionsshouldtypicallyraise\nserializers.ValidationError\n,butDjango'sbuilt-in\nValidationError\nisalsosupportedforcompatibilitywithvalidatorsdefinedintheDjangocodebaseorthirdpartyDjangopackages.\n\n\nerror_messages\n\n\nAdictionaryoferrorcodestoerrormessages.\n\n\nlabel\n\n\nAshorttextstringthatmaybeusedasthenameofthefieldinHTMLformfieldsorotherdescriptiveelements.\n\n\nhelp_t
"text":"Each field in a Form class is responsible not only for validating data, but also for \"cleaning\" it normalizing it to a consistent format. Django documentation Serializer fields handle converting between primitive values and internal datatypes. They also deal with validating input values, as well as retrieving and setting the values from their parent objects. Note: The serializer fields are declared in fields.py , but by convention you should import them using from rest_framework import serializers and refer to fields as serializers. FieldName .",
"text":"Each serializer field class constructor takes at least these arguments. Some Field classes take additional, field-specific arguments, but the following should always be accepted: read_only Read-only fields are included in the API output, but should not be included in the input during create or update operations. Any 'read_only' fields that are incorrectly included in the serializer input will be ignored. Set this to True to ensure that the field is used when serializing a representation, but is not used when creating or updating an instance during deserialization. Defaults to False write_only Set this to True to ensure that the field may be used when updating or creating an instance, but is not included when serializing the representation. Defaults to False required Normally an error will be raised if a field is not supplied during deserialization.\nSet to false if this field is not required to be present during deserialization. Setting this to False also allows the object attribute or dictionary key to be omitted from output when serializing the instance. If the key is not present it will simply not be included in the output representation. Defaults to True . allow_null Normally an error will be raised if None is passed to a serializer field. Set this keyword argument to True if None should be considered a valid value. Defaults to False default If set, this gives the default value that will be used for the field if no input value is supplied. If not set the default behavior is to not populate the attribute at all. May be set to a function or other callable, in which case the value will be evaluated each time it is used. When called, it will receive no arguments. If the callable has a set_context method, that will be called each time before getting the value with the field instance as only argument. This works the same way as for validators . Note that setting a default value implies that the field is not required. Including both the default and required keyword arguments is invalid and will raise an error. source The name of the attribute that will be used to populate the field. May be a method that only takes a self argument, such as URLField(source='get_absolute_url') , or may use dotted notation to traverse attributes, such as EmailField(source='user.email') . The value source='*' has a special meaning, and is used to indicate that the entire object should be passed through to the field. This can be useful for creating nested representations, or for fields which require access to the complete object in order to determine the output representation. Defaults to the name of the field. validators A list of validator functions which should be applied to the incoming field input, and which either raise a validation error or simply return. Validator functions should typically raise serializers.ValidationError , but Django's built-in ValidationError is also supported for compatibility with validators defined in the Django codebase or third party Django packages. error_messages A dictionary of error codes to error messages. label A short text string that may be used as the name of the field in HTML form fields or other descriptive elements. help_text A text string that may be used as a description of the field in HTML form fields or other descriptive elements. initial A value that should be used for pre-populating the value of HTML form fields. You may pass a callable to it, just as\nyou may do with any regular Django Field : import datetime\nfrom rest_framework import serializers\nclass ExampleSerializer(serializers.Serializer):\n day = serializers.DateField(initial=datetime.date.today) style A dictionary of key-value pairs that can be used to control how renderers should render the field. Two examples here are 'input_type' and 'base_template' : # Use input type=\"password\"fortheinput.\npassword=serializers.CharField(\nstyle={'input_type':'password'}\n)\n\n#Usearadioinputinsteadofaselectinput.\ncolor_
"text":"A boolean representation. When using HTML encoded form input be aware that omitting a value will always be treated as setting a field to False , even if it has a default=True option specified. This is because HTML checkbox inputs represent the unchecked state by omitting the value, so REST framework treats omission as if it is an empty checkbox input. Corresponds to django.db.models.fields.BooleanField . Signature: BooleanField()",
"title":"BooleanField"
},
{
"location":"/api-guide/fields/#nullbooleanfield",
"text":"A boolean representation that also accepts None as a valid value. Corresponds to django.db.models.fields.NullBooleanField . Signature: NullBooleanField()",
"title":"NullBooleanField"
},
{
"location":"/api-guide/fields/#string-fields",
"text":"",
"title":"String fields"
},
{
"location":"/api-guide/fields/#charfield",
"text":"A text representation. Optionally validates the text to be shorter than max_length and longer than min_length . Corresponds to django.db.models.fields.CharField or django.db.models.fields.TextField . Signature: CharField(max_length=None, min_length=None, allow_blank=False, trim_whitespace=True) max_length - Validates that the input contains no more than this number of characters. min_length - Validates that the input contains no fewer than this number of characters. allow_blank - If set to True then the empty string should be considered a valid value. If set to False then the empty string is considered invalid and will raise a validation error. Defaults to False . trim_whitespace - If set to True then leading and trailing whitespace is trimmed. Defaults to True . The allow_null option is also available for string fields, although its usage is discouraged in favor of allow_blank . It is valid to set both allow_blank=True and allow_null=True , but doing so means that there will be two differing types of empty value permissible for string representations, which can lead to data inconsistencies and subtle application bugs.",
"title":"CharField"
},
{
"location":"/api-guide/fields/#emailfield",
"text":"A text representation, validates the text to be a valid e-mail address. Corresponds to django.db.models.fields.EmailField Signature: EmailField(max_length=None, min_length=None, allow_blank=False)",
"title":"EmailField"
},
{
"location":"/api-guide/fields/#regexfield",
"text":"A text representation, that validates the given value matches against a certain regular expression. Corresponds to django.forms.fields.RegexField . Signature: RegexField(regex, max_length=None, min_length=None, allow_blank=False) The mandatory regex argument may either be a string, or a compiled python regular expression object. Uses Django's django.core.validators.RegexValidator for validation.",
"title":"RegexField"
},
{
"location":"/api-guide/fields/#slugfield",
"text":"A RegexField that validates the input against the pattern [a-zA-Z0-9_-]+ . Corresponds to django.db.models.fields.SlugField . Signature: SlugField(max_length=50, min_length=None, allow_blank=False)",
"title":"SlugField"
},
{
"location":"/api-guide/fields/#urlfield",
"text":"A RegexField that validates the input against a URL matching pattern. Expects fully qualified URLs of the form http:// host / path . Corresponds to django.db.models.fields.URLField . Uses Django's django.core.validators.URLValidator for validation. Signature: URLField(max_length=200, min_length=None, allow_blank=False)",
"title":"URLField"
},
{
"location":"/api-guide/fields/#uuidfield",
"text":"A field that ensures the input is a valid UUID string. The to_internal_value method will return a uuid.UUID instance. On output the field will return a string in the canonical hyphenated format, for example: \"de305d54-75b4-431b-adb2-eb6b9e546013\" Signature: UUIDField(format='hex_verbose') format : Determines the representation format of the uuid value 'hex_verbose' - The cannoncical hex representation, including hyphens: \"5ce0e9a5-5ffa-654b-cee0-1238041fb31a\" 'hex' - The compact hex representation of the UUID, not including hyphens: \"5ce0e9a55ffa654bcee01238041fb31a\" 'int' - A 128 bit integer representation of the UUID: \"123456789012312313134124512351145145114\" 'urn' - RFC 4122 URN representation of the UUID: \"urn:uuid:5ce0e9a5-5ffa-654b-cee0-1238041fb31a\" \n Changing the format parameters only affects representation values. All formats are accepted by to_internal_value",
"text":"A field whose choices are limited to the filenames in a certain directory on the filesystem Corresponds to django.forms.fields.FilePathField . Signature: FilePathField(path, match=None, recursive=False, allow_files=True, allow_folders=False, required=None, **kwargs) path - The absolute filesystem path to a directory from which this FilePathField should get its choice. match - A regular expression, as a string, that FilePathField will use to filter filenames. recursive - Specifies whether all subdirectories of path should be included. Default is False . allow_files - Specifies whether files in the specified location should be included. Default is True . Either this or allow_folders must be True . allow_folders - Specifies whether folders in the specified location should be included. Default is False . Either this or allow_files must be True .",
"text":"A field that ensures the input is a valid IPv4 or IPv6 string. Corresponds to django.forms.fields.IPAddressField and django.forms.fields.GenericIPAddressField . Signature : IPAddressField(protocol='both', unpack_ipv4=False, **options) protocol Limits valid inputs to the specified protocol. Accepted values are 'both' (default), 'IPv4' or 'IPv6'. Matching is case insensitive. unpack_ipv4 Unpacks IPv4 mapped addresses like ::ffff:192.0.2.1. If this option is enabled that address would be unpacked to 192.0.2.1. Default is disabled. Can only be used when protocol is set to 'both'.",
"title":"IPAddressField"
},
{
"location":"/api-guide/fields/#numeric-fields",
"text":"",
"title":"Numeric fields"
},
{
"location":"/api-guide/fields/#integerfield",
"text":"An integer representation. Corresponds to django.db.models.fields.IntegerField , django.db.models.fields.SmallIntegerField , django.db.models.fields.PositiveIntegerField and django.db.models.fields.PositiveSmallIntegerField . Signature : IntegerField(max_value=None, min_value=None) max_value Validate that the number provided is no greater than this value. min_value Validate that the number provided is no less than this value.",
"title":"IntegerField"
},
{
"location":"/api-guide/fields/#floatfield",
"text":"A floating point representation. Corresponds to django.db.models.fields.FloatField . Signature : FloatField(max_value=None, min_value=None) max_value Validate that the number provided is no greater than this value. min_value Validate that the number provided is no less than this value.",
"title":"FloatField"
},
{
"location":"/api-guide/fields/#decimalfield",
"text":"A decimal representation, represented in Python by a Decimal instance. Corresponds to django.db.models.fields.DecimalField . Signature : DecimalField(max_digits, decimal_places, coerce_to_string=None, max_value=None, min_value=None) max_digits The maximum number of digits allowed in the number. Note that this number must be greater than or equal to decimal_places. decimal_places The number of decimal places to store with the number. coerce_to_string Set to True if string values should be returned for the representation, or False if Decimal objects should be returned. Defaults to the same value as the COERCE_DECIMAL_TO_STRING settings key, which will be True unless overridden. If Decimal objects are returned by the serializer, then the final output format will be determined by the renderer. max_value Validate that the number provided is no greater than this value. min_value Validate that the number provided is no less than this value. Example usage To validate numbers up to 999 with a resolution of 2 decimal places, you would use: serializers.DecimalField(max_digits=5, decimal_places=2) And to validate numbers up to anything less than one billion with a resolution of 10 decimal places: serializers.DecimalField(max_digits=19, decimal_places=10) This field also takes an optional argument, coerce_to_string . If set to True the representation will be output as a string. If set to False the representation will be left as a Decimal instance and the final representation will be determined by the renderer. If unset, this will default to the same value as the COERCE_DECIMAL_TO_STRING setting, which is True unless set otherwise.",
"text":"A date and time representation. Corresponds to django.db.models.fields.DateTimeField . Signature: DateTimeField(format=None, input_formats=None) format - A string representing the output format. If not specified, this defaults to the same value as the DATETIME_FORMAT settings key, which will be 'iso-8601' unless set. Setting to a format string indicates that to_representation return values should be coerced to string output. Format strings are described below. Setting this value to None indicates that Python datetime objects should be returned by to_representation . In this case the datetime encoding will be determined by the renderer. input_formats - A list of strings representing the input formats which may be used to parse the date. If not specified, the DATETIME_INPUT_FORMATS setting will be used, which defaults to ['iso-8601'] . DateTimeField format strings. Format strings may either be Python strftime formats which explicitly specify the format, or the special string 'iso-8601' , which indicates that ISO 8601 style datetimes should be used. (eg '2013-01-29T12:34:56.000000Z' ) When a value of None is used for the format datetime objects will be returned by to_representation and the final output representation will determined by the renderer class. In the case of JSON this means the default datetime representation uses the ECMA 262 date time string specification . This is a subset of ISO 8601 which uses millisecond precision, and includes the 'Z' suffix for the UTC timezone, for example: 2013-01-29T12:34:56.123Z . auto_now and auto_now_add model fields. When using ModelSerializer or HyperlinkedModelSerializer , note that any model fields with auto_now=True or auto_now_add=True will use serializer fields that are read_only=True by default. If you want to override this behavior, you'll need to declare the DateTimeField explicitly on the serializer. For example: class CommentSerializer(serializers.ModelSerializer):\n created = serializers.DateTimeField()\n\n class Meta:\n model = Comment",
"text":"A date representation. Corresponds to django.db.models.fields.DateField Signature: DateField(format=None, input_formats=None) format - A string representing the output format. If not specified, this defaults to the same value as the DATE_FORMAT settings key, which will be 'iso-8601' unless set. Setting to a format string indicates that to_representation return values should be coerced to string output. Format strings are described below. Setting this value to None indicates that Python date objects should be returned by to_representation . In this case the date encoding will be determined by the renderer. input_formats - A list of strings representing the input formats which may be used to parse the date. If not specified, the DATE_INPUT_FORMATS setting will be used, which defaults to ['iso-8601'] . DateField format strings Format strings may either be Python strftime formats which explicitly specify the format, or the special string 'iso-8601' , which indicates that ISO 8601 style dates should be used. (eg '2013-01-29' )",
"title":"DateField"
},
{
"location":"/api-guide/fields/#timefield",
"text":"A time representation. Corresponds to django.db.models.fields.TimeField Signature: TimeField(format=None, input_formats=None) format - A string representing the output format. If not specified, this defaults to the same value as the TIME_FORMAT settings key, which will be 'iso-8601' unless set. Setting to a format string indicates that to_representation return values should be coerced to string output. Format strings are described below. Setting this value to None indicates that Python time objects should be returned by to_representation . In this case the time encoding will be determined by the renderer. input_formats - A list of strings representing the input formats which may be used to parse the date. If not specified, the TIME_INPUT_FORMATS setting will be used, which defaults to ['iso-8601'] . TimeField format strings Format strings may either be Python strftime formats which explicitly specify the format, or the special string 'iso-8601' , which indicates that ISO 8601 style times should be used. (eg '12:34:56.000000' )",
"title":"TimeField"
},
{
"location":"/api-guide/fields/#durationfield",
"text":"A Duration representation.\nCorresponds to django.db.models.fields.DurationField The validated_data for these fields will contain a datetime.timedelta instance.\nThe representation is a string following this format '[DD] [HH:[MM:]]ss[.uuuuuu]' . Note: This field is only available with Django versions = 1.8. Signature: DurationField()",
"text":"A field that can accept a value out of a limited set of choices. Used by ModelSerializer to automatically generate fields if the corresponding model field includes a choices=\u2026 argument. Signature: ChoiceField(choices) choices - A list of valid values, or a list of (key, display_name) tuples. allow_blank - If set to True then the empty string should be considered a valid value. If set to False then the empty string is considered invalid and will raise a validation error. Defaults to False . html_cutoff - If set this will be the maximum number of choices that will be displayed by a HTML select drop down. Can be used to ensure that automatically generated ChoiceFields with very large possible selections do not prevent a template from rendering. Defaults to None . html_cutoff_text - If set this will display a textual indicator if the maximum number of items have been cutoff in an HTML select drop down. Defaults to \"More than {count} items\u2026\" Both the allow_blank and allow_null are valid options on ChoiceField , although it is highly recommended that you only use one and not both. allow_blank should be preferred for textual choices, and allow_null should be preferred for numeric or other non-textual choices.",
"text":"A field that can accept a set of zero, one or many values, chosen from a limited set of choices. Takes a single mandatory argument. to_internal_value returns a set containing the selected values. Signature: MultipleChoiceField(choices) choices - A list of valid values, or a list of (key, display_name) tuples. allow_blank - If set to True then the empty string should be considered a valid value. If set to False then the empty string is considered invalid and will raise a validation error. Defaults to False . html_cutoff - If set this will be the maximum number of choices that will be displayed by a HTML select drop down. Can be used to ensure that automatically generated ChoiceFields with very large possible selections do not prevent a template from rendering. Defaults to None . html_cutoff_text - If set this will display a textual indicator if the maximum number of items have been cutoff in an HTML select drop down. Defaults to \"More than {count} items\u2026\" As with ChoiceField , both the allow_blank and allow_null options are valid, although it is highly recommended that you only use one and not both. allow_blank should be preferred for textual choices, and allow_null should be preferred for numeric or other non-textual choices.",
"text":"Parsers and file uploads. The FileField and ImageField classes are only suitable for use with MultiPartParser or FileUploadParser . Most parsers, such as e.g. JSON don't support file uploads.\nDjango's regular FILE_UPLOAD_HANDLERS are used for handling uploaded files.",
"title":"File upload fields"
},
{
"location":"/api-guide/fields/#filefield",
"text":"A file representation. Performs Django's standard FileField validation. Corresponds to django.forms.fields.FileField . Signature: FileField(max_length=None, allow_empty_file=False, use_url=UPLOADED_FILES_USE_URL) max_length - Designates the maximum length for the file name. allow_empty_file - Designates if empty files are allowed. use_url - If set to True then URL string values will be used for the output representation. If set to False then filename string values will be used for the output representation. Defaults to the value of the UPLOADED_FILES_USE_URL settings key, which is True unless set otherwise.",
"title":"FileField"
},
{
"location":"/api-guide/fields/#imagefield",
"text":"An image representation. Validates the uploaded file content as matching a known image format. Corresponds to django.forms.fields.ImageField . Signature: ImageField(max_length=None, allow_empty_file=False, use_url=UPLOADED_FILES_USE_URL) max_length - Designates the maximum length for the file name. allow_empty_file - Designates if empty files are allowed. use_url - If set to True then URL string values will be used for the output representation. If set to False then filename string values will be used for the output representation. Defaults to the value of the UPLOADED_FILES_USE_URL settings key, which is True unless set otherwise. Requires either the Pillow package or PIL package. The Pillow package is recommended, as PIL is no longer actively maintained.",
"title":"ImageField"
},
{
"location":"/api-guide/fields/#composite-fields",
"text":"",
"title":"Composite fields"
},
{
"location":"/api-guide/fields/#listfield",
"text":"A field class that validates a list of objects. Signature : ListField(child) child - A field instance that should be used for validating the objects in the list. If this argument is not provided then objects in the list will not be validated. For example, to validate a list of integers you might use something like the following: scores = serializers.ListField(\n child=serializers.IntegerField(min_value=0, max_value=100)\n) The ListField class also supports a declarative style that allows you to write reusable list field classes. class StringListField(serializers.ListField):\n child = serializers.CharField() We can now reuse our custom StringListField class throughout our application, without having to provide a child argument to it.",
"title":"ListField"
},
{
"location":"/api-guide/fields/#dictfield",
"text":"A field class that validates a dictionary of objects. The keys in DictField are always assumed to be string values. Signature : DictField(child) child - A field instance that should be used for validating the values in the dictionary. If this argument is not provided then values in the mapping will not be validated. For example, to create a field that validates a mapping of strings to strings, you would write something like this: document = DictField(child=CharField()) You can also use the declarative style, as with ListField . For example: class DocumentField(DictField):\n child = CharField()",
"text":"A field class that validates that the incoming data structure consists of valid JSON primitives. In its alternate binary mode, it will represent and validate JSON-encoded binary strings. Signature : JSONField(binary) binary - If set to True then the field will output and validate a JSON encoded string, rather than a primitive data structure. Defaults to False .",
"text":"A field class that simply returns the value of the field without modification. This field is used by default with ModelSerializer when including field names that relate to an attribute rather than a model field. Signature : ReadOnlyField() For example, is has_expired was a property on the Account model, then the following serializer would automatically generate it as a ReadOnlyField : class AccountSerializer(serializers.ModelSerializer):\n class Meta:\n model = Account\n fields = ('id', 'account_name', 'has_expired')",
"title":"ReadOnlyField"
},
{
"location":"/api-guide/fields/#hiddenfield",
"text":"A field class that does not take a value based on user input, but instead takes its value from a default value or callable. Signature : HiddenField() For example, to include a field that always provides the current time as part of the serializer validated data, you would use the following: modified = serializers.HiddenField(default=timezone.now) The HiddenField class is usually only needed if you have some validation that needs to run based on some pre-provided field values, but you do not want to expose all of those fields to the end user. For further examples on HiddenField see the validators documentation.",
"title":"HiddenField"
},
{
"location":"/api-guide/fields/#modelfield",
"text":"A generic field that can be tied to any arbitrary model field. The ModelField class delegates the task of serialization/deserialization to its associated model field. This field can be used to create serializer fields for custom model fields, without having to create a new custom serializer field. This field is used by ModelSerializer to correspond to custom model field classes. Signature: ModelField(model_field= Django ModelField instance ) The ModelField class is generally intended for internal use, but can be used by your API if needed. In order to properly instantiate a ModelField , it must be passed a field that is attached to an instantiated model. For example: ModelField(model_field=MyModel()._meta.get_field('custom_field'))",
"text":"This is a read-only field. It gets its value by calling a method on the serializer class it is attached to. It can be used to add any sort of data to the serialized representation of your object. Signature : SerializerMethodField(method_name=None) method_name - The name of the method on the serializer to be called. If not included this defaults to get_ field_name . The serializer method referred to by the method_name argument should accept a single argument (in addition to self ), which is the object being serialized. It should return whatever you want to be included in the serialized representation of the object. For example: from django.contrib.auth.models import User\nfrom django.utils.timezone import now\nfrom rest_framework import serializers\n\nclass UserSerializer(serializers.ModelSerializer):\n days_since_joined = serializers.SerializerMethodField()\n\n class Meta:\n model = User\n\n def get_days_since_joined(self, obj):\n return (now() - obj.date_joined).days",
"title":"SerializerMethodField"
},
{
"location":"/api-guide/fields/#custom-fields",
"text":"If you want to create a custom field, you'll need to subclass Field and then override either one or both of the .to_representation() and .to_internal_value() methods. These two methods are used to convert between the initial datatype, and a primitive, serializable datatype. Primitive datatypes will typically be any of a number, string, boolean, date / time / datetime or None . They may also be any list or dictionary like object that only contains other primitive objects. Other types might be supported, depending on the renderer that you are using. The .to_representation() method is called to convert the initial datatype into a primitive, serializable datatype. The to_internal_value() method is called to restore a primitive datatype into its internal python representation. This method should raise a serializers.ValidationError if the data is invalid. Note that the WritableField class that was present in version 2.x no longer exists. You should subclass Field and override to_internal_value() if the field supports data input.",
"text":"Let's look at an example of serializing a class that represents an RGB color value: class Color(object):\n \"\"\"\n A color represented in the RGB colorspace.\n \"\"\"\n def __init__(self, red, green, blue):\n assert(red = 0 and green = 0 and blue = 0)\n assert(red 256 and green 256 and blue 256)\n self.red, self.green, self.blue = red, green, blue\n\nclass ColorField(serializers.Field):\n \"\"\"\n Color objects are serialized into 'rgb(#, #, #)' notation.\n \"\"\"\n def to_representation(self, obj):\n return \"rgb(%d, %d, %d)\" % (obj.red, obj.green, obj.blue)\n\n def to_internal_value(self, data):\n data = data.strip('rgb(').rstrip(')')\n red, green, blue = [int(col) for col in data.split(',')]\n return Color(red, green, blue) By default field values are treated as mapping to an attribute on the object. If you need to customize how the field value is accessed and set you need to override .get_attribute() and/or .get_value() . As an example, let's create a field that can be used to represent the class name of the object being serialized: class ClassNameField(serializers.Field):\n def get_attribute(self, obj):\n # We pass the object instance onto `to_representation`,\n # not just the field attribute.\n return obj\n\n def to_representation(self, obj):\n \"\"\"\n Serialize the object's class name.\n \"\"\"\n return obj.__class__.__name__ Raising validation errors Our ColorField class above currently does not perform any data validation.\nTo indicate invalid data, we should raise a serializers.ValidationError , like so: def to_internal_value(self, data):\n if not isinstance(data, six.text_type):\n msg = 'Incorrect type. Expected a string, but got %s'\n raise ValidationError(msg % type(data).__name__)\n\n if not re.match(r'^rgb\\([0-9]+,[0-9]+,[0-9]+\\)$', data):\n raise ValidationError('Incorrect format. Expected `rgb(#,#,#)`.')\n\n data = data.strip('rgb(').rstrip(')')\n red, green, blue = [int(col) for col in data.split(',')]\n\n if any([col 255 or col 0 for col in (red, green, blue)]):\n raise ValidationError('Value out of range. Must be between 0 and 255.')\n\n return Color(red, green, blue) The .fail() method is a shortcut for raising ValidationError that takes a message string from the error_messages dictionary. For example: default_error_messages = {\n 'incorrect_type': 'Incorrect type. Expected a string, but got {input_type}',\n 'incorrect_format': 'Incorrect format. Expected `rgb(#,#,#)`.',\n 'out_of_range': 'Value out of range. Must be between 0 and 255.'\n}\n\ndef to_internal_value(self, data):\n if not isinstance(data, six.text_type):\n msg = 'Incorrect type. Expected a string, but got %s'\n self.fail('incorrect_type', input_type=type(data).__name__)\n\n if not re.match(r'^rgb\\([0-9]+,[0-9]+,[0-9]+\\)$', data):\n self.fail('incorrect_format')\n\n data = data.strip('rgb(').rstrip(')')\n red, green, blue = [int(col) for col in data.split(',')]\n\n if any([col 255 or col 0 for col in (red, green, blue)]):\n self.fail('out_of_range')\n\n return Color(red, green, blue) This style keeps you error messages more cleanly separated from your code, and should be preferred.",
"text":"The drf-compound-fields package provides \"compound\" serializer fields, such as lists of simple values, which can be described by other fields rather than serializers with the many=True option. Also provided are fields for typed dictionaries and values that can be either a specific type or a list of items of that type.",
"title":"DRF Compound Fields"
},
{
"location":"/api-guide/fields/#drf-extra-fields",
"text":"The drf-extra-fields package provides extra serializer fields for REST framework, including Base64ImageField and PointField classes.",
"text":"The django-rest-framework-gis package provides geographic addons for django rest framework like a GeometryField field and a GeoJSON serializer.",
"text":"Bad programmers worry about the code.\nGood programmers worry about data structures and their relationships. Linus Torvalds Relational fields are used to represent model relationships. They can be applied to ForeignKey , ManyToManyField and OneToOneField relationships, as well as to reverse relationships, and custom relationships such as GenericForeignKey . Note: The relational fields are declared in relations.py , but by convention you should import them from the serializers module, using from rest_framework import serializers and refer to fields as serializers. FieldName . Inspecting relationships. When using the ModelSerializer class, serializer fields and relationships will be automatically generated for you. Inspecting these automatically generated fields can be a useful tool for determining how to customize the relationship style. To do so, open the Django shell, using python manage.py shell , then import the serializer class, instantiate it, and print the object representation\u2026 from myapp.serializers import AccountSerializer serializer = AccountSerializer() print repr(serializer) # Or `print(repr(serializer))` in Python 3.x.\nAccountSerializer():\n id = IntegerField(label='ID', read_only=True)\n name = CharField(allow_blank=True, max_length=100, required=False)\n owner = PrimaryKeyRelatedField(queryset=User.objects.all())",
"text":"In order to explain the various types of relational fields, we'll use a couple of simple models for our examples. Our models will be for music albums, and the tracks listed on each album. class Album(models.Model):\n album_name = models.CharField(max_length=100)\n artist = models.CharField(max_length=100)\n\nclass Track(models.Model):\n album = models.ForeignKey(Album, related_name='tracks')\n order = models.IntegerField()\n title = models.CharField(max_length=100)\n duration = models.IntegerField()\n\n class Meta:\n unique_together = ('album', 'order')\n ordering = ['order']\n\n def __unicode__(self):\n return '%d: %s' % (self.order, self.title)",
"text":"StringRelatedField may be used to represent the target of the relationship using its __unicode__ method. For example, the following serializer. class AlbumSerializer(serializers.ModelSerializer):\n tracks = serializers.StringRelatedField(many=True)\n\n class Meta:\n model = Album\n fields = ('album_name', 'artist', 'tracks') Would serialize to the following representation. {\n 'album_name': 'Things We Lost In The Fire',\n 'artist': 'Low',\n 'tracks': [\n '1: Sunflower',\n '2: Whitetail',\n '3: Dinosaur Act',\n ...\n ]\n} This field is read only. Arguments : many - If applied to a to-many relationship, you should set this argument to True .",
"text":"PrimaryKeyRelatedField may be used to represent the target of the relationship using its primary key. For example, the following serializer: class AlbumSerializer(serializers.ModelSerializer):\n tracks = serializers.PrimaryKeyRelatedField(many=True, read_only=True)\n\n class Meta:\n model = Album\n fields = ('album_name', 'artist', 'tracks') Would serialize to a representation like this: {\n 'album_name': 'The Roots',\n 'artist': 'Undun',\n 'tracks': [\n 89,\n 90,\n 91,\n ...\n ]\n} By default this field is read-write, although you can change this behavior using the read_only flag. Arguments : queryset - The queryset used for model instance lookups when validating the field input. Relationships must either set a queryset explicitly, or set read_only=True . many - If applied to a to-many relationship, you should set this argument to True . allow_null - If set to True , the field will accept values of None or the empty string for nullable relationships. Defaults to False . pk_field - Set to a field to control serialization/deserialization of the primary key's value. For example, pk_field=UUIDField(format='hex') would serialize a UUID primary key into its compact hex representation.",
"text":"HyperlinkedRelatedField may be used to represent the target of the relationship using a hyperlink. For example, the following serializer: class AlbumSerializer(serializers.ModelSerializer):\n tracks = serializers.HyperlinkedRelatedField(\n many=True,\n read_only=True,\n view_name='track-detail'\n )\n\n class Meta:\n model = Album\n fields = ('album_name', 'artist', 'tracks') Would serialize to a representation like this: {\n 'album_name': 'Graceland',\n 'artist': 'Paul Simon',\n 'tracks': [\n 'http://www.example.com/api/tracks/45/',\n 'http://www.example.com/api/tracks/46/',\n 'http://www.example.com/api/tracks/47/',\n ...\n ]\n} By default this field is read-write, although you can change this behavior using the read_only flag. Note : This field is designed for objects that map to a URL that accepts a single URL keyword argument, as set using the lookup_field and lookup_url_kwarg arguments. This is suitable for URLs that contain a single primary key or slug argument as part of the URL. If you require more complex hyperlinked representation you'll need to customize the field, as described in the custom hyperlinked fields section, below. Arguments : view_name - The view name that should be used as the target of the relationship. If you're using the standard router classes this will be a string with the format modelname -detail . required . queryset - The queryset used for model instance lookups when validating the field input. Relationships must either set a queryset explicitly, or set read_only=True . many - If applied to a to-many relationship, you should set this argument to True . allow_null - If set to True , the field will accept values of None or the empty string for nullable relationships. Defaults to False . lookup_field - The field on the target that should be used for the lookup. Should correspond to a URL keyword argument on the referenced view. Default is 'pk' . lookup_url_kwarg - The name of the keyword argument defined in the URL conf that corresponds to the lookup field. Defaults to using the same value as lookup_field . format - If using format suffixes, hyperlinked fields will use the same format suffix for the target unless overridden by using the format argument.",
"text":"SlugRelatedField may be used to represent the target of the relationship using a field on the target. For example, the following serializer: class AlbumSerializer(serializers.ModelSerializer):\n tracks = serializers.SlugRelatedField(\n many=True,\n read_only=True,\n slug_field='title'\n )\n\n class Meta:\n model = Album\n fields = ('album_name', 'artist', 'tracks') Would serialize to a representation like this: {\n 'album_name': 'Dear John',\n 'artist': 'Loney Dear',\n 'tracks': [\n 'Airport Surroundings',\n 'Everything Turns to You',\n 'I Was Only Going Out',\n ...\n ]\n} By default this field is read-write, although you can change this behavior using the read_only flag. When using SlugRelatedField as a read-write field, you will normally want to ensure that the slug field corresponds to a model field with unique=True . Arguments : slug_field - The field on the target that should be used to represent it. This should be a field that uniquely identifies any given instance. For example, username . required queryset - The queryset used for model instance lookups when validating the field input. Relationships must either set a queryset explicitly, or set read_only=True . many - If applied to a to-many relationship, you should set this argument to True . allow_null - If set to True , the field will accept values of None or the empty string for nullable relationships. Defaults to False .",
"text":"This field can be applied as an identity relationship, such as the 'url' field on a HyperlinkedModelSerializer. It can also be used for an attribute on the object. For example, the following serializer: class AlbumSerializer(serializers.HyperlinkedModelSerializer):\n track_listing = serializers.HyperlinkedIdentityField(view_name='track-list')\n\n class Meta:\n model = Album\n fields = ('album_name', 'artist', 'track_listing') Would serialize to a representation like this: {\n 'album_name': 'The Eraser',\n 'artist': 'Thom Yorke',\n 'track_listing': 'http://www.example.com/api/track_list/12/',\n} This field is always read-only. Arguments : view_name - The view name that should be used as the target of the relationship. If you're using the standard router classes this will be a string with the format model_name -detail . required . lookup_field - The field on the target that should be used for the lookup. Should correspond to a URL keyword argument on the referenced view. Default is 'pk' . lookup_url_kwarg - The name of the keyword argument defined in the URL conf that corresponds to the lookup field. Defaults to using the same value as lookup_field . format - If using format suffixes, hyperlinked fields will use the same format suffix for the target unless overridden by using the format argument.",
"text":"Nested relationships can be expressed by using serializers as fields. If the field is used to represent a to-many relationship, you should add the many=True flag to the serializer field.",
"text":"By default nested serializers are read-only. If you want to support write-operations to a nested serializer field you'll need to create create() and/or update() methods in order to explicitly specify how the child relationships should be saved. class TrackSerializer(serializers.ModelSerializer):\n class Meta:\n model = Track\n fields = ('order', 'title', 'duration')\n\nclass AlbumSerializer(serializers.ModelSerializer):\n tracks = TrackSerializer(many=True)\n\n class Meta:\n model = Album\n fields = ('album_name', 'artist', 'tracks')\n\n def create(self, validated_data):\n tracks_data = validated_data.pop('tracks')\n album = Album.objects.create(**validated_data)\n for track_data in tracks_data:\n Track.objects.create(album=album, **track_data)\n return album data = {\n 'album_name': 'The Grey Album',\n 'artist': 'Danger Mouse',\n 'tracks': [\n {'order': 1, 'title': 'Public Service Announcement', 'duration': 245},\n {'order': 2, 'title': 'What More Can I Say', 'duration': 264},\n {'order': 3, 'title': 'Encore', 'duration': 159},\n ],\n} serializer = AlbumSerializer(data=data) serializer.is_valid()\nTrue serializer.save() Album: Album object",
"text":"To implement a custom relational field, you should override RelatedField , and implement the .to_representation(self, value) method. This method takes the target of the field as the value argument, and should return the representation that should be used to serialize the target. The value argument will typically be a model instance. If you want to implement a read-write relational field, you must also implement the .to_internal_value(self, data) method. To provide a dynamic queryset based on the context , you can also override .get_queryset(self) instead of specifying .queryset on the class or when initializing the field.",
"text":"For example, we could define a relational field to serialize a track to a custom string representation, using its ordering, title, and duration. import time\n\nclass TrackListingField(serializers.RelatedField):\n def to_representation(self, value):\n duration = time.strftime('%M:%S', time.gmtime(value.duration))\n return 'Track %d: %s (%s)' % (value.order, value.name, duration)\n\nclass AlbumSerializer(serializers.ModelSerializer):\n tracks = TrackListingField(many=True)\n\n class Meta:\n model = Album\n fields = ('album_name', 'artist', 'tracks') This custom field would then serialize to the following representation. {\n 'album_name': 'Sometimes I Wish We Were an Eagle',\n 'artist': 'Bill Callahan',\n 'tracks': [\n 'Track 1: Jim Cain (04:39)',\n 'Track 2: Eid Ma Clack Shaw (04:19)',\n 'Track 3: The Wind and the Dove (04:34)',\n ...\n ]\n}",
"text":"In some cases you may need to customize the behavior of a hyperlinked field, in order to represent URLs that require more than a single lookup field. You can achieve this by overriding HyperlinkedRelatedField . There are two methods that may be overridden: get_url(self, obj, view_name, request, format) The get_url method is used to map the object instance to its URL representation. May raise a NoReverseMatch if the view_name and lookup_field \nattributes are not configured to correctly match the URL conf. get_object(self, queryset, view_name, view_args, view_kwargs) If you want to support a writable hyperlinked field then you'll also want to override get_object , in order to map incoming URLs back to the object they represent. For read-only hyperlinked fields there is no need to override this method. The return value of this method should the object that corresponds to the matched URL conf arguments. May raise an ObjectDoesNotExist exception.",
"text":"Say we have a URL for a customer object that takes two keyword arguments, like so: /api/ organization_slug /customers/ customer_pk / This cannot be represented with the default implementation, which accepts only a single lookup field. In this case we'd need to override HyperlinkedRelatedField to get the behavior we want: from rest_framework import serializers\nfrom rest_framework.reverse import reverse\n\nclass CustomerHyperlink(serializers.HyperlinkedRelatedField):\n # We define these as class attributes, so we don't need to pass them as arguments.\n view_name = 'customer-detail'\n queryset = Customer.objects.all()\n\n def get_url(self, obj, view_name, request, format):\n url_kwargs = {\n 'organization_slug': obj.organization.slug,\n 'customer_pk': obj.pk\n }\n return reverse(view_name, kwargs=url_kwargs, request=request, format=format)\n\n def get_object(self, view_name, view_args, view_kwargs):\n lookup_kwargs = {\n 'organization__slug': view_kwargs['organization_slug'],\n 'pk': view_kwargs['customer_pk']\n }\n return self.get_queryset().get(**lookup_kwargs) Note that if you wanted to use this style together with the generic views then you'd also need to override .get_object on the view in order to get the correct lookup behavior. Generally we recommend a flat style for API representations where possible, but the nested URL style can also be reasonable when used in moderation.",
"text":"The queryset argument is only ever required for writable relationship field, in which case it is used for performing the model instance lookup, that maps from the primitive user input, into a model instance. In version 2.x a serializer class could sometimes automatically determine the queryset argument if a ModelSerializer class was being used. This behavior is now replaced with always using an explicit queryset argument for writable relational fields. Doing so reduces the amount of hidden 'magic' that ModelSerializer provides, makes the behavior of the field more clear, and ensures that it is trivial to move between using the ModelSerializer shortcut, or using fully explicit Serializer classes.",
"text":"The built-in __str__ method of the model will be used to generate string representations of the objects used to populate the choices property. These choices are used to populate select HTML inputs in the browsable API. To provide customized representations for such inputs, override display_value() of a RelatedField subclass. This method will receive a model object, and should return a string suitable for representing it. For example: class TrackPrimaryKeyRelatedField(serializers.PrimaryKeyRelatedField):\n def display_value(self, instance):\n return 'Track: %s' % (instance.title)",
"text":"When rendered in the browsable API relational fields will default to only displaying a maximum of 1000 selectable items. If more items are present then a disabled option with \"More than 1000 items\u2026\" will be displayed. This behavior is intended to prevent a template from being unable to render in an acceptable timespan due to a very large number of relationships being displayed. There are two keyword arguments you can use to control this behavior: html_cutoff - If set this will be the maximum number of choices that will be displayed by a HTML select drop down. Set to None to disable any limiting. Defaults to 1000 . html_cutoff_text - If set this will display a textual indicator if the maximum number of items have been cutoff in an HTML select drop down. Defaults to \"More than {count} items\u2026\" In cases where the cutoff is being enforced you may want to instead use a plain input field in the HTML form. You can do so using the style keyword argument. For example: assigned_to = serializers.SlugRelatedField(\n queryset=User.objects.all(),\n slug_field='username',\n style={'base_template': 'input.html'}\n)",
"text":"Note that reverse relationships are not automatically included by the ModelSerializer and HyperlinkedModelSerializer classes. To include a reverse relationship, you must explicitly add it to the fields list. For example: class AlbumSerializer(serializers.ModelSerializer):\n class Meta:\n fields = ('tracks', ...) You'll normally want to ensure that you've set an appropriate related_name argument on the relationship, that you can use as the field name. For example: class Track(models.Model):\n album = models.ForeignKey(Album, related_name='tracks')\n ... If you have not set a related name for the reverse relationship, you'll need to use the automatically generated related name in the fields argument. For example: class AlbumSerializer(serializers.ModelSerializer):\n class Meta:\n fields = ('track_set', ...) See the Django documentation on reverse relationships for more details.",
"text":"If you want to serialize a generic foreign key, you need to define a custom field, to determine explicitly how you want to serialize the targets of the relationship. For example, given the following model for a tag, which has a generic relationship with other arbitrary models: class TaggedItem(models.Model):\n \"\"\"\n Tags arbitrary model instances using a generic relation.\n\n See: https://docs.djangoproject.com/en/dev/ref/contrib/contenttypes/\n \"\"\"\n tag_name = models.SlugField()\n content_type = models.ForeignKey(ContentType)\n object_id = models.PositiveIntegerField()\n tagged_object = GenericForeignKey('content_type', 'object_id')\n\n def __unicode__(self):\n return self.tag_name And the following two models, which may have associated tags: class Bookmark(models.Model):\n \"\"\"\n A bookmark consists of a URL, and 0 or more descriptive tags.\n \"\"\"\n url = models.URLField()\n tags = GenericRelation(TaggedItem)\n\n\nclass Note(models.Model):\n \"\"\"\n A note consists of some text, and 0 or more descriptive tags.\n \"\"\"\n text = models.CharField(max_length=1000)\n tags = GenericRelation(TaggedItem) We could define a custom field that could be used to serialize tagged instances, using the type of each instance to determine how it should be serialized. class TaggedObjectRelatedField(serializers.RelatedField):\n \"\"\"\n A custom field to use for the `tagged_object` generic relationship.\n \"\"\"\n\n def to_representation(self, value):\n \"\"\"\n Serialize tagged objects to a simple textual representation.\n \"\"\"\n if isinstance(value, Bookmark):\n return 'Bookmark: ' + value.url\n elif isinstance(value, Note):\n return 'Note: ' + value.text\n raise Exception('Unexpected type of tagged object') If you need the target of the relationship to have a nested representation, you can use the required serializers inside the .to_representation() method: def to_representation(self, value):\n \"\"\"\n Serialize bookmark instances using a bookmark serializer,\n and note instances using a note serializer.\n \"\"\"\n if isinstance(value, Bookmark):\n serializer = BookmarkSerializer(value)\n elif isinstance(value, Note):\n serializer = NoteSerializer(value)\n else:\n raise Exception('Unexpected type of tagged object')\n\n return serializer.data Note that reverse generic keys, expressed using the GenericRelation field, can be serialized using the regular relational field types, since the type of the target in the relationship is always known. For more information see the Django documentation on generic relations .",
"text":"By default, relational fields that target a ManyToManyField with a through model specified are set to read-only. If you explicitly specify a relational field pointing to a ManyToManyField with a through model, be sure to set read_only \nto True .",
"text":"Validators can be useful for re-using validation logic between different types of fields. Django documentation Most of the time you're dealing with validation in REST framework you'll simply be relying on the default field validation, or writing explicit validation methods on serializer or field classes. However, sometimes you'll want to place your validation logic into reusable components, so that it can easily be reused throughout your codebase. This can be achieved by using validator functions and validator classes.",
"text":"Validation in Django REST framework serializers is handled a little differently to how validation works in Django's ModelForm class. With ModelForm the validation is performed partially on the form, and partially on the model instance. With REST framework the validation is performed entirely on the serializer class. This is advantageous for the following reasons: It introduces a proper separation of concerns, making your code behavior more obvious. It is easy to switch between using shortcut ModelSerializer classes and using explicit Serializer classes. Any validation behavior being used for ModelSerializer is simple to replicate. Printing the repr of a serializer instance will show you exactly what validation rules it applies. There's no extra hidden validation behavior being called on the model instance. When you're using ModelSerializer all of this is handled automatically for you. If you want to drop down to using a Serializer classes instead, then you need to define the validation rules explicitly. Example As an example of how REST framework uses explicit validation, we'll take a simple model class that has a field with a uniqueness constraint. class CustomerReportRecord(models.Model):\n time_raised = models.DateTimeField(default=timezone.now, editable=False)\n reference = models.CharField(unique=True, max_length=20)\n description = models.TextField() Here's a basic ModelSerializer that we can use for creating or updating instances of CustomerReportRecord : class CustomerReportSerializer(serializers.ModelSerializer):\n class Meta:\n model = CustomerReportRecord If we open up the Django shell using manage.py shell we can now from project.example.serializers import CustomerReportSerializer serializer = CustomerReportSerializer() print(repr(serializer))\nCustomerReportSerializer():\n id = IntegerField(label='ID', read_only=True)\n time_raised = DateTimeField(read_only=True)\n reference = CharField(max_length=20, validators=[ UniqueValidator(queryset=CustomerReportRecord.objects.all()) ])\n description = CharField(style={'type': 'textarea'}) The interesting bit here is the reference field. We can see that the uniqueness constraint is being explicitly enforced by a validator on the serializer field. Because of this more explicit style REST framework includes a few validator classes that are not available in core Django. These classes are detailed below.",
"text":"This validator can be used to enforce the unique=True constraint on model fields.\nIt takes a single required argument, and an optional messages argument: queryset required - This is the queryset against which uniqueness should be enforced. message - The error message that should be used when validation fails. This validator should be applied to serializer fields , like so: slug = SlugField(\n max_length=100,\n validators=[UniqueValidator(queryset=BlogPost.objects.all())]\n)",
"text":"This validator can be used to enforce unique_together constraints on model instances.\nIt has two required arguments, and a single optional messages argument: queryset required - This is the queryset against which uniqueness should be enforced. fields required - A list or tuple of field names which should make a unique set. These must exist as fields on the serializer class. message - The error message that should be used when validation fails. The validator should be applied to serializer classes , like so: class ExampleSerializer(serializers.Serializer):\n # ...\n class Meta:\n # ToDo items belong to a parent list, and have an ordering defined\n #\u00a0by the 'position' field. No two items in a given list may share\n # the same position.\n validators = [\n UniqueTogetherValidator(\n queryset=ToDoItem.objects.all(),\n fields=('list', 'position')\n )\n ] Note : The UniqueTogetherValidation class always imposes an implicit constraint that all the fields it applies to are always treated as required. Fields with default values are an exception to this as they always supply a value even when omitted from user input.",
"text":"These validators can be used to enforce the unique_for_date , unique_for_month and unique_for_year constraints on model instances. They take the following arguments: queryset required - This is the queryset against which uniqueness should be enforced. field required - A field name against which uniqueness in the given date range will be validated. This must exist as a field on the serializer class. date_field required - A field name which will be used to determine date range for the uniqueness constrain. This must exist as a field on the serializer class. message - The error message that should be used when validation fails. The validator should be applied to serializer classes , like so: class ExampleSerializer(serializers.Serializer):\n # ...\n class Meta:\n # Blog posts should have a slug that is unique for the current year.\n validators = [\n UniqueForYearValidator(\n queryset=BlogPostItem.objects.all(),\n field='slug',\n date_field='published'\n )\n ] The date field that is used for the validation is always required to be present on the serializer class. You can't simply rely on a model class default=... , because the value being used for the default wouldn't be generated until after the validation has run. There are a couple of styles you may want to use for this depending on how you want your API to behave. If you're using ModelSerializer you'll probably simply rely on the defaults that REST framework generates for you, but if you are using Serializer or simply want more explicit control, use on of the styles demonstrated below. Using with a writable date field. If you want the date field to be writable the only thing worth noting is that you should ensure that it is always available in the input data, either by setting a default argument, or by setting required=True . published = serializers.DateTimeField(required=True) Using with a read-only date field. If you want the date field to be visible, but not editable by the user, then set read_only=True and additionally set a default=... argument. published = serializers.DateTimeField(read_only=True, default=timezone.now) The field will not be writable to the user, but the default value will still be passed through to the validated_data . Using with a hidden date field. If you want the date field to be entirely hidden from the user, then use HiddenField . This field type does not accept user input, but instead always returns it's default value to the validated_data in the serializer. published = serializers.HiddenField(default=timezone.now) Note : The UniqueFor Range Validation classes always imposes an implicit constraint that the fields they are applied to are always treated as required. Fields with default values are an exception to this as they always supply a value even when omitted from user input.",
"text":"Validators that are applied across multiple fields in the serializer can sometimes require a field input that should not be provided by the API client, but that is available as input to the validator. Two patterns that you may want to use for this sort of validation include: Using HiddenField . This field will be present in validated_data but will not be used in the serializer output representation. Using a standard field with read_only=True , but that also includes a default=\u2026 argument. This field will be used in the serializer output representation, but cannot be set directly by the user. REST framework includes a couple of defaults that may be useful in this context. CurrentUserDefault A default class that can be used to represent the current user. In order to use this, the 'request' must have been provided as part of the context dictionary when instantiating the serializer. owner = serializers.HiddenField(\n default=serializers.CurrentUserDefault()\n) CreateOnlyDefault A default class that can be used to only set a default argument during create operations . During updates the field is omitted. It takes a single argument, which is the default value or callable that should be used during create operations. created_at = serializers.DateTimeField(\n read_only=True,\n default=CreateOnlyDefault(timezone.now)\n)",
"text":"A validator may be any callable that raises a serializers.ValidationError on failure. def even_number(value):\n if value % 2 != 0:\n raise serializers.ValidationError('This field must be an even number.')",
"text":"To write a class based validator, use the __call__ method. Class based validators are useful as they allow you to parameterize and reuse behavior. class MultipleOf(object):\n def __init__(self, base):\n self.base = base\n\n def __call__(self, value):\n if value % self.base != 0:\n message = 'This field must be a multiple of %d.' % self.base\n raise serializers.ValidationError(message) Using set_context() In some advanced cases you might want a validator to be passed the serializer field it is being used with as additional context. You can do so by declaring a set_context method on a class based validator. def set_context(self, serializer_field):\n # Determine if this is an update or a create operation.\n # In `__call__` we can then use that information to modify the validation behavior.\n self.is_update = serializer_field.parent.instance is not None",
"text":"Authentication\n\n\n\n\nAuth needs to be pluggable.\n\n\n Jacob Kaplan-Moss, \n\"REST worst practices\"\n\n\n\n\nAuthenticationisthemechanismofassociatinganincomingrequestwithasetofidentifyingcredentials,suchastheusertherequestcamefrom,orthetokenthatitwassignedwith.The\npermission\nand\nthrottling\npoliciescanthenusethosecredentialstodetermineiftherequestshouldbepermitted.\n\n\nRESTframeworkprovidesanumberofauthenticationschemesoutofthebox,andalsoallowsyoutoimplementcustomschemes.\n\n\nAuthenticationisalwaysrunattheverystartoftheview,beforethepermissionandthrottlingchecksoccur,andbeforeanyothercodeisallowedtoproceed.\n\n\nThe\nrequest.user\npropertywilltypicallybesettoaninstanceofthe\ncontrib.auth\npackage's\nUser\nclass.\n\n\nThe\nrequest.auth\npropertyisusedforanyadditionalauthenticationinformation,forexample,itmaybeusedtorepresentanauthenticationtokenthattherequestwassignedwith.\n\n\n\n\nNote:\nDon'tforgetthat\nauthenticationbyitselfwon'tallowordisallowanincomingrequest\n,itsimplyidentifiesthecredentialsthattherequestwasmadewith.\n\n\nForinformationonhowtosetupthepermissionpolicesforyourAPIpleaseseethe\npermissionsdocumentation\n.\n\n\n\n\nHowauthenticationisdetermined\n\n\nTheauthenticationschemesarealwaysdefinedasalistofclasses.RESTframeworkwillattempttoauthenticatewitheachclassinthelist,andwillset\nrequest.user\nand\nrequest.auth\nusingthereturnvalueofthefirstclassthatsuccessfullyauthenticates.\n\n\nIfnoclassauthenticates,\nrequest.user\nwillbesettoaninstanceof\ndjango.contrib.auth.models.AnonymousUser\n,and\nrequest.auth\nwillbesetto\nNone\n.\n\n\nThevalueof\nrequest.user\nand\nrequest.auth\nforunauthenticatedrequestscanbemodifiedusingthe\nUNAUTHENTICATED_USER\nand\nUNAUTHENTICATED_TOKEN\nsettings.\n\n\nSettingtheauthenticationscheme\n\n\nThedefaultauthenticationschemesmaybesetglobally,usingthe\nDEFAULT_AUTHENTICATION_CLASSES\nsetting.Forexample.\n\n\nREST_FRAMEWORK={\n'DEFAULT_AUTHENTICATION_CLASSES':(\n'rest_framework.authentication.BasicAuthentication',\n'rest_framework.authentication.SessionAuthentication',\n)\n}\n\n\n\nYoucanalsosettheauthenticationschemeonaper-vieworper-viewsetbasis,\nusingthe\nAPIView\nclassbasedviews.\n\n\nfromrest_framework.authenticationimportSessionAuthentication,BasicAuthentication\nfromrest_framework.permissionsimportIsAuthenticated\nfromrest_framework.responseimportResponse\nfromrest_framework.viewsimportAPIView\n\nclassExampleView(APIView):\nauthentication_classes=(SessionAuthentication,BasicAuthentication)\npermission_classes=(IsAuthenticated,)\n\ndefget(self,request,format=None):\ncontent={\n'user':unicode(request.user),#`django.contrib.auth.User`instance.\n'auth':unicode(request.auth),#None\n}\nreturnResponse(content)\n\n\n\nOr,ifyou'reusingthe\n@api_view\ndecoratorwithfunctionbasedviews.\n\n\n@api_view(['GET'])\n@authentication_classes((SessionAuthentication,BasicAuthentication))\n@permission_classes((IsAuthenticated,))\ndefexample_view(request,format=None):\ncontent={\n'user':unicode(request.user),#`django.contrib.auth.User`instance.\n'auth':unicode(request.auth),#None\n}\nreturnResponse(content)\n\n\n\nUnauthorizedandForbiddenresponses\n\n\nWhenanunauthenticatedrequestisdeniedpermissiontherearetwodifferenterrorcodesthatmaybeappropriate.\n\n\n\n\nHTTP401Unauthorized\n\n\nHTTP403PermissionDenied\n\n\n\n\nHTTP401responsesmustalwaysincludea\nWWW-Authenticate\nheader,thatinstructstheclienthowtoauthenticate.HTTP403responsesdonotincludethe\nWWW-Authenticate\nheader.\n\n\nThekindofresponsethatwillbeuseddependsontheauthenticationscheme.Althoughmult
"text":"Auth needs to be pluggable. Jacob Kaplan-Moss, \"REST worst practices\" Authentication is the mechanism of associating an incoming request with a set of identifying credentials, such as the user the request came from, or the token that it was signed with. The permission and throttling policies can then use those credentials to determine if the request should be permitted. REST framework provides a number of authentication schemes out of the box, and also allows you to implement custom schemes. Authentication is always run at the very start of the view, before the permission and throttling checks occur, and before any other code is allowed to proceed. The request.user property will typically be set to an instance of the contrib.auth package's User class. The request.auth property is used for any additional authentication information, for example, it may be used to represent an authentication token that the request was signed with. Note: Don't forget that authentication by itself won't allow or disallow an incoming request , it simply identifies the credentials that the request was made with. For information on how to setup the permission polices for your API please see the permissions documentation .",
"text":"The authentication schemes are always defined as a list of classes. REST framework will attempt to authenticate with each class in the list, and will set request.user and request.auth using the return value of the first class that successfully authenticates. If no class authenticates, request.user will be set to an instance of django.contrib.auth.models.AnonymousUser , and request.auth will be set to None . The value of request.user and request.auth for unauthenticated requests can be modified using the UNAUTHENTICATED_USER and UNAUTHENTICATED_TOKEN settings.",
"text":"The default authentication schemes may be set globally, using the DEFAULT_AUTHENTICATION_CLASSES setting. For example. REST_FRAMEWORK = {\n 'DEFAULT_AUTHENTICATION_CLASSES': (\n 'rest_framework.authentication.BasicAuthentication',\n 'rest_framework.authentication.SessionAuthentication',\n )\n} You can also set the authentication scheme on a per-view or per-viewset basis,\nusing the APIView class based views. from rest_framework.authentication import SessionAuthentication, BasicAuthentication\nfrom rest_framework.permissions import IsAuthenticated\nfrom rest_framework.response import Response\nfrom rest_framework.views import APIView\n\nclass ExampleView(APIView):\n authentication_classes = (SessionAuthentication, BasicAuthentication)\n permission_classes = (IsAuthenticated,)\n\n def get(self, request, format=None):\n content = {\n 'user': unicode(request.user), # `django.contrib.auth.User` instance.\n 'auth': unicode(request.auth), # None\n }\n return Response(content) Or, if you're using the @api_view decorator with function based views. @api_view(['GET'])\n@authentication_classes((SessionAuthentication, BasicAuthentication))\n@permission_classes((IsAuthenticated,))\ndef example_view(request, format=None):\n content = {\n 'user': unicode(request.user), # `django.contrib.auth.User` instance.\n 'auth': unicode(request.auth), # None\n }\n return Response(content)",
"text":"When an unauthenticated request is denied permission there are two different error codes that may be appropriate. HTTP 401 Unauthorized HTTP 403 Permission Denied HTTP 401 responses must always include a WWW-Authenticate header, that instructs the client how to authenticate. HTTP 403 responses do not include the WWW-Authenticate header. The kind of response that will be used depends on the authentication scheme. Although multiple authentication schemes may be in use, only one scheme may be used to determine the type of response. The first authentication class set on the view is used when determining the type of response . Note that when a request may successfully authenticate, but still be denied permission to perform the request, in which case a 403 Permission Denied response will always be used, regardless of the authentication scheme.",
"text":"Note that if deploying to Apache using mod_wsgi , the authorization header is not passed through to a WSGI application by default, as it is assumed that authentication will be handled by Apache, rather than at an application level. If you are deploying to Apache, and using any non-session based authentication, you will need to explicitly configure mod_wsgi to pass the required headers through to the application. This can be done by specifying the WSGIPassAuthorization directive in the appropriate context and setting it to 'On' . # this can go in either server config, virtual host, directory or .htaccess\nWSGIPassAuthorization On",
"text":"This authentication scheme uses HTTP Basic Authentication , signed against a user's username and password. Basic authentication is generally only appropriate for testing. If successfully authenticated, BasicAuthentication provides the following credentials. request.user will be a Django User instance. request.auth will be None . Unauthenticated responses that are denied permission will result in an HTTP 401 Unauthorized response with an appropriate WWW-Authenticate header. For example: WWW-Authenticate: Basic realm=\"api\" Note: If you use BasicAuthentication in production you must ensure that your API is only available over https . You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage.",
"text":"This authentication scheme uses a simple token-based HTTP Authentication scheme. Token authentication is appropriate for client-server setups, such as native desktop and mobile clients. To use the TokenAuthentication scheme you'll need to configure the authentication classes to include TokenAuthentication , and additionally include rest_framework.authtoken in your INSTALLED_APPS setting: INSTALLED_APPS = (\n ...\n 'rest_framework.authtoken'\n) Note: Make sure to run manage.py migrate after changing your settings. The rest_framework.authtoken app provides Django database migrations. You'll also need to create tokens for your users. from rest_framework.authtoken.models import Token\n\ntoken = Token.objects.create(user=...)\nprint token.key For clients to authenticate, the token key should be included in the Authorization HTTP header. The key should be prefixed by the string literal \"Token\",withwhitespaceseparatingthetwostrings.Forexample:Authorization:Token9944b09199c62bcf9418ad846dd0e4bbdfc6ee4bNote:Ifyouwanttouseadifferentkeywordintheheader,suchasBearer,simplysubclassTokenAuthenticationandsetthekeywordclassvariable.Ifsuccessfullyauthenticated,TokenAuthenticationprovidesthefollowingcredentials.request.userwillbeaDjangoUserinstance.request.authwillbearest_framework.authtoken.models.BasicTokeninstance.UnauthenticatedresponsesthataredeniedpermissionwillresultinanHTTP401UnauthorizedresponsewithanappropriateWWW-Authenticateheader.Forexample:WWW-Authenticate:TokenThecurlcommandlinetoolmaybeusefulfortestingtokenauthenticatedAPIs.Forexample:curl-XGEThttp://127.0.0.1:8000/api/example/ -H 'Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' Note: If you use TokenAuthentication in production you must ensure that your API is only available over https . Generating Tokens By using signals If you want every user to have an automatically generated Token, you can simply catch the User's post_save signal. from django.conf import settings\nfrom django.db.models.signals import post_save\nfrom django.dispatch import receiver\nfrom rest_framework.authtoken.models import Token\n\n@receiver(post_save, sender=settings.AUTH_USER_MODEL)\ndef create_auth_token(sender, instance=None, created=False, **kwargs):\n if created:\n Token.objects.create(user=instance) Note that you'll want to ensure you place this code snippet in an installed models.py module, or some other location that will be imported by Django on startup. If you've already created some users, you can generate tokens for all existing users like this: from django.contrib.auth.models import User\nfrom rest_framework.authtoken.models import Token\n\nfor user in User.objects.all():\n Token.objects.get_or_create(user=user) By exposing an api endpoint When using TokenAuthentication , you may want to provide a mechanism for clients to obtain a token given the username and password. REST framework provides a built-in view to provide this behavior. To use it, add the obtain_auth_token view to your URLconf: from rest_framework.authtoken import views\nurlpatterns += [\n url(r'^api-token-auth/', views.obtain_auth_token)\n] Note that the URL part of the pattern can be whatever you want to use. The obtain_auth_token view will return a JSON response when valid username and password fields are POSTed to the view using form data or JSON: { 'token' : '9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' } Note that the default obtain_auth_token view explicitly uses JSON requests and responses, rather than using default renderer and parser classes in your settings. If you need a customized version of the obtain_auth_token view, you can do so by overriding the ObtainAuthToken view class, and using that in your url conf instead. With Django admin It is also possible to create Tokens manually through admin interface. In case you are using a large user base, we recomm
"text":"This authentication scheme uses Django's default session backend for authentication. Session authentication is appropriate for AJAX clients that are running in the same session context as your website. If successfully authenticated, SessionAuthentication provides the following credentials. request.user will be a Django User instance. request.auth will be None . Unauthenticated responses that are denied permission will result in an HTTP 403 Forbidden response. If you're using an AJAX style API with SessionAuthentication, you'll need to make sure you include a valid CSRF token for any \"unsafe\" HTTP method calls, such as PUT , PATCH , POST or DELETE requests. See the Django CSRF documentation for more details. Warning : Always use Django's standard login view when creating login pages. This will ensure your login views are properly protected. CSRF validation in REST framework works slightly differently to standard Django due to the need to support both session and non-session based authentication to the same views. This means that only authenticated requests require CSRF tokens, and anonymous requests may be sent without CSRF tokens. This behaviour is not suitable for login views, which should always have CSRF validation applied.",
"text":"To implement a custom authentication scheme, subclass BaseAuthentication and override the .authenticate(self, request) method. The method should return a two-tuple of (user, auth) if authentication succeeds, or None otherwise. In some circumstances instead of returning None , you may want to raise an AuthenticationFailed exception from the .authenticate() method. Typically the approach you should take is: If authentication is not attempted, return None . Any other authentication schemes also in use will still be checked. If authentication is attempted but fails, raise a AuthenticationFailed exception. An error response will be returned immediately, regardless of any permissions checks, and without checking any other authentication schemes. You may also override the .authenticate_header(self, request) method. If implemented, it should return a string that will be used as the value of the WWW-Authenticate header in a HTTP 401 Unauthorized response. If the .authenticate_header() method is not overridden, the authentication scheme will return HTTP 403 Forbidden responses when an unauthenticated request is denied access.",
"title":"Custom authentication"
},
{
"location":"/api-guide/authentication/#example",
"text":"The following example will authenticate any incoming request as the user given by the username in a custom request header named 'X_USERNAME'. from django.contrib.auth.models import User\nfrom rest_framework import authentication\nfrom rest_framework import exceptions\n\nclass ExampleAuthentication(authentication.BaseAuthentication):\n def authenticate(self, request):\n username = request.META.get('X_USERNAME')\n if not username:\n return None\n\n try:\n user = User.objects.get(username=username)\n except User.DoesNotExist:\n raise exceptions.AuthenticationFailed('No such user')\n\n return (user, None)",
"text":"The Django OAuth Toolkit package provides OAuth 2.0 support, and works with Python 2.7 and Python 3.3+. The package is maintained by Evonove and uses the excellent OAuthLib . The package is well documented, and well supported and is currently our recommended package for OAuth 2.0 support . Installation configuration Install using pip . pip install django-oauth-toolkit Add the package to your INSTALLED_APPS and modify your REST framework settings. INSTALLED_APPS = (\n ...\n 'oauth2_provider',\n)\n\nREST_FRAMEWORK = {\n 'DEFAULT_AUTHENTICATION_CLASSES': (\n 'oauth2_provider.ext.rest_framework.OAuth2Authentication',\n )\n} For more details see the Django REST framework - Getting started documentation.",
"text":"The Django REST framework OAuth package provides both OAuth1 and OAuth2 support for REST framework. This package was previously included directly in REST framework but is now supported and maintained as a third party package. Installation configuration Install the package using pip . pip install djangorestframework-oauth For details on configuration and usage see the Django REST framework OAuth documentation for authentication and permissions .",
"text":"HTTP digest authentication is a widely implemented scheme that was intended to replace HTTP basic authentication, and which provides a simple encrypted authentication mechanism. Juan Riaza maintains the djangorestframework-digestauth package which provides HTTP digest authentication support for REST framework.",
"text":"The Django OAuth2 Consumer library from Rediker Software is another package that provides OAuth 2.0 support for REST framework . The package includes token scoping permissions on tokens, which allows finer-grained access to your API.",
"text":"JSON Web Token is a fairly new standard which can be used for token-based authentication. Unlike the built-in TokenAuthentication scheme, JWT Authentication doesn't need to use a database to validate a token. Blimp maintains the djangorestframework-jwt package which provides a JWT Authentication class as well as a mechanism for clients to obtain a JWT given the username and password.",
"text":"The HawkREST library builds on the Mohawk library to let you work with Hawk signed requests and responses in your API. Hawk lets two parties securely communicate with each other using messages signed by a shared key. It is based on HTTP MAC access authentication (which was based on parts of OAuth 1.0 ).",
"text":"HTTP Signature (currently a IETF draft ) provides a way to achieve origin authentication and message integrity for HTTP messages. Similar to Amazon's HTTP Signature scheme , used by many of its services, it permits stateless, per-request authentication. Elvio Toccalino maintains the djangorestframework-httpsignature package which provides an easy to use HTTP Signature Authentication mechanism.",
"title":"HTTP Signature Authentication"
},
{
"location":"/api-guide/authentication/#djoser",
"text":"Djoser library provides a set of views to handle basic actions such as registration, login, logout, password reset and account activation. The package works with a custom user model and it uses token based authentication. This is a ready to use REST implementation of Django authentication system.",
"text":"Django-rest-auth library provides a set of REST API endpoints for registration, authentication (including social media authentication), password reset, retrieve and update user details, etc. By having these API endpoints, your client apps such as AngularJS, iOS, Android, and others can communicate to your Django backend site independently via REST APIs for user management.",
"text":"Django-rest-framework-social-oauth2 library provides an easy way to integrate social plugins (facebook, twitter, google, etc.) to your authentication system and an easy oauth2 setup. With this library, you will be able to authenticate users based on external tokens (e.g. facebook access token), convert these tokens to \"in-house\" oauth2 tokens and use and generate oauth2 tokens to authenticate your users.",
"text":"Django-rest-knox library provides models and views to handle token based authentication in a more secure and extensible way than the built-in TokenAuthentication scheme - with Single Page Applications and Mobile clients in mind. It provides per-client tokens, and views to generate them when provided some other authentication (usually basic authentication), to delete the token (providing a server enforced logout) and to delete all tokens (logs out all clients that a user is logged into).",
"text":"Permissions\n\n\n\n\nAuthentication or identification by itself is not usually sufficient to gain access to information or code. For that, the entity requesting access must have authorization.\n\n\n \nApple Developer Documentation\n\n\n\n\nTogether with \nauthentication\n and \nthrottling\n, permissions determine whether a request should be granted or denied access.\n\n\nPermission checks are always run at the very start of the view, before any other code is allowed to proceed. Permission checks will typically use the authentication information in the \nrequest.user\n and \nrequest.auth\n properties to determine if the incoming request should be permitted.\n\n\nPermissions are used to grant or deny access different classes of users to different parts of the API.\n\n\nThe simplest style of permission would be to allow access to any authenticated user, and deny access to any unauthenticated user. This corresponds the \nIsAuthenticated\n class in REST framework.\n\n\nA slightly less strict style of permission would be to allow full access to authenticated users, but allow read-only access to unauthenticated users. This corresponds to the \nIsAuthenticatedOrReadOnly\n class in REST framework.\n\n\nHow permissions are determined\n\n\nPermissions in REST framework are always defined as a list of permission classes.\n\n\nBefore running the main body of the view each permission in the list is checked.\nIf any permission check fails an \nexceptions.PermissionDenied\n or \nexceptions.NotAuthenticated\n exception will be raised, and the main body of the view will not run.\n\n\nWhen the permissions checks fail either a \"403 Forbidden\" or a \"401 Unauthorized\"responsewillbereturned,accordingtothefollowingrules:\n\n\n\n\nTherequestwassuccessfullyauthenticated,butpermissionwasdenied.\nAnHTTP403Forbiddenresponsewillbereturned.\n\n\nTherequestwasnotsuccessfullyauthenticated,andthehighestpriorityauthenticationclass\ndoesnot\nuse\nWWW-Authenticate\nheaders.\nAnHTTP403Forbiddenresponsewillbereturned.\n\n\nTherequestwasnotsuccessfullyauthenticated,andthehighestpriorityauthenticationclass\ndoes\nuse\nWWW-Authenticate\nheaders.\nAnHTTP401Unauthorizedresponse,withanappropriate\nWWW-Authenticate\nheaderwillbereturned.\n\n\n\n\nObjectlevelpermissions\n\n\nRESTframeworkpermissionsalsosupportobject-levelpermissioning.Objectlevelpermissionsareusedtodetermineifausershouldbeallowedtoactonaparticularobject,whichwilltypicallybeamodelinstance.\n\n\nObjectlevelpermissionsarerunbyRESTframework'sgenericviewswhen\n.get_object()\niscalled.\nAswithviewlevelpermissions,an\nexceptions.PermissionDenied\nexceptionwillberaisediftheuserisnotallowedtoactonthegivenobject.\n\n\nIfyou'rewritingyourownviewsandwanttoenforceobjectlevelpermissions,\norifyouoverridethe\nget_object\nmethodonagenericview,thenyou'llneedtoexplicitlycallthe\n.check_object_permissions(request,obj)\nmethodontheviewatthepointatwhichyou'veretrievedtheobject.\n\n\nThiswilleitherraisea\nPermissionDenied\nor\nNotAuthenticated\nexception,orsimplyreturniftheviewhastheappropriatepermissions.\n\n\nForexample:\n\n\ndefget_object(self):\nobj=get_object_or_404(self.get_queryset())\nself.check_object_permissions(self.request,obj)\nreturnobj\n\n\n\nLimitationsofobjectlevelpermissions\n\n\nForperformancereasonsthegenericviewswillnotautomaticallyapplyobjectlevelpermissionstoeachinstanceinaquerysetwhenreturningalistofobjects.\n\n\nOftenwhenyou'reusingobjectlevelpermissionsyou'llalsowantto\nfilterthequeryset\nappropriately,toensurethatusersonlyhavevisibilityontoinstancesthattheyarepermittedtoview.\n\n\nSettingthepermissionpolicy\n\n\nThedefaultpermissionpolicymaybesetglobally,usingthe\nDEFAULT_PERMISSION_CLASSES\nsetting.Forexample.\n\n\nREST_FRAMEWORK={\n'DEFAULT_PERMISSION_CLASSES':
"text":"Authentication or identification by itself is not usually sufficient to gain access to information or code. For that, the entity requesting access must have authorization. Apple Developer Documentation Together with authentication and throttling , permissions determine whether a request should be granted or denied access. Permission checks are always run at the very start of the view, before any other code is allowed to proceed. Permission checks will typically use the authentication information in the request.user and request.auth properties to determine if the incoming request should be permitted. Permissions are used to grant or deny access different classes of users to different parts of the API. The simplest style of permission would be to allow access to any authenticated user, and deny access to any unauthenticated user. This corresponds the IsAuthenticated class in REST framework. A slightly less strict style of permission would be to allow full access to authenticated users, but allow read-only access to unauthenticated users. This corresponds to the IsAuthenticatedOrReadOnly class in REST framework.",
"text":"Permissions in REST framework are always defined as a list of permission classes. Before running the main body of the view each permission in the list is checked.\nIf any permission check fails an exceptions.PermissionDenied or exceptions.NotAuthenticated exception will be raised, and the main body of the view will not run. When the permissions checks fail either a \"403 Forbidden\" or a \"401 Unauthorized\" response will be returned, according to the following rules: The request was successfully authenticated, but permission was denied. An HTTP 403 Forbidden response will be returned. The request was not successfully authenticated, and the highest priority authentication class does not use WWW-Authenticate headers. An HTTP 403 Forbidden response will be returned. The request was not successfully authenticated, and the highest priority authentication class does use WWW-Authenticate headers. An HTTP 401 Unauthorized response, with an appropriate WWW-Authenticate header will be returned.",
"text":"REST framework permissions also support object-level permissioning. Object level permissions are used to determine if a user should be allowed to act on a particular object, which will typically be a model instance. Object level permissions are run by REST framework's generic views when .get_object() is called.\nAs with view level permissions, an exceptions.PermissionDenied exception will be raised if the user is not allowed to act on the given object. If you're writing your own views and want to enforce object level permissions,\nor if you override the get_object method on a generic view, then you'll need to explicitly call the .check_object_permissions(request, obj) method on the view at the point at which you've retrieved the object. This will either raise a PermissionDenied or NotAuthenticated exception, or simply return if the view has the appropriate permissions. For example: def get_object(self):\n obj = get_object_or_404(self.get_queryset())\n self.check_object_permissions(self.request, obj)\n return obj Limitations of object level permissions For performance reasons the generic views will not automatically apply object level permissions to each instance in a queryset when returning a list of objects. Often when you're using object level permissions you'll also want to filter the queryset appropriately, to ensure that users only have visibility onto instances that they are permitted to view.",
"text":"The default permission policy may be set globally, using the DEFAULT_PERMISSION_CLASSES setting. For example. REST_FRAMEWORK = {\n 'DEFAULT_PERMISSION_CLASSES': (\n 'rest_framework.permissions.IsAuthenticated',\n )\n} If not specified, this setting defaults to allowing unrestricted access: 'DEFAULT_PERMISSION_CLASSES': (\n 'rest_framework.permissions.AllowAny',\n) You can also set the authentication policy on a per-view, or per-viewset basis,\nusing the APIView class based views. from rest_framework.permissions import IsAuthenticated\nfrom rest_framework.response import Response\nfrom rest_framework.views import APIView\n\nclass ExampleView(APIView):\n permission_classes = (IsAuthenticated,)\n\n def get(self, request, format=None):\n content = {\n 'status': 'request was permitted'\n }\n return Response(content) Or, if you're using the @api_view decorator with function based views. from rest_framework.decorators import api_view, permission_classes\nfrom rest_framework.permissions import IsAuthenticated\nfrom rest_framework.response import Response\n\n@api_view('GET')\n@permission_classes((IsAuthenticated, ))\ndef example_view(request, format=None):\n content = {\n 'status': 'request was permitted'\n }\n return Response(content) Note: when you set new permission classes through class attribute or decorators you're telling the view to ignore the default list set over the settings.py file.",
"text":"The AllowAny permission class will allow unrestricted access, regardless of if the request was authenticated or unauthenticated . This permission is not strictly required, since you can achieve the same result by using an empty list or tuple for the permissions setting, but you may find it useful to specify this class because it makes the intention explicit.",
"text":"The IsAuthenticated permission class will deny permission to any unauthenticated user, and allow permission otherwise. This permission is suitable if you want your API to only be accessible to registered users.",
"title":"IsAuthenticated"
},
{
"location":"/api-guide/permissions/#isadminuser",
"text":"The IsAdminUser permission class will deny permission to any user, unless user.is_staff is True in which case permission will be allowed. This permission is suitable if you want your API to only be accessible to a subset of trusted administrators.",
"text":"The IsAuthenticatedOrReadOnly will allow authenticated users to perform any request. Requests for unauthorised users will only be permitted if the request method is one of the \"safe\" methods; GET , HEAD or OPTIONS . This permission is suitable if you want to your API to allow read permissions to anonymous users, and only allow write permissions to authenticated users.",
"text":"This permission class ties into Django's standard django.contrib.auth model permissions . This permission must only be applied to views that has a .queryset property set. Authorization will only be granted if the user is authenticated and has the relevant model permissions assigned. POST requests require the user to have the add permission on the model. PUT and PATCH requests require the user to have the change permission on the model. DELETE requests require the user to have the delete permission on the model. The default behaviour can also be overridden to support custom model permissions. For example, you might want to include a view model permission for GET requests. To use custom model permissions, override DjangoModelPermissions and set the .perms_map property. Refer to the source code for details. Using with views that do not include a queryset attribute. If you're using this permission with a view that uses an overridden get_queryset() method there may not be a queryset attribute on the view. In this case we suggest also marking the view with a sentinel queryset, so that this class can determine the required permissions. For example: queryset = User.objects.none() # Required for DjangoModelPermissions",
"text":"This permission class ties into Django's standard object permissions framework that allows per-object permissions on models. In order to use this permission class, you'll also need to add a permission backend that supports object-level permissions, such as django-guardian . As with DjangoModelPermissions , this permission must only be applied to views that have a .queryset property or .get_queryset() method. Authorization will only be granted if the user is authenticated and has the relevant per-object permissions and relevant model permissions assigned. POST requests require the user to have the add permission on the model instance. PUT and PATCH requests require the user to have the change permission on the model instance. DELETE requests require the user to have the delete permission on the model instance. Note that DjangoObjectPermissions does not require the django-guardian package, and should support other object-level backends equally well. As with DjangoModelPermissions you can use custom model permissions by overriding DjangoModelPermissions and setting the .perms_map property. Refer to the source code for details. Note : If you need object level view permissions for GET , HEAD and OPTIONS requests, you'll want to consider also adding the DjangoObjectPermissionsFilter class to ensure that list endpoints only return results including objects for which the user has appropriate view permissions.",
"text":"To implement a custom permission, override BasePermission and implement either, or both, of the following methods: .has_permission(self, request, view) .has_object_permission(self, request, view, obj) The methods should return True if the request should be granted access, and False otherwise. If you need to test if a request is a read operation or a write operation, you should check the request method against the constant SAFE_METHODS , which is a tuple containing 'GET' , 'OPTIONS' and 'HEAD' . For example: if request.method in permissions.SAFE_METHODS:\n # Check permissions for read-only request\nelse:\n # Check permissions for write request Note : The instance-level has_object_permission method will only be called if the view-level has_permission checks have already passed. Also note that in order for the instance-level checks to run, the view code should explicitly call .check_object_permissions(request, obj) . If you are using the generic views then this will be handled for you by default. Custom permissions will raise a PermissionDenied exception if the test fails. To change the error message associated with the exception, implement a message attribute directly on your custom permission. Otherwise the default_detail attribute from PermissionDenied will be used. from rest_framework import permissions\n\nclass CustomerAccessPermission(permissions.BasePermission):\n message = 'Adding customers not allowed.'\n\n def has_permission(self, request, view):\n ...",
"text":"The following is an example of a permission class that checks the incoming request's IP address against a blacklist, and denies the request if the IP has been blacklisted. from rest_framework import permissions\n\nclass BlacklistPermission(permissions.BasePermission):\n \"\"\"\n Global permission check for blacklisted IPs.\n \"\"\"\n\n def has_permission(self, request, view):\n ip_addr = request.META['REMOTE_ADDR']\n blacklisted = Blacklist.objects.filter(ip_addr=ip_addr).exists()\n return not blacklisted As well as global permissions, that are run against all incoming requests, you can also create object-level permissions, that are only run against operations that affect a particular object instance. For example: class IsOwnerOrReadOnly(permissions.BasePermission):\n \"\"\"\n Object-level permission to only allow owners of an object to edit it.\n Assumes the model instance has an `owner` attribute.\n \"\"\"\n\n def has_object_permission(self, request, view, obj):\n # Read permissions are allowed to any request,\n # so we'll always allow GET, HEAD or OPTIONS requests.\n if request.method in permissions.SAFE_METHODS:\n return True\n\n # Instance must have an attribute named `owner`.\n return obj.owner == request.user Note that the generic views will check the appropriate object level permissions, but if you're writing your own custom views, you'll need to make sure you check the object level permission checks yourself. You can do so by calling self.check_object_permissions(request, obj) from the view once you have the object instance. This call will raise an appropriate APIException if any object-level permission checks fail, and will otherwise simply return. Also note that the generic views will only check the object-level permissions for views that retrieve a single model instance. If you require object-level filtering of list views, you'll need to filter the queryset separately. See the filtering documentation for more details.",
"text":"The Composed Permissions package provides a simple way to define complex and multi-depth (with logic operators) permission objects, using small and reusable components.",
"text":"The REST Condition package is another extension for building complex permissions in a simple and convenient way. The extension allows you to combine permissions with logical operators.",
"text":"The DRY Rest Permissions package provides the ability to define different permissions for individual default and custom actions. This package is made for apps with permissions that are derived from relationships defined in the app's data model. It also supports permission checks being returned to a client app through the API's serializer. Additionally it supports adding permissions to the default and custom list actions to restrict the data they retrive per user.",
"text":"HTTP/1.1 420 Enhance Your Calm Twitter API rate limiting response Throttling is similar to permissions , in that it determines if a request should be authorized. Throttles indicate a temporary state, and are used to control the rate of requests that clients can make to an API. As with permissions, multiple throttles may be used. Your API might have a restrictive throttle for unauthenticated requests, and a less restrictive throttle for authenticated requests. Another scenario where you might want to use multiple throttles would be if you need to impose different constraints on different parts of the API, due to some services being particularly resource-intensive. Multiple throttles can also be used if you want to impose both burst throttling rates, and sustained throttling rates. For example, you might want to limit a user to a maximum of 60 requests per minute, and 1000 requests per day. Throttles do not necessarily only refer to rate-limiting requests. For example a storage service might also need to throttle against bandwidth, and a paid data service might want to throttle against a certain number of a records being accessed.",
"text":"As with permissions and authentication, throttling in REST framework is always defined as a list of classes. Before running the main body of the view each throttle in the list is checked.\nIf any throttle check fails an exceptions.Throttled exception will be raised, and the main body of the view will not run.",
"text":"The default throttling policy may be set globally, using the DEFAULT_THROTTLE_CLASSES and DEFAULT_THROTTLE_RATES settings. For example. REST_FRAMEWORK = {\n 'DEFAULT_THROTTLE_CLASSES': (\n 'rest_framework.throttling.AnonRateThrottle',\n 'rest_framework.throttling.UserRateThrottle'\n ),\n 'DEFAULT_THROTTLE_RATES': {\n 'anon': '100/day',\n 'user': '1000/day'\n }\n} The rate descriptions used in DEFAULT_THROTTLE_RATES may include second , minute , hour or day as the throttle period. You can also set the throttling policy on a per-view or per-viewset basis,\nusing the APIView class based views. from rest_framework.response import Response\nfrom rest_framework.throttling import UserRateThrottle\nfrom rest_framework.views import APIView\n\nclass ExampleView(APIView):\n throttle_classes = (UserRateThrottle,)\n\n def get(self, request, format=None):\n content = {\n 'status': 'request was permitted'\n }\n return Response(content) Or, if you're using the @api_view decorator with function based views. @api_view(['GET'])\n@throttle_classes([UserRateThrottle])\ndef example_view(request, format=None):\n content = {\n 'status': 'request was permitted'\n }\n return Response(content)",
"text":"The X-Forwarded-For and Remote-Addr HTTP headers are used to uniquely identify client IP addresses for throttling. If the X-Forwarded-For header is present then it will be used, otherwise the value of the Remote-Addr header will be used. If you need to strictly identify unique client IP addresses, you'll need to first configure the number of application proxies that the API runs behind by setting the NUM_PROXIES setting. This setting should be an integer of zero or more. If set to non-zero then the client IP will be identified as being the last IP address in the X-Forwarded-For header, once any application proxy IP addresses have first been excluded. If set to zero, then the Remote-Addr header will always be used as the identifying IP address. It is important to understand that if you configure the NUM_PROXIES setting, then all clients behind a unique NAT'd gateway will be treated as a single client. Further context on how the X-Forwarded-For header works, and identifying a remote client IP can be found here .",
"text":"The throttle classes provided by REST framework use Django's cache backend. You should make sure that you've set appropriate cache settings . The default value of LocMemCache backend should be okay for simple setups. See Django's cache documentation for more details. If you need to use a cache other than 'default' , you can do so by creating a custom throttle class and setting the cache attribute. For example: class CustomAnonRateThrottle(AnonRateThrottle):\n cache = get_cache('alternate') You'll need to remember to also set your custom throttle class in the 'DEFAULT_THROTTLE_CLASSES' settings key, or using the throttle_classes view attribute.",
"text":"The AnonRateThrottle will only ever throttle unauthenticated users. The IP address of the incoming request is used to generate a unique key to throttle against. The allowed request rate is determined from one of the following (in order of preference). The rate property on the class, which may be provided by overriding AnonRateThrottle and setting the property. The DEFAULT_THROTTLE_RATES['anon'] setting. AnonRateThrottle is suitable if you want to restrict the rate of requests from unknown sources.",
"text":"The UserRateThrottle will throttle users to a given rate of requests across the API. The user id is used to generate a unique key to throttle against. Unauthenticated requests will fall back to using the IP address of the incoming request to generate a unique key to throttle against. The allowed request rate is determined from one of the following (in order of preference). The rate property on the class, which may be provided by overriding UserRateThrottle and setting the property. The DEFAULT_THROTTLE_RATES['user'] setting. An API may have multiple UserRateThrottles in place at the same time. To do so, override UserRateThrottle and set a unique \"scope\" for each class. For example, multiple user throttle rates could be implemented by using the following classes... class BurstRateThrottle(UserRateThrottle):\n scope = 'burst'\n\nclass SustainedRateThrottle(UserRateThrottle):\n scope = 'sustained' ...and the following settings. REST_FRAMEWORK = {\n 'DEFAULT_THROTTLE_CLASSES': (\n 'example.throttles.BurstRateThrottle',\n 'example.throttles.SustainedRateThrottle'\n ),\n 'DEFAULT_THROTTLE_RATES': {\n 'burst': '60/min',\n 'sustained': '1000/day'\n }\n} UserRateThrottle is suitable if you want simple global rate restrictions per-user.",
"text":"The ScopedRateThrottle class can be used to restrict access to specific parts of the API. This throttle will only be applied if the view that is being accessed includes a .throttle_scope property. The unique throttle key will then be formed by concatenating the \"scope\" of the request with the unique user id or IP address. The allowed request rate is determined by the DEFAULT_THROTTLE_RATES setting using a key from the request \"scope\". For example, given the following views... class ContactListView(APIView):\n throttle_scope = 'contacts'\n ...\n\nclass ContactDetailView(APIView):\n throttle_scope = 'contacts'\n ...\n\nclass UploadView(APIView):\n throttle_scope = 'uploads'\n ... ...and the following settings. REST_FRAMEWORK = {\n 'DEFAULT_THROTTLE_CLASSES': (\n 'rest_framework.throttling.ScopedRateThrottle',\n ),\n 'DEFAULT_THROTTLE_RATES': {\n 'contacts': '1000/day',\n 'uploads': '20/day'\n }\n} User requests to either ContactListView or ContactDetailView would be restricted to a total of 1000 requests per-day. User requests to UploadView would be restricted to 20 requests per day.",
"text":"To create a custom throttle, override BaseThrottle and implement .allow_request(self, request, view) . The method should return True if the request should be allowed, and False otherwise. Optionally you may also override the .wait() method. If implemented, .wait() should return a recommended number of seconds to wait before attempting the next request, or None . The .wait() method will only be called if .allow_request() has previously returned False . If the .wait() method is implemented and the request is throttled, then a Retry-After header will be included in the response.",
"text":"The following is an example of a rate throttle, that will randomly throttle 1 in every 10 requests. class RandomRateThrottle(throttling.BaseThrottle):\n def allow_request(self, request, view):\n return random.randint(1, 10) == 1",
"text":"Filtering\n\n\n\n\nThe root QuerySet provided by the Manager describes all objects in the database table. Usually, though, you'll need to select only a subset of the complete set of objects.\n\n\n \nDjango documentation\n\n\n\n\nThe default behavior of REST framework's generic list views is to return the entire queryset for a model manager. Often you will want your API to restrict the items that are returned by the queryset.\n\n\nThe simplest way to filter the queryset of any view that subclasses \nGenericAPIView\n is to override the \n.get_queryset()\n method.\n\n\nOverriding this method allows you to customize the queryset returned by the view in a number of different ways.\n\n\nFiltering against the current user\n\n\nYou might want to filter the queryset to ensure that only results relevant to the currently authenticated user making the request are returned.\n\n\nYou can do so by filtering based on the value of \nrequest.user\n.\n\n\nFor example:\n\n\nfrom myapp.models import Purchase\nfrom myapp.serializers import PurchaseSerializer\nfrom rest_framework import generics\n\nclass PurchaseList(generics.ListAPIView):\n serializer_class = PurchaseSerializer\n\n def get_queryset(self):\n \"\"\"\n This view should return a list of all the purchases\n for the currently authenticated user.\n \"\"\"\n user = self.request.user\n return Purchase.objects.filter(purchaser=user)\n\n\n\nFiltering against the URL\n\n\nAnother style of filtering might involve restricting the queryset based on some part of the URL.\n\n\nFor example if your URL config contained an entry like this:\n\n\nurl('^purchases/(?P\nusername\n.+)/$', PurchaseList.as_view()),\n\n\n\nYou could then write a view that returned a purchase queryset filtered by the username portion of the URL:\n\n\nclass PurchaseList(generics.ListAPIView):\n serializer_class = PurchaseSerializer\n\n def get_queryset(self):\n \"\"\"\n This view should return a list of all the purchases for\n the user as determined by the username portion of the URL.\n \"\"\"\n username = self.kwargs['username']\n return Purchase.objects.filter(purchaser__username=username)\n\n\n\nFiltering against query parameters\n\n\nA final example of filtering the initial queryset would be to determine the initial queryset based on query parameters in the url.\n\n\nWe can override \n.get_queryset()\n to deal with URLs such as \nhttp://example.com/api/purchases?username=denvercoder9\n, and filter the queryset only if the \nusername\n parameter is included in the URL:\n\n\nclass PurchaseList(generics.ListAPIView):\n serializer_class = PurchaseSerializer\n\n def get_queryset(self):\n \"\"\"\n Optionally restricts the returned purchases to a given user,\n by filtering against a `username` query parameter in the URL.\n \"\"\"\nqueryset=Purchase.objects.all()\nusername=self.request.query_params.get('username',None)\nifusernameisnotNone:\nqueryset=queryset.filter(purchaser__username=username)\nreturnqueryset\n\n\n\n\n\nGenericFiltering\n\n\nAswellasbeingabletooverridethedefaultqueryset,RESTframeworkalsoincludessupportforgenericfilteringbackendsthatallowyoutoeasilyconstructcomplexsearchesandfilters.\n\n\nGenericfilterscanalsopresentthemselvesasHTMLcontrolsinthebrowsableAPIandadminAPI.\n\n\n\n\nSettingfilterbackends\n\n\nThedefaultfilterbackendsmaybesetglobally,usingthe\nDEFAULT_FILTER_BACKENDS\nsetting.Forexample.\n\n\nREST_FRAMEWORK={\n'DEFAULT_FILTER_BACKENDS':('rest_framework.filters.DjangoFilterBackend',)\n}\n\n\n\nYoucanalsosetthefilterbackendsonaper-view,orper-viewsetbasis,\nusingthe\nGenericAPIView\nclassbasedviews.\n\n\nfromdjango.contrib.auth.modelsimportUser\nfrommyapp.serializersimportUserSerializer\nfromrest_frameworkimportfilters\nfromrest_frameworkimportgenerics\n\nclassUserListView(generics.ListAPIView):\n
"text":"The root QuerySet provided by the Manager describes all objects in the database table. Usually, though, you'll need to select only a subset of the complete set of objects. Django documentation The default behavior of REST framework's generic list views is to return the entire queryset for a model manager. Often you will want your API to restrict the items that are returned by the queryset. The simplest way to filter the queryset of any view that subclasses GenericAPIView is to override the .get_queryset() method. Overriding this method allows you to customize the queryset returned by the view in a number of different ways.",
"text":"You might want to filter the queryset to ensure that only results relevant to the currently authenticated user making the request are returned. You can do so by filtering based on the value of request.user . For example: from myapp.models import Purchase\nfrom myapp.serializers import PurchaseSerializer\nfrom rest_framework import generics\n\nclass PurchaseList(generics.ListAPIView):\n serializer_class = PurchaseSerializer\n\n def get_queryset(self):\n \"\"\"\n This view should return a list of all the purchases\n for the currently authenticated user.\n \"\"\"\n user = self.request.user\n return Purchase.objects.filter(purchaser=user)",
"text":"Another style of filtering might involve restricting the queryset based on some part of the URL. For example if your URL config contained an entry like this: url('^purchases/(?P username .+)/$', PurchaseList.as_view()), You could then write a view that returned a purchase queryset filtered by the username portion of the URL: class PurchaseList(generics.ListAPIView):\n serializer_class = PurchaseSerializer\n\n def get_queryset(self):\n \"\"\"\n This view should return a list of all the purchases for\n the user as determined by the username portion of the URL.\n \"\"\"\n username = self.kwargs['username']\n return Purchase.objects.filter(purchaser__username=username)",
"text":"A final example of filtering the initial queryset would be to determine the initial queryset based on query parameters in the url. We can override .get_queryset() to deal with URLs such as http://example.com/api/purchases?username=denvercoder9 , and filter the queryset only if the username parameter is included in the URL: class PurchaseList(generics.ListAPIView):\n serializer_class = PurchaseSerializer\n\n def get_queryset(self):\n \"\"\"\n Optionally restricts the returned purchases to a given user,\n by filtering against a `username` query parameter in the URL.\n \"\"\"\n queryset = Purchase.objects.all()\n username = self.request.query_params.get('username', None)\n if username is not None:\n queryset = queryset.filter(purchaser__username=username)\n return queryset",
"text":"As well as being able to override the default queryset, REST framework also includes support for generic filtering backends that allow you to easily construct complex searches and filters. Generic filters can also present themselves as HTML controls in the browsable API and admin API.",
"text":"The default filter backends may be set globally, using the DEFAULT_FILTER_BACKENDS setting. For example. REST_FRAMEWORK = {\n 'DEFAULT_FILTER_BACKENDS': ('rest_framework.filters.DjangoFilterBackend',)\n} You can also set the filter backends on a per-view, or per-viewset basis,\nusing the GenericAPIView class based views. from django.contrib.auth.models import User\nfrom myapp.serializers import UserSerializer\nfrom rest_framework import filters\nfrom rest_framework import generics\n\nclass UserListView(generics.ListAPIView):\n queryset = User.objects.all()\n serializer = UserSerializer\n filter_backends = (filters.DjangoFilterBackend,)",
"text":"Note that if a filter backend is configured for a view, then as well as being used to filter list views, it will also be used to filter the querysets used for returning a single object. For instance, given the previous example, and a product with an id of 4675 , the following URL would either return the corresponding object, or return a 404 response, depending on if the filtering conditions were met by the given product instance: http://example.com/api/products/4675/?category=clothing max_price=10.00",
"text":"Note that you can use both an overridden .get_queryset() and generic filtering together, and everything will work as expected. For example, if Product had a many-to-many relationship with User , named purchase , you might want to write a view like this: class PurchasedProductsList(generics.ListAPIView):\n \"\"\"\n Return a list of all the products that the authenticated\n user has ever purchased, with optional filtering.\n \"\"\"\n model = Product\n serializer_class = ProductSerializer\n filter_class = ProductFilter\n\n def get_queryset(self):\n user = self.request.user\n return user.purchase_set.all()",
"text":"The DjangoFilterBackend class supports highly customizable field filtering, using the django-filter package . To use REST framework's DjangoFilterBackend , first install django-filter . pip install django-filter If you are using the browsable API or admin API you may also want to install django-crispy-forms , which will enhance the presentation of the filter forms in HTML views, by allowing them to render Bootstrap 3 HTML. pip install django-crispy-forms With crispy forms installed and added to Django's INSTALLED_APPS , the browsable API will present a filtering control for DjangoFilterBackend , like so: Specifying filter fields If all you need is simple equality-based filtering, you can set a filter_fields attribute on the view, or viewset, listing the set of fields you wish to filter against. class ProductList(generics.ListAPIView):\n queryset = Product.objects.all()\n serializer_class = ProductSerializer\n filter_backends = (filters.DjangoFilterBackend,)\n filter_fields = ('category', 'in_stock') This will automatically create a FilterSet class for the given fields, and will allow you to make requests such as: http://example.com/api/products?category=clothing in_stock=True Specifying a FilterSet For more advanced filtering requirements you can specify a FilterSet class that should be used by the view. For example: import django_filters\nfrom myapp.models import Product\nfrom myapp.serializers import ProductSerializer\nfrom rest_framework import filters\nfrom rest_framework import generics\n\nclass ProductFilter(filters.FilterSet):\n min_price = django_filters.NumberFilter(name=\"price\", lookup_type='gte')\n max_price = django_filters.NumberFilter(name=\"price\", lookup_type='lte')\n class Meta:\n model = Product\n fields = ['category', 'in_stock', 'min_price', 'max_price']\n\nclass ProductList(generics.ListAPIView):\n queryset = Product.objects.all()\n serializer_class = ProductSerializer\n filter_backends = (filters.DjangoFilterBackend,)\n filter_class = ProductFilter Which will allow you to make requests such as: http://example.com/api/products?category=clothing max_price=10.00 You can also span relationships using django-filter , let's assume that each\nproduct has foreign key to Manufacturer model, so we create filter that\nfilters using Manufacturer name. For example: from myapp.models import Product\nfrom myapp.serializers import ProductSerializer\nfrom rest_framework import filters\nfrom rest_framework import generics\n\nclass ProductFilter(filters.FilterSet):\n class Meta:\n model = Product\n fields = ['category', 'in_stock', 'manufacturer__name'] This enables us to make queries like: http://example.com/api/products?manufacturer__name=foo This is nice, but it exposes the Django's double underscore convention as part of the API. If you instead want to explicitly name the filter argument you can instead explicitly include it on the FilterSet class: import django_filters\nfrom myapp.models import Product\nfrom myapp.serializers import ProductSerializer\nfrom rest_framework import filters\nfrom rest_framework import generics\n\nclass ProductFilter(filters.FilterSet):\n manufacturer = django_filters.CharFilter(name=\"manufacturer__name\")\n\nclassMeta:\nmodel=Product\nfields=['category','in_stock','manufacturer']Andnowyoucanexecute:http://example.com/api/products?manufacturer=foo For more details on using filter sets see the django-filter documentation . Hints Tips By default filtering is not enabled. If you want to use DjangoFilterBackend remember to make sure it is installed by using the 'DEFAULT_FILTER_BACKENDS' setting. When using boolean fields, you should use the values True and False in the URL query parameters, rather than 0 , 1 , true or false . (The allowed boolean values are currently hardwired in Django's NullBooleanSelect implementation .) django-filter supports filtering across relationships, using Django's
"text":"The SearchFilter class supports simple single query parameter based searching, and is based on the Django admin's search functionality . When in use, the browsable API will include a SearchFilter control: The SearchFilter class will only be applied if the view has a search_fields attribute set. The search_fields attribute should be a list of names of text type fields on the model, such as CharField or TextField . class UserListView(generics.ListAPIView):\n queryset = User.objects.all()\n serializer = UserSerializer\n filter_backends = (filters.SearchFilter,)\n search_fields = ('username', 'email') This will allow the client to filter the items in the list by making queries such as: http://example.com/api/users?search=russell You can also perform a related lookup on a ForeignKey or ManyToManyField with the lookup API double-underscore notation: search_fields = ('username', 'email', 'profile__profession') By default, searches will use case-insensitive partial matches. The search parameter may contain multiple search terms, which should be whitespace and/or comma separated. If multiple search terms are used then objects will be returned in the list only if all the provided terms are matched. The search behavior may be restricted by prepending various characters to the search_fields . '^' Starts-with search. '=' Exact matches. '@' Full-text search. (Currently only supported Django's MySQL backend.) '$' Regex search. For example: search_fields = ('=username', '=email') By default, the search parameter is named 'search ', but this may be overridden with the SEARCH_PARAM setting. For more details, see the Django documentation .",
"text":"The OrderingFilter class supports simple query parameter controlled ordering of results. By default, the query parameter is named 'ordering' , but this may by overridden with the ORDERING_PARAM setting. For example, to order users by username: http://example.com/api/users?ordering=username The client may also specify reverse orderings by prefixing the field name with '-', like so: http://example.com/api/users?ordering=-username Multiple orderings may also be specified: http://example.com/api/users?ordering=account,username Specifying which fields may be ordered against It's recommended that you explicitly specify which fields the API should allowing in the ordering filter. You can do this by setting an ordering_fields attribute on the view, like so: class UserListView(generics.ListAPIView):\n queryset = User.objects.all()\n serializer_class = UserSerializer\n filter_backends = (filters.OrderingFilter,)\n ordering_fields = ('username', 'email') This helps prevent unexpected data leakage, such as allowing users to order against a password hash field or other sensitive data. If you don't specify an ordering_fields attribute on the view, the filter class will default to allowing the user to filter on any readable fields on the serializer specified by the serializer_class attribute. If you are confident that the queryset being used by the view doesn't contain any sensitive data, you can also explicitly specify that a view should allow ordering on any model field or queryset aggregate, by using the special value '__all__' . class BookingsListView(generics.ListAPIView):\n queryset = Booking.objects.all()\n serializer_class = BookingSerializer\n filter_backends = (filters.OrderingFilter,)\n ordering_fields = '__all__' Specifying a default ordering If an ordering attribute is set on the view, this will be used as the default ordering. Typically you'd instead control this by setting order_by on the initial queryset, but using the ordering parameter on the view allows you to specify the ordering in a way that it can then be passed automatically as context to a rendered template. This makes it possible to automatically render column headers differently if they are being used to order the results. class UserListView(generics.ListAPIView):\n queryset = User.objects.all()\n serializer_class = UserSerializer\n filter_backends = (filters.OrderingFilter,)\n ordering_fields = ('username', 'email')\n ordering = ('username',) The ordering attribute may be either a string or a list/tuple of strings.",
"text":"The DjangoObjectPermissionsFilter is intended to be used together with the django-guardian package, with custom 'view' permissions added. The filter will ensure that querysets only returns objects for which the user has the appropriate view permission. If you're using DjangoObjectPermissionsFilter , you'll probably also want to add an appropriate object permissions class, to ensure that users can only operate on instances if they have the appropriate object permissions. The easiest way to do this is to subclass DjangoObjectPermissions and add 'view' permissions to the perms_map attribute. A complete example using both DjangoObjectPermissionsFilter and DjangoObjectPermissions might look something like this. permissions.py : class CustomObjectPermissions(permissions.DjangoObjectPermissions):\n \"\"\"\n Similar to `DjangoObjectPermissions`, but adding 'view' permissions.\n \"\"\"\n perms_map = {\n 'GET': ['%(app_label)s.view_%(model_name)s'],\n 'OPTIONS': ['%(app_label)s.view_%(model_name)s'],\n 'HEAD': ['%(app_label)s.view_%(model_name)s'],\n 'POST': ['%(app_label)s.add_%(model_name)s'],\n 'PUT': ['%(app_label)s.change_%(model_name)s'],\n 'PATCH': ['%(app_label)s.change_%(model_name)s'],\n 'DELETE': ['%(app_label)s.delete_%(model_name)s'],\n } views.py : class EventViewSet(viewsets.ModelViewSet):\n \"\"\"\n Viewset that only lists events if user has 'view' permissions, and only\n allows operations on individual events if user has appropriate 'view', 'add',\n 'change' or 'delete' permissions.\n \"\"\"\n queryset = Event.objects.all()\n serializer = EventSerializer\n filter_backends = (filters.DjangoObjectPermissionsFilter,)\n permission_classes = (myapp.permissions.CustomObjectPermissions,) For more information on adding 'view' permissions for models, see the relevant section of the django-guardian documentation, and this blogpost .",
"text":"You can also provide your own generic filtering backend, or write an installable app for other developers to use. To do so override BaseFilterBackend , and override the .filter_queryset(self, request, queryset, view) method. The method should return a new, filtered queryset. As well as allowing clients to perform searches and filtering, generic filter backends can be useful for restricting which objects should be visible to any given request or user.",
"title":"Custom generic filtering"
},
{
"location":"/api-guide/filtering/#example",
"text":"For example, you might need to restrict users to only being able to see objects they created. class IsOwnerFilterBackend(filters.BaseFilterBackend):\n \"\"\"\n Filter that only allows users to see their own objects.\n \"\"\"\n def filter_queryset(self, request, queryset, view):\n return queryset.filter(owner=request.user) We could achieve the same behavior by overriding get_queryset() on the views, but using a filter backend allows you to more easily add this restriction to multiple views, or to apply it across the entire API.",
"text":"Generic filters may also present an interface in the browsable API. To do so you should implement a to_html() method which returns a rendered HTML representation of the filter. This method should have the following signature: to_html(self, request, queryset, view) The method should return a rendered HTML string.",
"text":"The django-rest-framework-filters package works together with the DjangoFilterBackend class, and allows you to easily create filters across relationships, or create multiple filter lookup types for a given field.",
"text":"django-url-filter provides a safe way to filter data via human-friendly URLs. It works very similar to DRF serializers and fields in a sense that they can be nested except they are called filtersets and filters. That provides easy way to filter related data. Also this library is generic-purpose so it can be used to filter other sources of data and not only Django QuerySet s.",
"text":"Pagination\n\n\n\n\nDjango provides a few classes that help you manage paginated data \u2013 that is, data that\u2019s split across several pages, with \u201cPrevious/Next\u201d links.\n\n\n \nDjango documentation\n\n\n\n\nREST framework includes support for customizable pagination styles. This allows you to modify how large result sets are split into individual pages of data.\n\n\nThe pagination API can support either:\n\n\n\n\nPagination links that are provided as part of the content of the response.\n\n\nPagination links that are included in response headers, such as \nContent-Range\n or \nLink\n.\n\n\n\n\nThe built-in styles currently all use links included as part of the content of the response. This style is more accessible when using the browsable API.\n\n\nPagination is only performed automatically if you're using the generic views or viewsets. If you're using a regular \nAPIView\n, you'll need to call into the pagination API yourself to ensure you return a paginated response. See the source code for the \nmixins.ListModelMixin\n and \ngenerics.GenericAPIView\n classes for an example.\n\n\nPagination can be turned off by setting the pagination class to \nNone\n.\n\n\nSetting the pagination style\n\n\nThe default pagination style may be set globally, using the \nDEFAULT_PAGINATION_CLASS\n settings key. For example, to use the built-in limit/offset pagination, you would do:\n\n\nREST_FRAMEWORK = {\n 'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.LimitOffsetPagination'\n}\n\n\n\nYou can also set the pagination class on an individual view by using the \npagination_class\n attribute. Typically you'll want to use the same pagination style throughout your API, although you might want to vary individual aspects of the pagination, such as default or maximum page size, on a per-view basis.\n\n\nModifying the pagination style\n\n\nIf you want to modify particular aspects of the pagination style, you'll want to override one of the pagination classes, and set the attributes that you want to change.\n\n\nclass LargeResultsSetPagination(PageNumberPagination):\n page_size = 1000\n page_size_query_param = 'page_size'\n max_page_size = 10000\n\nclass StandardResultsSetPagination(PageNumberPagination):\n page_size = 100\n page_size_query_param = 'page_size'\n max_page_size = 1000\n\n\n\nYou can then apply your new style to a view using the \n.pagination_class\n attribute:\n\n\nclass BillingRecordsView(generics.ListAPIView):\n queryset = Billing.objects.all()\n serializer = BillingRecordsSerializer\n pagination_class = LargeResultsSetPagination\n\n\n\nOr apply the style globally, using the \nDEFAULT_PAGINATION_CLASS\n settings key. For example:\n\n\nREST_FRAMEWORK = {\n 'DEFAULT_PAGINATION_CLASS': 'apps.core.pagination.StandardResultsSetPagination'\n}\n\n\n\n\n\nAPI Reference\n\n\nPageNumberPagination\n\n\nThis pagination style accepts a single number page number in the request query parameters.\n\n\nRequest\n:\n\n\nGET https://api.example.org/accounts/?page=4\n\n\n\nResponse\n:\n\n\nHTTP 200 OK\n{\n \"count\": 1023\n \"next\": \"https://api.example.org/accounts/?page=5\",\n \"previous\": \"https://api.example.org/accounts/?page=3\",\n \"results\":[\n\u2026\n]\n}\n\n\n\nSetup\n\n\nToenablethe\nPageNumberPagination\nstyleglobally,usethefollowingconfiguration,modifyingthe\nPAGE_SIZE\nasdesired:\n\n\nREST_FRAMEWORK={\n'DEFAULT_PAGINATION_CLASS':'rest_framework.pagination.PageNumberPagination',\n'PAGE_SIZE':100\n}\n\n\n\nOn\nGenericAPIView\nsubclassesyoumayalsosetthe\npagination_class\nattributetoselect\nPageNumberPagination\nonaper-viewbasis.\n\n\nConfiguration\n\n\nThe\nPageNumberPagination\nclassincludesanumberofattributesthatmaybeoverriddentomodifythepaginationstyle.\n\n\nTosettheseattributesyoushouldoverridethe\nPageNumberPagination\nclass,andthenenableyourcustompaginationclassasabove.\n\n\n\n\ndjango_paginator_class\n-TheDjangoPaginatorclasstouse.Defaultis\ndja
"text":"Django provides a few classes that help you manage paginated data \u2013 that is, data that\u2019s split across several pages, with \u201cPrevious/Next\u201d links. Django documentation REST framework includes support for customizable pagination styles. This allows you to modify how large result sets are split into individual pages of data. The pagination API can support either: Pagination links that are provided as part of the content of the response. Pagination links that are included in response headers, such as Content-Range or Link . The built-in styles currently all use links included as part of the content of the response. This style is more accessible when using the browsable API. Pagination is only performed automatically if you're using the generic views or viewsets. If you're using a regular APIView , you'll need to call into the pagination API yourself to ensure you return a paginated response. See the source code for the mixins.ListModelMixin and generics.GenericAPIView classes for an example. Pagination can be turned off by setting the pagination class to None .",
"text":"The default pagination style may be set globally, using the DEFAULT_PAGINATION_CLASS settings key. For example, to use the built-in limit/offset pagination, you would do: REST_FRAMEWORK = {\n 'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.LimitOffsetPagination'\n} You can also set the pagination class on an individual view by using the pagination_class attribute. Typically you'll want to use the same pagination style throughout your API, although you might want to vary individual aspects of the pagination, such as default or maximum page size, on a per-view basis.",
"text":"If you want to modify particular aspects of the pagination style, you'll want to override one of the pagination classes, and set the attributes that you want to change. class LargeResultsSetPagination(PageNumberPagination):\n page_size = 1000\n page_size_query_param = 'page_size'\n max_page_size = 10000\n\nclass StandardResultsSetPagination(PageNumberPagination):\n page_size = 100\n page_size_query_param = 'page_size'\n max_page_size = 1000 You can then apply your new style to a view using the .pagination_class attribute: class BillingRecordsView(generics.ListAPIView):\n queryset = Billing.objects.all()\n serializer = BillingRecordsSerializer\n pagination_class = LargeResultsSetPagination Or apply the style globally, using the DEFAULT_PAGINATION_CLASS settings key. For example: REST_FRAMEWORK = {\n 'DEFAULT_PAGINATION_CLASS': 'apps.core.pagination.StandardResultsSetPagination'\n}",
"text":"This pagination style accepts a single number page number in the request query parameters. Request : GET https://api.example.org/accounts/?page=4 Response : HTTP 200 OK\n{\n \"count\": 1023\n \"next\": \"https://api.example.org/accounts/?page=5\",\n \"previous\": \"https://api.example.org/accounts/?page=3\",\n \"results\": [\n \u2026\n ]\n} Setup To enable the PageNumberPagination style globally, use the following configuration, modifying the PAGE_SIZE as desired: REST_FRAMEWORK = {\n 'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',\n 'PAGE_SIZE': 100\n} On GenericAPIView subclasses you may also set the pagination_class attribute to select PageNumberPagination on a per-view basis. Configuration The PageNumberPagination class includes a number of attributes that may be overridden to modify the pagination style. To set these attributes you should override the PageNumberPagination class, and then enable your custom pagination class as above. django_paginator_class - The Django Paginator class to use. Default is django.core.paginator.Paginator , which should be fine for most use cases. page_size - A numeric value indicating the page size. If set, this overrides the PAGE_SIZE setting. Defaults to the same value as the PAGE_SIZE settings key. page_query_param - A string value indicating the name of the query parameter to use for the pagination control. page_size_query_param - If set, this is a string value indicating the name of a query parameter that allows the client to set the page size on a per-request basis. Defaults to None , indicating that the client may not control the requested page size. max_page_size - If set, this is a numeric value indicating the maximum allowable requested page size. This attribute is only valid if page_size_query_param is also set. last_page_strings - A list or tuple of string values indicating values that may be used with the page_query_param to request the final page in the set. Defaults to ('last',) template - The name of a template to use when rendering pagination controls in the browsable API. May be overridden to modify the rendering style, or set to None to disable HTML pagination controls completely. Defaults to \"rest_framework/pagination/numbers.html\" .",
"text":"This pagination style mirrors the syntax used when looking up multiple database records. The client includes both a \"limit\" and an \n\"offset\" query parameter. The limit indicates the maximum number of items to return, and is equivalent to the page_size in other styles. The offset indicates the starting position of the query in relation to the complete set of unpaginated items. Request : GET https://api.example.org/accounts/?limit=100 offset=400 Response : HTTP 200 OK\n{\n \"count\": 1023\n \"next\": \"https://api.example.org/accounts/?limit=100 offset=500\",\n \"previous\": \"https://api.example.org/accounts/?limit=100 offset=300\",\n \"results\": [\n \u2026\n ]\n} Setup To enable the LimitOffsetPagination style globally, use the following configuration: REST_FRAMEWORK = {\n 'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.LimitOffsetPagination'\n} Optionally, you may also set a PAGE_SIZE key. If the PAGE_SIZE parameter is also used then the limit query parameter will be optional, and may be omitted by the client. On GenericAPIView subclasses you may also set the pagination_class attribute to select LimitOffsetPagination on a per-view basis. Configuration The LimitOffsetPagination class includes a number of attributes that may be overridden to modify the pagination style. To set these attributes you should override the LimitOffsetPagination class, and then enable your custom pagination class as above. default_limit - A numeric value indicating the limit to use if one is not provided by the client in a query parameter. Defaults to the same value as the PAGE_SIZE settings key. limit_query_param - A string value indicating the name of the \"limit\" query parameter. Defaults to 'limit' . offset_query_param - A string value indicating the name of the \"offset\" query parameter. Defaults to 'offset' . max_limit - If set this is a numeric value indicating the maximum allowable limit that may be requested by the client. Defaults to None . template - The name of a template to use when rendering pagination controls in the browsable API. May be overridden to modify the rendering style, or set to None to disable HTML pagination controls completely. Defaults to \"rest_framework/pagination/numbers.html\" .",
"text":"The cursor-based pagination presents an opaque \"cursor\" indicator that the client may use to page through the result set. This pagination style only presents forward and reverse controls, and does not allow the client to navigate to arbitrary positions. Cursor based pagination requires that there is a unique, unchanging ordering of items in the result set. This ordering might typically be a creation timestamp on the records, as this presents a consistent ordering to paginate against. Cursor based pagination is more complex than other schemes. It also requires that the result set presents a fixed ordering, and does not allow the client to arbitrarily index into the result set. However it does provide the following benefits: Provides a consistent pagination view. When used properly CursorPagination ensures that the client will never see the same item twice when paging through records, even when new items are being inserted by other clients during the pagination process. Supports usage with very large datasets. With extremely large datasets pagination using offset-based pagination styles may become inefficient or unusable. Cursor based pagination schemes instead have fixed-time properties, and do not slow down as the dataset size increases. Details and limitations Proper use of cursor based pagination requires a little attention to detail. You'll need to think about what ordering you want the scheme to be applied against. The default is to order by \"-created\" . This assumes that there must be a 'created' timestamp field on the model instances, and will present a \"timeline\" style paginated view, with the most recently added items first. You can modify the ordering by overriding the 'ordering' attribute on the pagination class, or by using the OrderingFilter filter class together with CursorPagination . When used with OrderingFilter you should strongly consider restricting the fields that the user may order by. Proper usage of cursor pagination should have an ordering field that satisfies the following: Should be an unchanging value, such as a timestamp, slug, or other field that is only set once, on creation. Should be unique, or nearly unique. Millisecond precision timestamps are a good example. This implementation of cursor pagination uses a smart \"position plus offset\" style that allows it to properly support not-strictly-unique values as the ordering. Should be a non-nullable value that can be coerced to a string. The field should have a database index. Using an ordering field that does not satisfy these constraints will generally still work, but you'll be losing some of the benefits of cursor pagination. For more technical details on the implementation we use for cursor pagination, the \"Building cursors for the Disqus API\" blog post gives a good overview of the basic approach. Setup To enable the CursorPagination style globally, use the following configuration, modifying the PAGE_SIZE as desired: REST_FRAMEWORK = {\n 'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.CursorPagination',\n 'PAGE_SIZE': 100\n} On GenericAPIView subclasses you may also set the pagination_class attribute to select CursorPagination on a per-view basis. Configuration The CursorPagination class includes a number of attributes that may be overridden to modify the pagination style. To set these attributes you should override the CursorPagination class, and then enable your custom pagination class as above. page_size = A numeric value indicating the page size. If set, this overrides the PAGE_SIZE setting. Defaults to the same value as the PAGE_SIZE settings key. cursor_query_param = A string value indicating the name of the \"cursor\"queryparameter.Defaultsto'cursor'.ordering=Thisshouldbeastring,orlistofstrings,indicatingthefieldagainstwhichthecursorbasedpaginationwillbeapplied.Forexample:ordering='slug'.Defaultsto-created.ThisvaluemayalsobeoverriddenbyusingOrderingFilterontheview.templ
"text":"To create a custom pagination serializer class you should subclass pagination.BasePagination and override the paginate_queryset(self, queryset, request, view=None) and get_paginated_response(self, data) methods: The paginate_queryset method is passed the initial queryset and should return an iterable object that contains only the data in the requested page. The get_paginated_response method is passed the serialized page data and should return a Response instance. Note that the paginate_queryset method may set state on the pagination instance, that may later be used by the get_paginated_response method.",
"title":"Custom pagination styles"
},
{
"location":"/api-guide/pagination/#example",
"text":"Suppose we want to replace the default pagination output style with a modified format that includes the next and previous links under in a nested 'links' key. We could specify a custom pagination class like so: class CustomPagination(pagination.PageNumberPagination):\n def get_paginated_response(self, data):\n return Response({\n 'links': {\n 'next': self.get_next_link(),\n 'previous': self.get_previous_link()\n },\n 'count': self.page.paginator.count,\n 'results': data\n }) We'd then need to setup the custom class in our configuration: REST_FRAMEWORK = {\n 'DEFAULT_PAGINATION_CLASS': 'my_project.apps.core.pagination.CustomPagination',\n 'PAGE_SIZE': 100\n} Note that if you care about how the ordering of keys is displayed in responses in the browsable API you might choose to use an OrderedDict when constructing the body of paginated responses, but this is optional.",
"text":"Let's modify the built-in PageNumberPagination style, so that instead of include the pagination links in the body of the response, we'll instead include a Link header, in a similar style to the GitHub API . class LinkHeaderPagination(pagination.PageNumberPagination):\n def get_paginated_response(self, data):\n next_url = self.get_next_link()\n previous_url = self.get_previous_link()\n\n if next_url is not None and previous_url is not None:\n link = ' {next_url} ; rel=\"next\", {previous_url} ; rel=\"prev\"'\n elif next_url is not None:\n link = ' {next_url} ; rel=\"next\"'\n elif previous_url is not None:\n link = ' {previous_url} ; rel=\"prev\"'\n else:\n link = ''\n\n link = link.format(next_url=next_url, previous_url=previous_url)\n headers = {'Link': link} if link else {}\n\n return Response(data, headers=headers)",
"text":"To have your custom pagination class be used by default, use the DEFAULT_PAGINATION_CLASS setting: REST_FRAMEWORK = {\n 'DEFAULT_PAGINATION_CLASS': 'my_project.apps.core.pagination.LinkHeaderPagination',\n 'PAGE_SIZE': 100\n} API responses for list endpoints will now include a Link header, instead of including the pagination links as part of the body of the response, for example: A custom pagination style, using the 'Link' header'",
"text":"By default using the pagination classes will cause HTML pagination controls to be displayed in the browsable API. There are two built-in display styles. The PageNumberPagination and LimitOffsetPagination classes display a list of page numbers with previous and next controls. The CursorPagination class displays a simpler style that only displays a previous and next control.",
"text":"You can override the templates that render the HTML pagination controls. The two built-in styles are: rest_framework/pagination/numbers.html rest_framework/pagination/previous_and_next.html Providing a template with either of these paths in a global template directory will override the default rendering for the relevant pagination classes. Alternatively you can disable HTML pagination controls completely by subclassing on of the existing classes, setting template = None as an attribute on the class. You'll then need to configure your DEFAULT_PAGINATION_CLASS settings key to use your custom class as the default pagination style. Low-level API The low-level API for determining if a pagination class should display the controls or not is exposed as a display_page_controls attribute on the pagination instance. Custom pagination classes should be set to True in the paginate_queryset method if they require the HTML pagination controls to be displayed. The .to_html() and .get_html_context() methods may also be overridden in a custom pagination class in order to further customize how the controls are rendered.",
"text":"The DRF-extensions package includes a PaginateByMaxMixin mixin class that allows your API clients to specify ?page_size=max to obtain the maximum allowed page size.",
"text":"Versioning\n\n\n\n\nVersioning an interface is just a \"polite\"waytokilldeployedclients.\n\n\n\nRoyFielding\n.\n\n\n\n\nAPIversioningallowsyoutoalterbehaviorbetweendifferentclients.RESTframeworkprovidesforanumberofdifferentversioningschemes.\n\n\nVersioningisdeterminedbytheincomingclientrequest,andmayeitherbebasedontherequestURL,orbasedontherequestheaders.\n\n\nThereareanumberofvalidapproachestoapproachingversioning.\nNon-versionedsystemscanalsobeappropriate\n,particularlyifyou'reengineeringforverylong-termsystemswithmultipleclientsoutsideofyourcontrol.\n\n\nVersioningwithRESTframework\n\n\nWhenAPIversioningisenabled,the\nrequest.version\nattributewillcontainastringthatcorrespondstotheversionrequestedintheincomingclientrequest.\n\n\nBydefault,versioningisnotenabled,and\nrequest.version\nwillalwaysreturn\nNone\n.\n\n\nVaryingbehaviorbasedontheversion\n\n\nHowyouvarytheAPIbehaviorisuptoyou,butoneexampleyoumighttypicallywantistoswitchtoadifferentserializationstyleinanewerversion.Forexample:\n\n\ndefget_serializer_class(self):\nifself.request.version=='v1':\nreturnAccountSerializerVersion1\nreturnAccountSerializer\n\n\n\nReversingURLsforversionedAPIs\n\n\nThe\nreverse\nfunctionincludedbyRESTframeworktiesinwiththeversioningscheme.Youneedtomakesuretoincludethecurrent\nrequest\nasakeywordargument,likeso.\n\n\nfromrest_framework.reverseimportreverse\n\nreverse('bookings-list',request=request)\n\n\n\nTheabovefunctionwillapplyanyURLtransformationsappropriatetotherequestversion.Forexample:\n\n\n\n\nIf\nNamespacedVersioning\nwasbeingused,andtheAPIversionwas'v1',thentheURLlookupusedwouldbe\n'v1:bookings-list'\n,whichmightresolvetoaURLlike\nhttp://example.org/v1/bookings/\n.\n\n\nIf \nQueryParameterVersioning\n was being used, and the API version was \n1.0\n, then the returned URL might be something like \nhttp://example.org/bookings/?version=1.0\n\n\n\n\nVersioned APIs and hyperlinked serializers\n\n\nWhen using hyperlinked serialization styles together with a URL based versioning scheme make sure to include the request as context to the serializer.\n\n\ndef get(self, request):\n queryset = Booking.objects.all()\n serializer = BookingsSerializer(queryset, many=True, context={'request': request})\n return Response({'all_bookings': serializer.data})\n\n\n\nDoing so will allow any returned URLs to include the appropriate versioning.\n\n\nConfiguring the versioning scheme\n\n\nThe versioning scheme is defined by the \nDEFAULT_VERSIONING_CLASS\n settings key.\n\n\nREST_FRAMEWORK = {\n 'DEFAULT_VERSIONING_CLASS': 'rest_framework.versioning.NamespaceVersioning'\n}\n\n\n\nUnless it is explicitly set, the value for \nDEFAULT_VERSIONING_CLASS\n will be \nNone\n. In this case the \nrequest.version\n attribute will always return \nNone\n.\n\n\nYou can also set the versioning scheme on an individual view. Typically you won't need to do this, as it makes more sense to have a single versioning scheme used globally. If you do need to do so, use the \nversioning_class\n attribute.\n\n\nclass ProfileList(APIView):\n versioning_class = versioning.QueryParameterVersioning\n\n\n\nOther versioning settings\n\n\nThe following settings keys are also used to control versioning:\n\n\n\n\nDEFAULT_VERSION\n. The value that should be used for \nrequest.version\n when no versioning information is present. Defaults to \nNone\n.\n\n\nALLOWED_VERSIONS\n. If set, this value will restrict the set of versions that may be returned by the versioning scheme, and will raise an error if the provided version if not in this set. Note that the value used for the \nDEFAULT_VERSION\n setting is always considered to be part of the \nALLOWED_VERSIONS\n set. Defaults to \nNone\n.\n\n\nVERSION_PARAM\n. The string that should used for any versioning parameters, such as in the media type or URL query para
"text":"Versioning an interface is just a \"polite\" way to kill deployed clients. Roy Fielding . API versioning allows you to alter behavior between different clients. REST framework provides for a number of different versioning schemes. Versioning is determined by the incoming client request, and may either be based on the request URL, or based on the request headers. There are a number of valid approaches to approaching versioning. Non-versioned systems can also be appropriate , particularly if you're engineering for very long-term systems with multiple clients outside of your control.",
"text":"When API versioning is enabled, the request.version attribute will contain a string that corresponds to the version requested in the incoming client request. By default, versioning is not enabled, and request.version will always return None . Varying behavior based on the version How you vary the API behavior is up to you, but one example you might typically want is to switch to a different serialization style in a newer version. For example: def get_serializer_class(self):\n if self.request.version == 'v1':\n return AccountSerializerVersion1\n return AccountSerializer Reversing URLs for versioned APIs The reverse function included by REST framework ties in with the versioning scheme. You need to make sure to include the current request as a keyword argument, like so. from rest_framework.reverse import reverse\n\nreverse('bookings-list', request=request) The above function will apply any URL transformations appropriate to the request version. For example: If NamespacedVersioning was being used, and the API version was 'v1', then the URL lookup used would be 'v1:bookings-list' , which might resolve to a URL like http://example.org/v1/bookings/ . If QueryParameterVersioning was being used, and the API version was 1.0 , then the returned URL might be something like http://example.org/bookings/?version=1.0 Versioned APIs and hyperlinked serializers When using hyperlinked serialization styles together with a URL based versioning scheme make sure to include the request as context to the serializer. def get(self, request):\n queryset = Booking.objects.all()\n serializer = BookingsSerializer(queryset, many=True, context={'request': request})\n return Response({'all_bookings': serializer.data}) Doing so will allow any returned URLs to include the appropriate versioning.",
"text":"The versioning scheme is defined by the DEFAULT_VERSIONING_CLASS settings key. REST_FRAMEWORK = {\n 'DEFAULT_VERSIONING_CLASS': 'rest_framework.versioning.NamespaceVersioning'\n} Unless it is explicitly set, the value for DEFAULT_VERSIONING_CLASS will be None . In this case the request.version attribute will always return None . You can also set the versioning scheme on an individual view. Typically you won't need to do this, as it makes more sense to have a single versioning scheme used globally. If you do need to do so, use the versioning_class attribute. class ProfileList(APIView):\n versioning_class = versioning.QueryParameterVersioning Other versioning settings The following settings keys are also used to control versioning: DEFAULT_VERSION . The value that should be used for request.version when no versioning information is present. Defaults to None . ALLOWED_VERSIONS . If set, this value will restrict the set of versions that may be returned by the versioning scheme, and will raise an error if the provided version if not in this set. Note that the value used for the DEFAULT_VERSION setting is always considered to be part of the ALLOWED_VERSIONS set. Defaults to None . VERSION_PARAM . The string that should used for any versioning parameters, such as in the media type or URL query parameters. Defaults to 'version' . You can also set your versioning class plus those three values on a per-view or a per-viewset basis by defining your own versioning scheme and using the default_version , allowed_versions and version_param class variables. For example, if you want to use URLPathVersioning : from rest_framework.versioning import URLPathVersioning\nfrom rest_framework.views import APIView\n\nclass ExampleVersioning(URLPathVersioning):\n default_version = ...\n allowed_versions = ...\n version_param = ...\n\nclass ExampleView(APIVIew):\n versioning_class = ExampleVersioning",
"text":"This scheme requires the client to specify the version as part of the media type in the Accept header. The version is included as a media type parameter, that supplements the main media type. Here's an example HTTP request using the accept header versioning style. GET /bookings/ HTTP/1.1\nHost: example.com\nAccept: application/json; version=1.0 In the example request above request.version attribute would return the string '1.0' . Versioning based on accept headers is generally considered as best practice , although other styles may be suitable depending on your client requirements. Using accept headers with vendor media types Strictly speaking the json media type is not specified as including additional parameters . If you are building a well-specified public API you might consider using a vendor media type . To do so, configure your renderers to use a JSON based renderer with a custom media type: class BookingsAPIRenderer(JSONRenderer):\n media_type = 'application/vnd.megacorp.bookings+json' Your client requests would now look like this: GET /bookings/ HTTP/1.1\nHost: example.com\nAccept: application/vnd.megacorp.bookings+json; version=1.0",
"text":"This scheme requires the client to specify the version as part of the URL path. GET /v1/bookings/ HTTP/1.1\nHost: example.com\nAccept: application/json Your URL conf must include a pattern that matches the version with a 'version' keyword argument, so that this information is available to the versioning scheme. urlpatterns = [\n url(\n r'^(?P version (v1|v2))/bookings/$',\n bookings_list,\n name='bookings-list'\n ),\n url(\n r'^(?P version (v1|v2))/bookings/(?P pk [0-9]+)/$',\n bookings_detail,\n name='bookings-detail'\n )\n]",
"text":"To the client, this scheme is the same as URLPathVersioning . The only difference is how it is configured in your Django application, as it uses URL namespacing, instead of URL keyword arguments. GET /v1/something/ HTTP/1.1\nHost: example.com\nAccept: application/json With this scheme the request.version attribute is determined based on the namespace that matches the incoming request path. In the following example we're giving a set of views two different possible URL prefixes, each under a different namespace: # bookings/urls.py\nurlpatterns = [\n url(r'^$', bookings_list, name='bookings-list'),\n url(r'^(?P pk [0-9]+)/$', bookings_detail, name='bookings-detail')\n]\n\n# urls.py\nurlpatterns = [\n url(r'^v1/bookings/', include('bookings.urls', namespace='v1')),\n url(r'^v2/bookings/', include('bookings.urls', namespace='v2'))\n] Both URLPathVersioning and NamespaceVersioning are reasonable if you just need a simple versioning scheme. The URLPathVersioning approach might be better suitable for small ad-hoc projects, and the NamespaceVersioning is probably easier to manage for larger projects.",
"text":"The hostname versioning scheme requires the client to specify the requested version as part of the hostname in the URL. For example the following is an HTTP request to the http://v1.example.com/bookings/ URL: GET /bookings/ HTTP/1.1\nHost: v1.example.com\nAccept: application/json By default this implementation expects the hostname to match this simple regular expression: ^([a-zA-Z0-9]+)\\.[a-zA-Z0-9]+\\.[a-zA-Z0-9]+$ Note that the first group is enclosed in brackets, indicating that this is the matched portion of the hostname. The HostNameVersioning scheme can be awkward to use in debug mode as you will typically be accessing a raw IP address such as 127.0.0.1 . There are various online services which you to access localhost with a custom subdomain which you may find helpful in this case. Hostname based versioning can be particularly useful if you have requirements to route incoming requests to different servers based on the version, as you can configure different DNS records for different API versions.",
"text":"This scheme is a simple style that includes the version as a query parameter in the URL. For example: GET /something/?version=0.1 HTTP/1.1\nHost: example.com\nAccept: application/json",
"text":"To implement a custom versioning scheme, subclass BaseVersioning and override the .determine_version method.",
"title":"Custom versioning schemes"
},
{
"location":"/api-guide/versioning/#example",
"text":"The following example uses a custom X-API-Version header to determine the requested version. class XAPIVersionScheme(versioning.BaseVersioning):\n def determine_version(self, request, *args, **kwargs):\n return request.META.get('HTTP_X_API_VERSION', None) If your versioning scheme is based on the request URL, you will also want to alter how versioned URLs are determined. In order to do so you should override the .reverse() method on the class. See the source code for examples.",
"title":"Example"
},
{
"location":"/api-guide/content-negotiation/",
"text":"Content negotiation\n\n\n\n\nHTTP has provisions for several mechanisms for \"content negotiation\" - the process of selecting the best representation for a given response when there are multiple representations available.\n\n\n \nRFC 2616\n, Fielding et al.\n\n\n\n\nContent negotiation is the process of selecting one of multiple possible representations to return to a client, based on client or server preferences.\n\n\nDetermining the accepted renderer\n\n\nREST framework uses a simple style of content negotiation to determine which media type should be returned to a client, based on the available renderers, the priorities of each of those renderers, and the client's \nAccept:\n header. The style used is partly client-driven, and partly server-driven.\n\n\n\n\nMore specific media types are given preference to less specific media types.\n\n\nIf multiple media types have the same specificity, then preference is given to based on the ordering of the renderers configured for the given view.\n\n\n\n\nFor example, given the following \nAccept\n header:\n\n\napplication/json; indent=4, application/json, application/yaml, text/html, */*\n\n\n\nThe priorities for each of the given media types would be:\n\n\n\n\napplication/json; indent=4\n\n\napplication/json\n, \napplication/yaml\n and \ntext/html\n\n\n*/*\n\n\n\n\nIf the requested view was only configured with renderers for \nYAML\n and \nHTML\n, then REST framework would select whichever renderer was listed first in the \nrenderer_classes\n list or \nDEFAULT_RENDERER_CLASSES\n setting.\n\n\nFor more information on the \nHTTP Accept\n header, see \nRFC 2616\n\n\n\n\nNote\n: \"q\" values are not taken into account by REST framework when determining preference. The use of \"q\" values negatively impacts caching, and in the author's opinion they are an unnecessary and overcomplicated approach to content negotiation.\n\n\nThis is a valid approach as the HTTP spec deliberately underspecifies how a server should weight server-based preferences against client-based preferences.\n\n\n\n\nCustom content negotiation\n\n\nIt's unlikely that you'll want to provide a custom content negotiation scheme for REST framework, but you can do so if needed. To implement a custom content negotiation scheme override \nBaseContentNegotiation\n.\n\n\nREST framework's content negotiation classes handle selection of both the appropriate parser for the request, and the appropriate renderer for the response, so you should implement both the \n.select_parser(request, parsers)\n and \n.select_renderer(request, renderers, format_suffix)\n methods.\n\n\nThe \nselect_parser()\n method should return one of the parser instances from the list of available parsers, or \nNone\n if none of the parsers can handle the incoming request.\n\n\nThe \nselect_renderer()\n method should return a two-tuple of (renderer instance, media type), or raise a \nNotAcceptable\n exception.\n\n\nExample\n\n\nThe following is a custom content negotiation class which ignores the client\nrequest when selecting the appropriate parser or renderer.\n\n\nfrom rest_framework.negotiation import BaseContentNegotiation\n\nclass IgnoreClientContentNegotiation(BaseContentNegotiation):\n def select_parser(self, request, parsers):\n \"\"\"\n Select the first parser in the `.parser_classes` list.\n \"\"\"\n return parsers[0]\n\n def select_renderer(self, request, renderers, format_suffix):\n \"\"\"\n Select the first renderer in the `.renderer_classes` list.\n \"\"\"\nreturn(renderers[0],renderers[0].media_type)\n\n\n\nSettingthecontentnegotiation\n\n\nThedefaultcontentnegotiationclassmaybesetglobally,usingthe\nDEFAULT_CONTENT_NEGOTIATION_CLASS\nsetting.Forexample,thefollowingsettingswoulduseourexample\nIgnoreClientContentNegotiation\nclass.\n\n\nREST_FRAMEWORK={\n'DEFAULT_CONTENT_NEGOTIATION_CLASS':'myapp.negotiation.IgnoreClientContentNegotiation',\n}\n\n\n\nYoucanalsosetthecontentnegotiationusedforanindividualview,o
"text":"HTTP has provisions for several mechanisms for \"content negotiation\" - the process of selecting the best representation for a given response when there are multiple representations available. RFC 2616 , Fielding et al. Content negotiation is the process of selecting one of multiple possible representations to return to a client, based on client or server preferences.",
"text":"REST framework uses a simple style of content negotiation to determine which media type should be returned to a client, based on the available renderers, the priorities of each of those renderers, and the client's Accept: header. The style used is partly client-driven, and partly server-driven. More specific media types are given preference to less specific media types. If multiple media types have the same specificity, then preference is given to based on the ordering of the renderers configured for the given view. For example, given the following Accept header: application/json; indent=4, application/json, application/yaml, text/html, */* The priorities for each of the given media types would be: application/json; indent=4 application/json , application/yaml and text/html */* If the requested view was only configured with renderers for YAML and HTML , then REST framework would select whichever renderer was listed first in the renderer_classes list or DEFAULT_RENDERER_CLASSES setting. For more information on the HTTP Accept header, see RFC 2616 Note : \"q\" values are not taken into account by REST framework when determining preference. The use of \"q\" values negatively impacts caching, and in the author's opinion they are an unnecessary and overcomplicated approach to content negotiation. This is a valid approach as the HTTP spec deliberately underspecifies how a server should weight server-based preferences against client-based preferences.",
"text":"It's unlikely that you'll want to provide a custom content negotiation scheme for REST framework, but you can do so if needed. To implement a custom content negotiation scheme override BaseContentNegotiation . REST framework's content negotiation classes handle selection of both the appropriate parser for the request, and the appropriate renderer for the response, so you should implement both the .select_parser(request, parsers) and .select_renderer(request, renderers, format_suffix) methods. The select_parser() method should return one of the parser instances from the list of available parsers, or None if none of the parsers can handle the incoming request. The select_renderer() method should return a two-tuple of (renderer instance, media type), or raise a NotAcceptable exception.",
"text":"The following is a custom content negotiation class which ignores the client\nrequest when selecting the appropriate parser or renderer. from rest_framework.negotiation import BaseContentNegotiation\n\nclass IgnoreClientContentNegotiation(BaseContentNegotiation):\n def select_parser(self, request, parsers):\n \"\"\"\n Select the first parser in the `.parser_classes` list.\n \"\"\"\n return parsers[0]\n\n def select_renderer(self, request, renderers, format_suffix):\n \"\"\"\n Select the first renderer in the `.renderer_classes` list.\n \"\"\"\n return (renderers[0], renderers[0].media_type)",
"text":"The default content negotiation class may be set globally, using the DEFAULT_CONTENT_NEGOTIATION_CLASS setting. For example, the following settings would use our example IgnoreClientContentNegotiation class. REST_FRAMEWORK = {\n 'DEFAULT_CONTENT_NEGOTIATION_CLASS': 'myapp.negotiation.IgnoreClientContentNegotiation',\n} You can also set the content negotiation used for an individual view, or viewset, using the APIView class based views. from myapp.negotiation import IgnoreClientContentNegotiation\nfrom rest_framework.response import Response\nfrom rest_framework.views import APIView\n\nclass NoNegotiationView(APIView):\n \"\"\"\n An example view that does not perform content negotiation.\n \"\"\"\n content_negotiation_class = IgnoreClientContentNegotiation\n\n def get(self, request, format=None):\n return Response({\n 'accepted media type': request.accepted_renderer.media_type\n })",
"text":"Metadata\n\n\n\n\n[The \nOPTIONS\n] method allows a client to determine the options and/or requirements associated with a resource, or the capabilities of a server, without implying a resource action or initiating a resource retrieval.\n\n\n \nRFC7231, Section 4.3.7.\n\n\n\n\nREST framework includes a configurable mechanism for determining how your API should respond to \nOPTIONS\n requests. This allows you to return API schema or other resource information.\n\n\nThere are not currently any widely adopted conventions for exactly what style of response should be returned for HTTP \nOPTIONS\n requests, so we provide an ad-hoc style that returns some useful information.\n\n\nHere's an example response that demonstrates the information that is returned by default.\n\n\nHTTP 200 OK\nAllow: GET, POST, HEAD, OPTIONS\nContent-Type: application/json\n\n{\n \"name\": \"To Do List\",\n \"description\": \"List existing 'To Do' items, or create a new item.\",\n \"renders\": [\n \"application/json\",\n \"text/html\"\n ],\n \"parses\": [\n \"application/json\",\n \"application/x-www-form-urlencoded\",\n \"multipart/form-data\"\n ],\n \"actions\": {\n \"POST\": {\n \"note\": {\n \"type\": \"string\",\n \"required\": false,\n \"read_only\": false,\n \"label\": \"title\",\n \"max_length\": 100\n }\n }\n }\n}\n\n\n\nSetting the metadata scheme\n\n\nYou can set the metadata class globally using the \n'DEFAULT_METADATA_CLASS'\n settings key:\n\n\nREST_FRAMEWORK = {\n 'DEFAULT_METADATA_CLASS': 'rest_framework.metadata.SimpleMetadata'\n}\n\n\n\nOr you can set the metadata class individually for a view:\n\n\nclass APIRoot(APIView):\n metadata_class = APIRootMetadata\n\n def get(self, request, format=None):\n return Response({\n ...\n })\n\n\n\nThe REST framework package only includes a single metadata class implementation, named \nSimpleMetadata\n. If you want to use an alternative style you'll need to implement a custom metadata class.\n\n\nCreating schema endpoints\n\n\nIf you have specific requirements for creating schema endpoints that are accessed with regular \nGET\n requests, you might consider re-using the metadata API for doing so.\n\n\nFor example, the following additional route could be used on a viewset to provide a linkable schema endpoint.\n\n\n@list_route(methods=['GET'])\ndef schema(self, request):\n meta = self.metadata_class()\n data = meta.determine_metadata(request, self)\n return Response(data)\n\n\n\nThere are a couple of reasons that you might choose to take this approach, including that \nOPTIONS\n responses \nare not cacheable\n.\n\n\n\n\nCustom metadata classes\n\n\nIf you want to provide a custom metadata class you should override \nBaseMetadata\n and implement the \ndetermine_metadata(self, request, view)\n method.\n\n\nUseful things that you might want to do could include returning schema information, using a format such as \nJSON schema\n, or returning debug information to admin users.\n\n\nExample\n\n\nThe following class could be used to limit the information that is returned to \nOPTIONS\n requests.\n\n\nclass MinimalMetadata(BaseMetadata):\n \"\"\"\n Don't include field and other information for `OPTIONS` requests.\n Just return the name and description.\n \"\"\"\n def determine_metadata(self, request, view):\n return {\n 'name': view.get_view_name(),\n 'description': view.get_view_description()\n }\n\n\n\nThen configure your settings to use this custom class:\n\n\nREST_FRAMEWORK = {\n 'DEFAULT_METADATA_CLASS': 'myproject.apps.core.MinimalMetadata'\n}",
"text":"[The OPTIONS ] method allows a client to determine the options and/or requirements associated with a resource, or the capabilities of a server, without implying a resource action or initiating a resource retrieval. RFC7231, Section 4.3.7. REST framework includes a configurable mechanism for determining how your API should respond to OPTIONS requests. This allows you to return API schema or other resource information. There are not currently any widely adopted conventions for exactly what style of response should be returned for HTTP OPTIONS requests, so we provide an ad-hoc style that returns some useful information. Here's an example response that demonstrates the information that is returned by default. HTTP 200 OK\nAllow: GET, POST, HEAD, OPTIONS\nContent-Type: application/json\n\n{\n \"name\": \"To Do List\",\n \"description\": \"List existing 'To Do' items, or create a new item.\",\n \"renders\": [\n \"application/json\",\n \"text/html\"\n ],\n \"parses\": [\n \"application/json\",\n \"application/x-www-form-urlencoded\",\n \"multipart/form-data\"\n ],\n \"actions\": {\n \"POST\": {\n \"note\": {\n \"type\": \"string\",\n \"required\": false,\n \"read_only\": false,\n \"label\": \"title\",\n \"max_length\": 100\n }\n }\n }\n}",
"text":"You can set the metadata class globally using the 'DEFAULT_METADATA_CLASS' settings key: REST_FRAMEWORK = {\n 'DEFAULT_METADATA_CLASS': 'rest_framework.metadata.SimpleMetadata'\n} Or you can set the metadata class individually for a view: class APIRoot(APIView):\n metadata_class = APIRootMetadata\n\n def get(self, request, format=None):\n return Response({\n ...\n }) The REST framework package only includes a single metadata class implementation, named SimpleMetadata . If you want to use an alternative style you'll need to implement a custom metadata class.",
"text":"If you have specific requirements for creating schema endpoints that are accessed with regular GET requests, you might consider re-using the metadata API for doing so. For example, the following additional route could be used on a viewset to provide a linkable schema endpoint. @list_route(methods=['GET'])\ndef schema(self, request):\n meta = self.metadata_class()\n data = meta.determine_metadata(request, self)\n return Response(data) There are a couple of reasons that you might choose to take this approach, including that OPTIONS responses are not cacheable .",
"text":"If you want to provide a custom metadata class you should override BaseMetadata and implement the determine_metadata(self, request, view) method. Useful things that you might want to do could include returning schema information, using a format such as JSON schema , or returning debug information to admin users.",
"text":"The following class could be used to limit the information that is returned to OPTIONS requests. class MinimalMetadata(BaseMetadata):\n \"\"\"\n Don't include field and other information for `OPTIONS` requests.\n Just return the name and description.\n \"\"\"\n def determine_metadata(self, request, view):\n return {\n 'name': view.get_view_name(),\n 'description': view.get_view_description()\n } Then configure your settings to use this custom class: REST_FRAMEWORK = {\n 'DEFAULT_METADATA_CLASS': 'myproject.apps.core.MinimalMetadata'\n}",
"text":"Format suffixes\n\n\n\n\nSection 6.2.1 does not say that content negotiation should be\nused all the time.\n\n\n Roy Fielding, \nREST discuss mailing list\n\n\n\n\nA common pattern for Web APIs is to use filename extensions on URLs to provide an endpoint for a given media type. For example, 'http://example.com/api/users.json' to serve a JSON representation.\n\n\nAdding format-suffix patterns to each individual entry in the URLconf for your API is error-prone and non-DRY, so REST framework provides a shortcut to adding these patterns to your URLConf.\n\n\nformat_suffix_patterns\n\n\nSignature\n: format_suffix_patterns(urlpatterns, suffix_required=False, allowed=None)\n\n\nReturns a URL pattern list which includes format suffix patterns appended to each of the URL patterns provided.\n\n\nArguments:\n\n\n\n\nurlpatterns\n: Required. A URL pattern list.\n\n\nsuffix_required\n: Optional. A boolean indicating if suffixes in the URLs should be optional or mandatory. Defaults to \nFalse\n, meaning that suffixes are optional by default.\n\n\nallowed\n: Optional. A list or tuple of valid format suffixes. If not provided, a wildcard format suffix pattern will be used.\n\n\n\n\nExample:\n\n\nfrom rest_framework.urlpatterns import format_suffix_patterns\nfrom blog import views\n\nurlpatterns = [\n url(r'^/$', views.apt_root),\n url(r'^comments/$', views.comment_list),\n url(r'^comments/(?P\npk\n[0-9]+)/$', views.comment_detail)\n]\n\nurlpatterns = format_suffix_patterns(urlpatterns, allowed=['json', 'html'])\n\n\n\nWhen using \nformat_suffix_patterns\n, you must make sure to add the \n'format'\n keyword argument to the corresponding views. For example:\n\n\n@api_view(('GET', 'POST'))\ndef comment_list(request, format=None):\n # do stuff...\n\n\n\nOr with class based views:\n\n\nclass CommentList(APIView):\n def get(self, request, format=None):\n # do stuff...\n\n def post(self, request, format=None):\n # do stuff...\n\n\n\nThe name of the kwarg used may be modified by using the \nFORMAT_SUFFIX_KWARG\n setting.\n\n\nAlso note that \nformat_suffix_patterns\n does not support descending into \ninclude\n URL patterns.\n\n\nUsing with \ni18n_patterns\n\n\nIf using the \ni18n_patterns\n function provided by Django, as well as \nformat_suffix_patterns\n you should make sure that the \ni18n_patterns\n function is applied as the final, or outermost function. For example:\n\n\nurl patterns = [\n \u2026\n]\n\nurlpatterns = i18n_patterns(\n format_suffix_patterns(urlpatterns, allowed=['json', 'html'])\n)\n\n\n\n\n\nQuery parameter formats\n\n\nAn alternative to the format suffixes is to include the requested format in a query parameter. REST framework provides this option by default, and it is used in the browsable API to switch between differing available representations.\n\n\nTo select a representation using its short format, use the \nformat\n query parameter. For example: \nhttp://example.com/organizations/?format=csv\n.\n\n\nThe name of this query parameter can be modified using the \nURL_FORMAT_OVERRIDE\n setting. Set the value to \nNone\n to disable this behavior.\n\n\n\n\nAccept headers vs. format suffixes\n\n\nThere seems to be a view among some of the Web community that filename extensions are not a RESTful pattern, and that \nHTTP Accept\n headers should always be used instead.\n\n\nIt is actually a misconception. For example, take the following quote from Roy Fielding discussing the relative merits of query parameter media-type indicators vs. file extension media-type indicators:\n\n\nThat's why I always prefer extensions. Neither choice has anything to do with REST.\n \n Roy Fielding, \nREST discuss mailing list\n\n\nThe quote does not mention Accept headers, but it does make it clear that format suffixes should be considered an acceptable pattern.",
"text":"Section 6.2.1 does not say that content negotiation should be\nused all the time. Roy Fielding, REST discuss mailing list A common pattern for Web APIs is to use filename extensions on URLs to provide an endpoint for a given media type. For example, 'http://example.com/api/users.json' to serve a JSON representation. Adding format-suffix patterns to each individual entry in the URLconf for your API is error-prone and non-DRY, so REST framework provides a shortcut to adding these patterns to your URLConf.",
"text":"Signature : format_suffix_patterns(urlpatterns, suffix_required=False, allowed=None) Returns a URL pattern list which includes format suffix patterns appended to each of the URL patterns provided. Arguments: urlpatterns : Required. A URL pattern list. suffix_required : Optional. A boolean indicating if suffixes in the URLs should be optional or mandatory. Defaults to False , meaning that suffixes are optional by default. allowed : Optional. A list or tuple of valid format suffixes. If not provided, a wildcard format suffix pattern will be used. Example: from rest_framework.urlpatterns import format_suffix_patterns\nfrom blog import views\n\nurlpatterns = [\n url(r'^/$', views.apt_root),\n url(r'^comments/$', views.comment_list),\n url(r'^comments/(?P pk [0-9]+)/$', views.comment_detail)\n]\n\nurlpatterns = format_suffix_patterns(urlpatterns, allowed=['json', 'html']) When using format_suffix_patterns , you must make sure to add the 'format' keyword argument to the corresponding views. For example: @api_view(('GET', 'POST'))\ndef comment_list(request, format=None):\n # do stuff... Or with class based views: class CommentList(APIView):\n def get(self, request, format=None):\n # do stuff...\n\n def post(self, request, format=None):\n # do stuff... The name of the kwarg used may be modified by using the FORMAT_SUFFIX_KWARG setting. Also note that format_suffix_patterns does not support descending into include URL patterns. Using with i18n_patterns If using the i18n_patterns function provided by Django, as well as format_suffix_patterns you should make sure that the i18n_patterns function is applied as the final, or outermost function. For example: url patterns = [\n \u2026\n]\n\nurlpatterns = i18n_patterns(\n format_suffix_patterns(urlpatterns, allowed=['json', 'html'])\n)",
"text":"An alternative to the format suffixes is to include the requested format in a query parameter. REST framework provides this option by default, and it is used in the browsable API to switch between differing available representations. To select a representation using its short format, use the format query parameter. For example: http://example.com/organizations/?format=csv . The name of this query parameter can be modified using the URL_FORMAT_OVERRIDE setting. Set the value to None to disable this behavior.",
"text":"There seems to be a view among some of the Web community that filename extensions are not a RESTful pattern, and that HTTP Accept headers should always be used instead. It is actually a misconception. For example, take the following quote from Roy Fielding discussing the relative merits of query parameter media-type indicators vs. file extension media-type indicators: That's why I always prefer extensions. Neither choice has anything to do with REST. Roy Fielding, REST discuss mailing list The quote does not mention Accept headers, but it does make it clear that format suffixes should be considered an acceptable pattern.",
"title":"Accept headers vs. format suffixes"
},
{
"location":"/api-guide/reverse/",
"text":"Returning URLs\n\n\n\n\nThe central feature that distinguishes the REST architectural style from other network-based styles is its emphasis on a uniform interface between components.\n\n\n Roy Fielding, \nArchitectural Styles and the Design of Network-based Software Architectures\n\n\n\n\nAs a rule, it's probably better practice to return absolute URIs from your Web APIs, such as \nhttp://example.com/foobar\n, rather than returning relative URIs, such as \n/foobar\n.\n\n\nThe advantages of doing so are:\n\n\n\n\nIt's more explicit.\n\n\nIt leaves less work for your API clients.\n\n\nThere's no ambiguity about the meaning of the string when it's found in representations such as JSON that do not have a native URI type.\n\n\nIt makes it easy to do things like markup HTML representations with hyperlinks.\n\n\n\n\nREST framework provides two utility functions to make it more simple to return absolute URIs from your Web API.\n\n\nThere's no requirement for you to use them, but if you do then the self-describing API will be able to automatically hyperlink its output for you, which makes browsing the API much easier.\n\n\nreverse\n\n\nSignature:\n \nreverse(viewname, *args, **kwargs)\n\n\nHas the same behavior as \ndjango.core.urlresolvers.reverse\n, except that it returns a fully qualified URL, using the request to determine the host and port.\n\n\nYou should \ninclude the request as a keyword argument\n to the function, for example:\n\n\nfrom rest_framework.reverse import reverse\nfrom rest_framework.views import APIView\nfrom django.utils.timezone import now\n\nclass APIRootView(APIView):\n def get(self, request):\n year = now().year\n data = {\n ...\n 'year-summary-url': reverse('year-summary', args=[year], request=request)\n }\n return Response(data)\n\n\n\nreverse_lazy\n\n\nSignature:\n \nreverse_lazy(viewname, *args, **kwargs)\n\n\nHas the same behavior as \ndjango.core.urlresolvers.reverse_lazy\n, except that it returns a fully qualified URL, using the request to determine the host and port.\n\n\nAs with the \nreverse\n function, you should \ninclude the request as a keyword argument\n to the function, for example:\n\n\napi_root = reverse_lazy('api-root', request=request)",
"title":"Returning URLs"
},
{
"location":"/api-guide/reverse/#returning-urls",
"text":"The central feature that distinguishes the REST architectural style from other network-based styles is its emphasis on a uniform interface between components. Roy Fielding, Architectural Styles and the Design of Network-based Software Architectures As a rule, it's probably better practice to return absolute URIs from your Web APIs, such as http://example.com/foobar , rather than returning relative URIs, such as /foobar . The advantages of doing so are: It's more explicit. It leaves less work for your API clients. There's no ambiguity about the meaning of the string when it's found in representations such as JSON that do not have a native URI type. It makes it easy to do things like markup HTML representations with hyperlinks. REST framework provides two utility functions to make it more simple to return absolute URIs from your Web API. There's no requirement for you to use them, but if you do then the self-describing API will be able to automatically hyperlink its output for you, which makes browsing the API much easier.",
"title":"Returning URLs"
},
{
"location":"/api-guide/reverse/#reverse",
"text":"Signature: reverse(viewname, *args, **kwargs) Has the same behavior as django.core.urlresolvers.reverse , except that it returns a fully qualified URL, using the request to determine the host and port. You should include the request as a keyword argument to the function, for example: from rest_framework.reverse import reverse\nfrom rest_framework.views import APIView\nfrom django.utils.timezone import now\n\nclass APIRootView(APIView):\n def get(self, request):\n year = now().year\n data = {\n ...\n 'year-summary-url': reverse('year-summary', args=[year], request=request)\n }\n return Response(data)",
"title":"reverse"
},
{
"location":"/api-guide/reverse/#reverse_lazy",
"text":"Signature: reverse_lazy(viewname, *args, **kwargs) Has the same behavior as django.core.urlresolvers.reverse_lazy , except that it returns a fully qualified URL, using the request to determine the host and port. As with the reverse function, you should include the request as a keyword argument to the function, for example: api_root = reverse_lazy('api-root', request=request)",
"title":"reverse_lazy"
},
{
"location":"/api-guide/exceptions/",
"text":"Exceptions\n\n\n\n\nExceptions\u2026 allow error handling to be organized cleanly in a central or high-level place within the program structure.\n\n\n Doug Hellmann, \nPython Exception Handling Techniques\n\n\n\n\nException handling in REST framework views\n\n\nREST framework's views handle various exceptions, and deal with returning appropriate error responses.\n\n\nThe handled exceptions are:\n\n\n\n\nSubclasses of \nAPIException\n raised inside REST framework.\n\n\nDjango's \nHttp404\n exception.\n\n\nDjango's \nPermissionDenied\n exception.\n\n\n\n\nIn each case, REST framework will return a response with an appropriate status code and content-type. The body of the response will include any additional details regarding the nature of the error.\n\n\nMost error responses will include a key \ndetail\n in the body of the response.\n\n\nFor example, the following request:\n\n\nDELETE http://api.example.com/foo/bar HTTP/1.1\nAccept: application/json\n\n\n\nMight receive an error response indicating that the \nDELETE\n method is not allowed on that resource:\n\n\nHTTP/1.1 405 Method Not Allowed\nContent-Type: application/json\nContent-Length: 42\n\n{\"detail\": \"Method 'DELETE' not allowed.\"}\n\n\n\nValidation errors are handled slightly differently, and will include the field names as the keys in the response. If the validation error was not specific to a particular field then it will use the \"non_field_errors\" key, or whatever string value has been set for the \nNON_FIELD_ERRORS_KEY\n setting.\n\n\nAny example validation error might look like this:\n\n\nHTTP/1.1 400 Bad Request\nContent-Type: application/json\nContent-Length: 94\n\n{\"amount\": [\"A valid integer is required.\"], \"description\": [\"This field may not be blank.\"]}\n\n\n\nCustom exception handling\n\n\nYou can implement custom exception handling by creating a handler function that converts exceptions raised in your API views into response objects. This allows you to control the style of error responses used by your API.\n\n\nThe function must take a pair of arguments, this first is the exception to be handled, and the second is a dictionary containing any extra context such as the view currently being handled. The exception handler function should either return a \nResponse\n object, or return \nNone\n if the exception cannot be handled. If the handler returns \nNone\n then the exception will be re-raised and Django will return a standard HTTP 500 'server error' response.\n\n\nFor example, you might want to ensure that all error responses include the HTTP status code in the body of the response, like so:\n\n\nHTTP/1.1 405 Method Not Allowed\nContent-Type: application/json\nContent-Length: 62\n\n{\"status_code\": 405, \"detail\": \"Method 'DELETE' not allowed.\"}\n\n\n\nInordertoalterthestyleoftheresponse,youcouldwritethefollowingcustomexceptionhandler:\n\n\nfromrest_framework.viewsimportexception_handler\n\ndefcustom_exception_handler(exc,context):\n#CallRESTframework'sdefaultexceptionhandlerfirst,\n#togetthestandarderrorresponse.\nresponse=exception_handler(exc,context)\n\n#\u00a0NowaddtheHTTPstatuscodetotheresponse.\nifresponseisnotNone:\nresponse.data['status_code']=response.status_code\n\nreturnresponse\n\n\n\nThecontextargumentisnotusedbythedefaulthandler,butcanbeusefuliftheexceptionhandlerneedsfurtherinformationsuchastheviewcurrentlybeinghandled,whichcanbeaccessedas\ncontext['view']\n.\n\n\nTheexceptionhandlermustalsobeconfiguredinyoursettings,usingthe\nEXCEPTION_HANDLER\nsettingkey.Forexample:\n\n\nREST_FRAMEWORK={\n'EXCEPTION_HANDLER':'my_project.my_app.utils.custom_exception_handler'\n}\n\n\n\nIfnotspecified,the\n'EXCEPTION_HANDLER'\nsettingdefaultstothestandardexceptionhandlerprovidedbyRESTframework:\n\n\nREST_FRAMEWORK={\n'EXCEPTION_HANDLER':'rest_framework.views.exception_handler'\n}\n\n\n\nNotethattheexceptionhandlerwillonlybecalledforresponses
"title":"Exceptions"
},
{
"location":"/api-guide/exceptions/#exceptions",
"text":"Exceptions\u2026 allow error handling to be organized cleanly in a central or high-level place within the program structure. Doug Hellmann, Python Exception Handling Techniques",
"text":"REST framework's views handle various exceptions, and deal with returning appropriate error responses. The handled exceptions are: Subclasses of APIException raised inside REST framework. Django's Http404 exception. Django's PermissionDenied exception. In each case, REST framework will return a response with an appropriate status code and content-type. The body of the response will include any additional details regarding the nature of the error. Most error responses will include a key detail in the body of the response. For example, the following request: DELETE http://api.example.com/foo/bar HTTP/1.1\nAccept: application/json Might receive an error response indicating that the DELETE method is not allowed on that resource: HTTP/1.1 405 Method Not Allowed\nContent-Type: application/json\nContent-Length: 42\n\n{\"detail\": \"Method 'DELETE' not allowed.\"} Validation errors are handled slightly differently, and will include the field names as the keys in the response. If the validation error was not specific to a particular field then it will use the \"non_field_errors\" key, or whatever string value has been set for the NON_FIELD_ERRORS_KEY setting. Any example validation error might look like this: HTTP/1.1 400 Bad Request\nContent-Type: application/json\nContent-Length: 94\n\n{\"amount\": [\"A valid integer is required.\"], \"description\": [\"This field may not be blank.\"]}",
"title":"Exception handling in REST framework views"
"text":"You can implement custom exception handling by creating a handler function that converts exceptions raised in your API views into response objects. This allows you to control the style of error responses used by your API. The function must take a pair of arguments, this first is the exception to be handled, and the second is a dictionary containing any extra context such as the view currently being handled. The exception handler function should either return a Response object, or return None if the exception cannot be handled. If the handler returns None then the exception will be re-raised and Django will return a standard HTTP 500 'server error' response. For example, you might want to ensure that all error responses include the HTTP status code in the body of the response, like so: HTTP/1.1 405 Method Not Allowed\nContent-Type: application/json\nContent-Length: 62\n\n{\"status_code\": 405, \"detail\": \"Method 'DELETE' not allowed.\"} In order to alter the style of the response, you could write the following custom exception handler: from rest_framework.views import exception_handler\n\ndef custom_exception_handler(exc, context):\n # Call REST framework's default exception handler first,\n # to get the standard error response.\n response = exception_handler(exc, context)\n\n #\u00a0Now add the HTTP status code to the response.\n if response is not None:\n response.data['status_code'] = response.status_code\n\n return response The context argument is not used by the default handler, but can be useful if the exception handler needs further information such as the view currently being handled, which can be accessed as context['view'] . The exception handler must also be configured in your settings, using the EXCEPTION_HANDLER setting key. For example: REST_FRAMEWORK = {\n 'EXCEPTION_HANDLER': 'my_project.my_app.utils.custom_exception_handler'\n} If not specified, the 'EXCEPTION_HANDLER' setting defaults to the standard exception handler provided by REST framework: REST_FRAMEWORK = {\n 'EXCEPTION_HANDLER': 'rest_framework.views.exception_handler'\n} Note that the exception handler will only be called for responses generated by raised exceptions. It will not be used for any responses returned directly by the view, such as the HTTP_400_BAD_REQUEST responses that are returned by the generic views when serializer validation fails.",
"text":"Signature: APIException() The base class for all exceptions raised inside an APIView class or @api_view . To provide a custom exception, subclass APIException and set the .status_code and .default_detail properties on the class. For example, if your API relies on a third party service that may sometimes be unreachable, you might want to implement an exception for the \"503 Service Unavailable\" HTTP response code. You could do this like so: from rest_framework.exceptions import APIException\n\nclass ServiceUnavailable(APIException):\n status_code = 503\n default_detail = 'Service temporarily unavailable, try again later.'",
"title":"APIException"
},
{
"location":"/api-guide/exceptions/#parseerror",
"text":"Signature: ParseError(detail=None) Raised if the request contains malformed data when accessing request.data . By default this exception results in a response with the HTTP status code \"400 Bad Request\".",
"text":"Signature: AuthenticationFailed(detail=None) Raised when an incoming request includes incorrect authentication. By default this exception results in a response with the HTTP status code \"401 Unauthenticated\", but it may also result in a \"403 Forbidden\" response, depending on the authentication scheme in use. See the authentication documentation for more details.",
"text":"Signature: NotAuthenticated(detail=None) Raised when an unauthenticated request fails the permission checks. By default this exception results in a response with the HTTP status code \"401 Unauthenticated\", but it may also result in a \"403 Forbidden\" response, depending on the authentication scheme in use. See the authentication documentation for more details.",
"text":"Signature: PermissionDenied(detail=None) Raised when an authenticated request fails the permission checks. By default this exception results in a response with the HTTP status code \"403 Forbidden\".",
"title":"PermissionDenied"
},
{
"location":"/api-guide/exceptions/#notfound",
"text":"Signature: NotFound(detail=None) Raised when a resource does not exists at the given URL. This exception is equivalent to the standard Http404 Django exception. By default this exception results in a response with the HTTP status code \"404 Not Found\".",
"text":"Signature: MethodNotAllowed(method, detail=None) Raised when an incoming request occurs that does not map to a handler method on the view. By default this exception results in a response with the HTTP status code \"405 Method Not Allowed\".",
"text":"Signature: NotAcceptable(detail=None) Raised when an incoming request occurs with an Accept header that cannot be satisfied by any of the available renderers. By default this exception results in a response with the HTTP status code \"406 Not Acceptable\".",
"text":"Signature: UnsupportedMediaType(media_type, detail=None) Raised if there are no parsers that can handle the content type of the request data when accessing request.data . By default this exception results in a response with the HTTP status code \"415 Unsupported Media Type\".",
"title":"UnsupportedMediaType"
},
{
"location":"/api-guide/exceptions/#throttled",
"text":"Signature: Throttled(wait=None, detail=None) Raised when an incoming request fails the throttling checks. By default this exception results in a response with the HTTP status code \"429 Too Many Requests\".",
"text":"Signature: ValidationError(detail) The ValidationError exception is slightly different from the other APIException classes: The detail argument is mandatory, not optional. The detail argument may be a list or dictionary of error details, and may also be a nested data structure. By convention you should import the serializers module and use a fully qualified ValidationError style, in order to differentiate it from Django's built-in validation error. For example. raise serializers.ValidationError('This field must be an integer value.') The ValidationError class should be used for serializer and field validation, and by validator classes. It is also raised when calling serializer.is_valid with the raise_exception keyword argument: serializer.is_valid(raise_exception=True) The generic views use the raise_exception=True flag, which means that you can override the style of validation error responses globally in your API. To do so, use a custom exception handler, as described above. By default this exception results in a response with the HTTP status code \"400 Bad Request\".",
"text":"Status Codes\n\n\n\n\n418 I'm a teapot - Any attempt to brew coffee with a teapot should result in the error code \"418 I'm a teapot\". The resulting entity body MAY be short and stout.\n\n\n \nRFC 2324\n, Hyper Text Coffee Pot Control Protocol\n\n\n\n\nUsing bare status codes in your responses isn't recommended. REST framework includes a set of named constants that you can use to make more code more obvious and readable.\n\n\nfrom rest_framework import status\nfrom rest_framework.response import Response\n\ndef empty_view(self):\n content = {'please move along': 'nothing to see here'}\n return Response(content, status=status.HTTP_404_NOT_FOUND)\n\n\n\nThe full set of HTTP status codes included in the \nstatus\n module is listed below.\n\n\nThe module also includes a set of helper functions for testing if a status code is in a given range.\n\n\nfrom rest_framework import status\nfrom rest_framework.test import APITestCase\n\nclass ExampleTestCase(APITestCase):\n def test_url_root(self):\n url = reverse('index')\n response = self.client.get(url)\n self.assertTrue(status.is_success(response.status_code))\n\n\n\nFor more information on proper usage of HTTP status codes see \nRFC 2616\n\nand \nRFC 6585\n.\n\n\nInformational - 1xx\n\n\nThis class of status code indicates a provisional response. There are no 1xx status codes used in REST framework by default.\n\n\nHTTP_100_CONTINUE\nHTTP_101_SWITCHING_PROTOCOLS\n\n\n\nSuccessful - 2xx\n\n\nThis class of status code indicates that the client's request was successfully received, understood, and accepted.\n\n\nHTTP_200_OK\nHTTP_201_CREATED\nHTTP_202_ACCEPTED\nHTTP_203_NON_AUTHORITATIVE_INFORMATION\nHTTP_204_NO_CONTENT\nHTTP_205_RESET_CONTENT\nHTTP_206_PARTIAL_CONTENT\n\n\n\nRedirection - 3xx\n\n\nThis class of status code indicates that further action needs to be taken by the user agent in order to fulfill the request.\n\n\nHTTP_300_MULTIPLE_CHOICES\nHTTP_301_MOVED_PERMANENTLY\nHTTP_302_FOUND\nHTTP_303_SEE_OTHER\nHTTP_304_NOT_MODIFIED\nHTTP_305_USE_PROXY\nHTTP_306_RESERVED\nHTTP_307_TEMPORARY_REDIRECT\n\n\n\nClient Error - 4xx\n\n\nThe 4xx class of status code is intended for cases in which the client seems to have erred. Except when responding to a HEAD request, the server SHOULD include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition.\n\n\nHTTP_400_BAD_REQUEST\nHTTP_401_UNAUTHORIZED\nHTTP_402_PAYMENT_REQUIRED\nHTTP_403_FORBIDDEN\nHTTP_404_NOT_FOUND\nHTTP_405_METHOD_NOT_ALLOWED\nHTTP_406_NOT_ACCEPTABLE\nHTTP_407_PROXY_AUTHENTICATION_REQUIRED\nHTTP_408_REQUEST_TIMEOUT\nHTTP_409_CONFLICT\nHTTP_410_GONE\nHTTP_411_LENGTH_REQUIRED\nHTTP_412_PRECONDITION_FAILED\nHTTP_413_REQUEST_ENTITY_TOO_LARGE\nHTTP_414_REQUEST_URI_TOO_LONG\nHTTP_415_UNSUPPORTED_MEDIA_TYPE\nHTTP_416_REQUESTED_RANGE_NOT_SATISFIABLE\nHTTP_417_EXPECTATION_FAILED\nHTTP_428_PRECONDITION_REQUIRED\nHTTP_429_TOO_MANY_REQUESTS\nHTTP_431_REQUEST_HEADER_FIELDS_TOO_LARGE\nHTTP_451_UNAVAILABLE_FOR_LEGAL_REASONS\n\n\n\nServer Error - 5xx\n\n\nResponse status codes beginning with the digit \"5\" indicate cases in which the server is aware that it has erred or is incapable of performing the request. Except when responding to a HEAD request, the server SHOULD include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition.\n\n\nHTTP_500_INTERNAL_SERVER_ERROR\nHTTP_501_NOT_IMPLEMENTED\nHTTP_502_BAD_GATEWAY\nHTTP_503_SERVICE_UNAVAILABLE\nHTTP_504_GATEWAY_TIMEOUT\nHTTP_505_HTTP_VERSION_NOT_SUPPORTED\nHTTP_511_NETWORK_AUTHENTICATION_REQUIRED\n\n\n\nHelper functions\n\n\nThe following helper functions are available for identifying the category of the response code.\n\n\nis_informational() # 1xx\nis_success() #\u00a02xx\nis_redirect() # 3xx\nis_client_error() # 4xx\nis_server_error() # 5xx",
"text":"418 I'm a teapot - Any attempt to brew coffee with a teapot should result in the error code \"418 I'm a teapot\". The resulting entity body MAY be short and stout. RFC 2324 , Hyper Text Coffee Pot Control Protocol Using bare status codes in your responses isn't recommended. REST framework includes a set of named constants that you can use to make more code more obvious and readable. from rest_framework import status\nfrom rest_framework.response import Response\n\ndef empty_view(self):\n content = {'please move along': 'nothing to see here'}\n return Response(content, status=status.HTTP_404_NOT_FOUND) The full set of HTTP status codes included in the status module is listed below. The module also includes a set of helper functions for testing if a status code is in a given range. from rest_framework import status\nfrom rest_framework.test import APITestCase\n\nclass ExampleTestCase(APITestCase):\n def test_url_root(self):\n url = reverse('index')\n response = self.client.get(url)\n self.assertTrue(status.is_success(response.status_code)) For more information on proper usage of HTTP status codes see RFC 2616 \nand RFC 6585 .",
"text":"This class of status code indicates a provisional response. There are no 1xx status codes used in REST framework by default. HTTP_100_CONTINUE\nHTTP_101_SWITCHING_PROTOCOLS",
"text":"This class of status code indicates that the client's request was successfully received, understood, and accepted. HTTP_200_OK\nHTTP_201_CREATED\nHTTP_202_ACCEPTED\nHTTP_203_NON_AUTHORITATIVE_INFORMATION\nHTTP_204_NO_CONTENT\nHTTP_205_RESET_CONTENT\nHTTP_206_PARTIAL_CONTENT",
"text":"This class of status code indicates that further action needs to be taken by the user agent in order to fulfill the request. HTTP_300_MULTIPLE_CHOICES\nHTTP_301_MOVED_PERMANENTLY\nHTTP_302_FOUND\nHTTP_303_SEE_OTHER\nHTTP_304_NOT_MODIFIED\nHTTP_305_USE_PROXY\nHTTP_306_RESERVED\nHTTP_307_TEMPORARY_REDIRECT",
"text":"The 4xx class of status code is intended for cases in which the client seems to have erred. Except when responding to a HEAD request, the server SHOULD include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. HTTP_400_BAD_REQUEST\nHTTP_401_UNAUTHORIZED\nHTTP_402_PAYMENT_REQUIRED\nHTTP_403_FORBIDDEN\nHTTP_404_NOT_FOUND\nHTTP_405_METHOD_NOT_ALLOWED\nHTTP_406_NOT_ACCEPTABLE\nHTTP_407_PROXY_AUTHENTICATION_REQUIRED\nHTTP_408_REQUEST_TIMEOUT\nHTTP_409_CONFLICT\nHTTP_410_GONE\nHTTP_411_LENGTH_REQUIRED\nHTTP_412_PRECONDITION_FAILED\nHTTP_413_REQUEST_ENTITY_TOO_LARGE\nHTTP_414_REQUEST_URI_TOO_LONG\nHTTP_415_UNSUPPORTED_MEDIA_TYPE\nHTTP_416_REQUESTED_RANGE_NOT_SATISFIABLE\nHTTP_417_EXPECTATION_FAILED\nHTTP_428_PRECONDITION_REQUIRED\nHTTP_429_TOO_MANY_REQUESTS\nHTTP_431_REQUEST_HEADER_FIELDS_TOO_LARGE\nHTTP_451_UNAVAILABLE_FOR_LEGAL_REASONS",
"text":"Response status codes beginning with the digit \"5\" indicate cases in which the server is aware that it has erred or is incapable of performing the request. Except when responding to a HEAD request, the server SHOULD include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. HTTP_500_INTERNAL_SERVER_ERROR\nHTTP_501_NOT_IMPLEMENTED\nHTTP_502_BAD_GATEWAY\nHTTP_503_SERVICE_UNAVAILABLE\nHTTP_504_GATEWAY_TIMEOUT\nHTTP_505_HTTP_VERSION_NOT_SUPPORTED\nHTTP_511_NETWORK_AUTHENTICATION_REQUIRED",
"text":"The following helper functions are available for identifying the category of the response code. is_informational() # 1xx\nis_success() #\u00a02xx\nis_redirect() # 3xx\nis_client_error() # 4xx\nis_server_error() # 5xx",
"text":"Code without tests is broken as designed. Jacob Kaplan-Moss REST framework includes a few helper classes that extend Django's existing test framework, and improve support for making API requests.",
"text":"The APIRequestFactory class supports an almost identical API to Django's standard RequestFactory class. This means that the standard .get() , .post() , .put() , .patch() , .delete() , .head() and .options() methods are all available. from rest_framework.test import APIRequestFactory\n\n# Using the standard RequestFactory API to create a form POST request\nfactory = APIRequestFactory()\nrequest = factory.post('/notes/', {'title': 'new idea'}) Using the format argument Methods which create a request body, such as post , put and patch , include a format argument, which make it easy to generate requests using a content type other than multipart form data. For example: # Create a JSON POST request\nfactory = APIRequestFactory()\nrequest = factory.post('/notes/', {'title': 'new idea'}, format='json') By default the available formats are 'multipart' and 'json' . For compatibility with Django's existing RequestFactory the default format is 'multipart' . To support a wider set of request formats, or change the default format, see the configuration section . Explicitly encoding the request body If you need to explicitly encode the request body, you can do so by setting the content_type flag. For example: request = factory.post('/notes/', json.dumps({'title': 'new idea'}), content_type='application/json') PUT and PATCH with form data One difference worth noting between Django's RequestFactory and REST framework's APIRequestFactory is that multipart form data will be encoded for methods other than just .post() . For example, using APIRequestFactory , you can make a form PUT request like so: factory = APIRequestFactory()\nrequest = factory.put('/notes/547/', {'title': 'remember to email dave'}) Using Django's RequestFactory , you'd need to explicitly encode the data yourself: from django.test.client import encode_multipart, RequestFactory\n\nfactory = RequestFactory()\ndata = {'title': 'remember to email dave'}\ncontent = encode_multipart('BoUnDaRyStRiNg', data)\ncontent_type = 'multipart/form-data; boundary=BoUnDaRyStRiNg'\nrequest = factory.put('/notes/547/', content, content_type=content_type)",
"text":"When testing views directly using a request factory, it's often convenient to be able to directly authenticate the request, rather than having to construct the correct authentication credentials. To forcibly authenticate a request, use the force_authenticate() method. from rest_framework.test import force_authenticate\n\nfactory = APIRequestFactory()\nuser = User.objects.get(username='olivia')\nview = AccountDetail.as_view()\n\n# Make an authenticated request to the view...\nrequest = factory.get('/accounts/django-superstars/')\nforce_authenticate(request, user=user)\nresponse = view(request) The signature for the method is force_authenticate(request, user=None, token=None) . When making the call, either or both of the user and token may be set. For example, when forcibly authenticating using a token, you might do something like the following: user = User.objects.get(username='olivia')\nrequest = factory.get('/accounts/django-superstars/')\nforce_authenticate(request, user=user, token=user.token) Note : When using APIRequestFactory , the object that is returned is Django's standard HttpRequest , and not REST framework's Request object, which is only generated once the view is called. This means that setting attributes directly on the request object may not always have the effect you expect. For example, setting .token directly will have no effect, and setting .user directly will only work if session authentication is being used. # Request will only authenticate if `SessionAuthentication` is in use.\nrequest = factory.get('/accounts/django-superstars/')\nrequest.user = user\nresponse = view(request)",
"text":"By default, requests created with APIRequestFactory will not have CSRF validation applied when passed to a REST framework view. If you need to explicitly turn CSRF validation on, you can do so by setting the enforce_csrf_checks flag when instantiating the factory. factory = APIRequestFactory(enforce_csrf_checks=True) Note : It's worth noting that Django's standard RequestFactory doesn't need to include this option, because when using regular Django the CSRF validation takes place in middleware, which is not run when testing views directly. When using REST framework, CSRF validation takes place inside the view, so the request factory needs to disable view-level CSRF checks.",
"title":"Forcing CSRF validation"
},
{
"location":"/api-guide/testing/#apiclient",
"text":"Extends Django's existing Client class .",
"title":"APIClient"
},
{
"location":"/api-guide/testing/#making-requests",
"text":"The APIClient class supports the same request interface as Django's standard Client class. This means the that standard .get() , .post() , .put() , .patch() , .delete() , .head() and .options() methods are all available. For example: from rest_framework.test import APIClient\n\nclient = APIClient()\nclient.post('/notes/', {'title': 'new idea'}, format='json') To support a wider set of request formats, or change the default format, see the configuration section .",
"title":"Making requests"
},
{
"location":"/api-guide/testing/#authenticating",
"text":".login(**kwargs) The login method functions exactly as it does with Django's regular Client class. This allows you to authenticate requests against any views which include SessionAuthentication . # Make all requests in the context of a logged in session.\nclient = APIClient()\nclient.login(username='lauren', password='secret') To logout, call the logout method as usual. # Log out\nclient.logout() The login method is appropriate for testing APIs that use session authentication, for example web sites which include AJAX interaction with the API. .credentials(**kwargs) The credentials method can be used to set headers that will then be included on all subsequent requests by the test client. from rest_framework.authtoken.models import Token\nfrom rest_framework.test import APIClient\n\n# Include an appropriate `Authorization:` header on all requests.\ntoken = Token.objects.get(user__username='lauren')\nclient = APIClient()\nclient.credentials(HTTP_AUTHORIZATION='Token ' + token.key) Note that calling credentials a second time overwrites any existing credentials. You can unset any existing credentials by calling the method with no arguments. # Stop including any credentials\nclient.credentials() The credentials method is appropriate for testing APIs that require authentication headers, such as basic authentication, OAuth1a and OAuth2 authentication, and simple token authentication schemes. .force_authenticate(user=None, token=None) Sometimes you may want to bypass authentication, and simple force all requests by the test client to be automatically treated as authenticated. This can be a useful shortcut if you're testing the API but don't want to have to construct valid authentication credentials in order to make test requests. user = User.objects.get(username='lauren')\nclient = APIClient()\nclient.force_authenticate(user=user) To unauthenticate subsequent requests, call force_authenticate setting the user and/or token to None . client.force_authenticate(user=None)",
"title":"Authenticating"
},
{
"location":"/api-guide/testing/#csrf-validation",
"text":"By default CSRF validation is not applied when using APIClient . If you need to explicitly enable CSRF validation, you can do so by setting the enforce_csrf_checks flag when instantiating the client. client = APIClient(enforce_csrf_checks=True) As usual CSRF validation will only apply to any session authenticated views. This means CSRF validation will only occur if the client has been logged in by calling login() .",
"title":"CSRF validation"
},
{
"location":"/api-guide/testing/#test-cases",
"text":"REST framework includes the following test case classes, that mirror the existing Django test case classes, but use APIClient instead of Django's default Client . APISimpleTestCase APITransactionTestCase APITestCase APILiveServerTestCase",
"text":"You can use any of REST framework's test case classes as you would for the regular Django test case classes. The self.client attribute will be an APIClient instance. from django.core.urlresolvers import reverse\nfrom rest_framework import status\nfrom rest_framework.test import APITestCase\nfrom myproject.apps.core.models import Account\n\nclass AccountTests(APITestCase):\n def test_create_account(self):\n \"\"\"\n Ensure we can create a new account object.\n \"\"\"\n url = reverse('account-list')\n data = {'name': 'DabApps'}\n response = self.client.post(url, data, format='json')\n self.assertEqual(response.status_code, status.HTTP_201_CREATED)\n self.assertEqual(Account.objects.count(), 1)\n self.assertEqual(Account.objects.get().name, 'DabApps')",
"text":"When checking the validity of test responses it's often more convenient to inspect the data that the response was created with, rather than inspecting the fully rendered response. For example, it's easier to inspect response.data : response = self.client.get('/users/4/')\nself.assertEqual(response.data, {'id': 4, 'username': 'lauren'}) Instead of inspecting the result of parsing response.content : response = self.client.get('/users/4/')\nself.assertEqual(json.loads(response.content), {'id': 4, 'username': 'lauren'})",
"text":"If you're testing views directly using APIRequestFactory , the responses that are returned will not yet be rendered, as rendering of template responses is performed by Django's internal request-response cycle. In order to access response.content , you'll first need to render the response. view = UserDetail.as_view()\nrequest = factory.get('/users/4')\nresponse = view(request, pk='4')\nresponse.render() # Cannot access `response.content` without this.\nself.assertEqual(response.content, '{\"username\": \"lauren\", \"id\": 4}')",
"text":"The default format used to make test requests may be set using the TEST_REQUEST_DEFAULT_FORMAT setting key. For example, to always use JSON for test requests by default instead of standard multipart form requests, set the following in your settings.py file: REST_FRAMEWORK = {\n ...\n 'TEST_REQUEST_DEFAULT_FORMAT': 'json'\n}",
"text":"If you need to test requests using something other than multipart or json requests, you can do so by setting the TEST_REQUEST_RENDERER_CLASSES setting. For example, to add support for using format='html' in test requests, you might have something like this in your settings.py file. REST_FRAMEWORK = {\n ...\n 'TEST_REQUEST_RENDERER_CLASSES': (\n 'rest_framework.renderers.MultiPartRenderer',\n 'rest_framework.renderers.JSONRenderer',\n 'rest_framework.renderers.TemplateHTMLRenderer'\n )\n}",
"text":"Namespaces are one honking great idea - let's do more of those! The Zen of Python Configuration for REST framework is all namespaced inside a single Django setting, named REST_FRAMEWORK . For example your project's settings.py file might include something like this: REST_FRAMEWORK = {\n 'DEFAULT_RENDERER_CLASSES': (\n 'rest_framework.renderers.JSONRenderer',\n ),\n 'DEFAULT_PARSER_CLASSES': (\n 'rest_framework.parsers.JSONParser',\n )\n}",
"text":"If you need to access the values of REST framework's API settings in your project,\nyou should use the api_settings object. For example. from rest_framework.settings import api_settings\n\nprint api_settings.DEFAULT_AUTHENTICATION_CLASSES The api_settings object will check for any user-defined settings, and otherwise fall back to the default values. Any setting that uses string import paths to refer to a class will automatically import and return the referenced class, instead of the string literal.",
"text":"The following settings control the basic API policies, and are applied to every APIView class based view, or @api_view function based view. DEFAULT_RENDERER_CLASSES A list or tuple of renderer classes, that determines the default set of renderers that may be used when returning a Response object. Default: (\n 'rest_framework.renderers.JSONRenderer',\n 'rest_framework.renderers.BrowsableAPIRenderer',\n) DEFAULT_PARSER_CLASSES A list or tuple of parser classes, that determines the default set of parsers used when accessing the request.data property. Default: (\n 'rest_framework.parsers.JSONParser',\n 'rest_framework.parsers.FormParser',\n 'rest_framework.parsers.MultiPartParser'\n) DEFAULT_AUTHENTICATION_CLASSES A list or tuple of authentication classes, that determines the default set of authenticators used when accessing the request.user or request.auth properties. Default: (\n 'rest_framework.authentication.SessionAuthentication',\n 'rest_framework.authentication.BasicAuthentication'\n) DEFAULT_PERMISSION_CLASSES A list or tuple of permission classes, that determines the default set of permissions checked at the start of a view. Permission must be granted by every class in the list. Default: (\n 'rest_framework.permissions.AllowAny',\n) DEFAULT_THROTTLE_CLASSES A list or tuple of throttle classes, that determines the default set of throttles checked at the start of a view. Default: () DEFAULT_CONTENT_NEGOTIATION_CLASS A content negotiation class, that determines how a renderer is selected for the response, given an incoming request. Default: 'rest_framework.negotiation.DefaultContentNegotiation'",
"text":"The following settings control the behavior of the generic class based views. DEFAULT_PAGINATION_SERIALIZER_CLASS This setting has been removed. The pagination API does not use serializers to determine the output format, and\nyou'll need to instead override the `get_paginated_response method on a\npagination class in order to specify how the output format is controlled. DEFAULT_FILTER_BACKENDS A list of filter backend classes that should be used for generic filtering.\nIf set to None then generic filtering is disabled. PAGINATE_BY This setting has been removed. See the pagination documentation for further guidance on setting the pagination style . PAGE_SIZE The default page size to use for pagination. If set to None , pagination is disabled by default. Default: None PAGINATE_BY_PARAM This setting has been removed. See the pagination documentation for further guidance on setting the pagination style . MAX_PAGINATE_BY This setting is pending deprecation. See the pagination documentation for further guidance on setting the pagination style . SEARCH_PARAM The name of a query parameter, which can be used to specify the search term used by SearchFilter . Default: search ORDERING_PARAM The name of a query parameter, which can be used to specify the ordering of results returned by OrderingFilter . Default: ordering",
"text":"DEFAULT_VERSION The value that should be used for request.version when no versioning information is present. Default: None ALLOWED_VERSIONS If set, this value will restrict the set of versions that may be returned by the versioning scheme, and will raise an error if the provided version if not in this set. Default: None VERSION_PARAMETER The string that should used for any versioning parameters, such as in the media type or URL query parameters. Default: 'version'",
"text":"The following settings control the behavior of unauthenticated requests. UNAUTHENTICATED_USER The class that should be used to initialize request.user for unauthenticated requests. Default: django.contrib.auth.models.AnonymousUser UNAUTHENTICATED_TOKEN The class that should be used to initialize request.auth for unauthenticated requests. Default: None",
"title":"Authentication settings"
},
{
"location":"/api-guide/settings/#test-settings",
"text":"The following settings control the behavior of APIRequestFactory and APIClient TEST_REQUEST_DEFAULT_FORMAT The default format that should be used when making test requests. This should match up with the format of one of the renderer classes in the TEST_REQUEST_RENDERER_CLASSES setting. Default: 'multipart' TEST_REQUEST_RENDERER_CLASSES The renderer classes that are supported when building test requests. The format of any of these renderer classes may be used when constructing a test request, for example: client.post('/users', {'username': 'jamie'}, format='json') Default: (\n 'rest_framework.renderers.MultiPartRenderer',\n 'rest_framework.renderers.JSONRenderer'\n)",
"text":"URL_FORMAT_OVERRIDE The name of a URL parameter that may be used to override the default content negotiation Accept header behavior, by using a format=\u2026 query parameter in the request URL. For example: http://example.com/organizations/?format=csv If the value of this setting is None then URL format overrides will be disabled. Default: 'format' FORMAT_SUFFIX_KWARG The name of a parameter in the URL conf that may be used to provide a format suffix. This setting is applied when using format_suffix_patterns to include suffixed URL patterns. For example: http://example.com/organizations.csv/ Default: 'format'",
"text":"The following settings are used to control how date and time representations may be parsed and rendered. DATETIME_FORMAT A format string that should be used by default for rendering the output of DateTimeField serializer fields. If None , then DateTimeField serializer fields will return Python datetime objects, and the datetime encoding will be determined by the renderer. May be any of None , 'iso-8601' or a Python strftime format string. Default: 'iso-8601' DATETIME_INPUT_FORMATS A list of format strings that should be used by default for parsing inputs to DateTimeField serializer fields. May be a list including the string 'iso-8601' or Python strftime format strings. Default: ['iso-8601'] DATE_FORMAT A format string that should be used by default for rendering the output of DateField serializer fields. If None , then DateField serializer fields will return Python date objects, and the date encoding will be determined by the renderer. May be any of None , 'iso-8601' or a Python strftime format string. Default: 'iso-8601' DATE_INPUT_FORMATS A list of format strings that should be used by default for parsing inputs to DateField serializer fields. May be a list including the string 'iso-8601' or Python strftime format strings. Default: ['iso-8601'] TIME_FORMAT A format string that should be used by default for rendering the output of TimeField serializer fields. If None , then TimeField serializer fields will return Python time objects, and the time encoding will be determined by the renderer. May be any of None , 'iso-8601' or a Python strftime format string. Default: 'iso-8601' TIME_INPUT_FORMATS A list of format strings that should be used by default for parsing inputs to TimeField serializer fields. May be a list including the string 'iso-8601' or Python strftime format strings. Default: ['iso-8601']",
"title":"Date and time formatting"
},
{
"location":"/api-guide/settings/#encodings",
"text":"UNICODE_JSON When set to True , JSON responses will allow unicode characters in responses. For example: {\"unicode black star\":\"\u2605\"} When set to False , JSON responses will escape non-ascii characters, like so: {\"unicode black star\":\"\\u2605\"} Both styles conform to RFC 4627 , and are syntactically valid JSON. The unicode style is preferred as being more user-friendly when inspecting API responses. Default: True COMPACT_JSON When set to True , JSON responses will return compact representations, with no spacing after ':' and ',' characters. For example: {\"is_admin\":false,\"email\":\"jane@example\"} When set to False , JSON responses will return slightly more verbose representations, like so: {\"is_admin\": false, \"email\": \"jane@example\"} The default style is to return minified responses, in line with Heroku's API design guidelines . Default: True COERCE_DECIMAL_TO_STRING When returning decimal objects in API representations that do not support a native decimal type, it is normally best to return the value as a string. This avoids the loss of precision that occurs with binary floating point implementations. When set to True , the serializer DecimalField class will return strings instead of Decimal objects. When set to False , serializers will return Decimal objects, which the default JSON encoder will return as floats. Default: True",
"text":"The following settings are used to generate the view names and descriptions, as used in responses to OPTIONS requests, and as used in the browsable API. VIEW_NAME_FUNCTION A string representing the function that should be used when generating view names. This should be a function with the following signature: view_name(cls, suffix=None) cls : The view class. Typically the name function would inspect the name of the class when generating a descriptive name, by accessing cls.__name__ . suffix : The optional suffix used when differentiating individual views in a viewset. Default: 'rest_framework.views.get_view_name' VIEW_DESCRIPTION_FUNCTION A string representing the function that should be used when generating view descriptions. This setting can be changed to support markup styles other than the default markdown. For example, you can use it to support rst markup in your view docstrings being output in the browsable API. This should be a function with the following signature: view_description(cls, html=False) cls : The view class. Typically the description function would inspect the docstring of the class when generating a description, by accessing cls.__doc__ html : A boolean indicating if HTML output is required. True when used in the browsable API, and False when used in generating OPTIONS responses. Default: 'rest_framework.views.get_view_description'",
"text":"EXCEPTION_HANDLER A string representing the function that should be used when returning a response for any given exception. If the function returns None , a 500 error will be raised. This setting can be changed to support error responses other than the default {\"detail\": \"Failure...\"} responses. For example, you can use it to provide API responses like {\"errors\": [{\"message\": \"Failure...\", \"code\": \"\"} ...]} . This should be a function with the following signature: exception_handler(exc, context) exc : The exception. Default: 'rest_framework.views.exception_handler' NON_FIELD_ERRORS_KEY A string representing the key that should be used for serializer errors that do not refer to a specific field, but are instead general errors. Default: 'non_field_errors' URL_FIELD_NAME A string representing the key that should be used for the URL fields generated by HyperlinkedModelSerializer . Default: 'url' NUM_PROXIES An integer of 0 or more, that may be used to specify the number of application proxies that the API runs behind. This allows throttling to more accurately identify client IP addresses. If set to None then less strict IP matching will be used by the throttle classes. Default: None",
"text":"Documenting your API\n\n\n\n\nA REST API should spend almost all of its descriptive effort in defining the media type(s) used for representing resources and driving application state.\n\n\n Roy Fielding, \nREST APIs must be hypertext driven\n\n\n\n\nThere are a variety of approaches to API documentation. This document introduces a few of the various tools and options you might choose from. The approaches should not be considered exclusive - you may want to provide more than one documentation style for you API, such as a self describing API that also includes static documentation of the various API endpoints.\n\n\nEndpoint documentation\n\n\nThe most common way to document Web APIs today is to produce documentation that lists the API endpoints verbatim, and describes the allowable operations on each. There are various tools that allow you to do this in an automated or semi-automated way.\n\n\n\n\nDRF Docs\n\n\nDRF Docs\n allows you to document Web APIs made with Django REST Framework and it is authored by Emmanouil Konstantinidis. It's made to work out of the box and its setup should not take more than a couple of minutes. Complete documentation can be found on the \nwebsite\n while there is also a \ndemo\n available for people to see what it looks like. \nLive API Endpoints\n allow you to utilize the endpoints from within the documentation in a neat way.\n\n\nFeatures include customizing the template with your branding, settings for hiding the docs depending on the environment and more.\n\n\nBoth this package and Django REST Swagger are fully documented, well supported, and come highly recommended.\n\n\n\n\n\n\nDjango REST Swagger\n\n\nMarc Gibbons' \nDjango REST Swagger\n integrates REST framework with the \nSwagger\n API documentation tool. The package produces well presented API documentation, and includes interactive tools for testing API endpoints.\n\n\nDjango REST Swagger supports REST framework versions 2.3 and above.\n\n\nMark is also the author of the \nREST Framework Docs\n package which offers clean, simple autogenerated documentation for your API but is deprecated and has moved to Django REST Swagger.\n\n\nBoth this package and DRF docs are fully documented, well supported, and come highly recommended.\n\n\n\n\n\n\nApiary\n\n\nThere are various other online tools and services for providing API documentation. One notable service is \nApiary\n. With Apiary, you describe your API using a simple markdown-like syntax. The generated documentation includes API interaction, a mock server for testing \n prototyping, and various other tools.\n\n\n\n\n\n\nSelf describing APIs\n\n\nThe browsable API that REST framework provides makes it possible for your API to be entirely self describing. The documentation for each API endpoint can be provided simply by visiting the URL in your browser.\n\n\n\n\n\n\nSetting the title\n\n\nThe title that is used in the browsable API is generated from the view class name or function name. Any trailing \nView\n or \nViewSet\n suffix is stripped, and the string is whitespace separated on uppercase/lowercase boundaries or underscores.\n\n\nFor example, the view \nUserListView\n, will be named \nUser List\n when presented in the browsable API.\n\n\nWhen working with viewsets, an appropriate suffix is appended to each generated view. For example, the view set \nUserViewSet\n will generate views named \nUser List\n and \nUser Instance\n.\n\n\nSetting the description\n\n\nThe description in the browsable API is generated from the docstring of the view or viewset.\n\n\nIf the python \nmarkdown\n library is installed, then \nmarkdown syntax\n may be used in the docstring, and will be converted to HTML in the browsable API. For example:\n\n\nclass AccountListView(views.APIView):\n \"\"\"\n Returns a list of all **active** accounts in the system.\n\n For more details on how accounts are activated please [see here][ref].\n\n [ref]: http://example.com/activating-accounts\n \"\"\"\n\n\n\nNotethatoneconstraintofusingviewsetsisthatanydocumentation
"text":"A REST API should spend almost all of its descriptive effort in defining the media type(s) used for representing resources and driving application state. Roy Fielding, REST APIs must be hypertext driven There are a variety of approaches to API documentation. This document introduces a few of the various tools and options you might choose from. The approaches should not be considered exclusive - you may want to provide more than one documentation style for you API, such as a self describing API that also includes static documentation of the various API endpoints.",
"text":"The most common way to document Web APIs today is to produce documentation that lists the API endpoints verbatim, and describes the allowable operations on each. There are various tools that allow you to do this in an automated or semi-automated way. DRF Docs DRF Docs allows you to document Web APIs made with Django REST Framework and it is authored by Emmanouil Konstantinidis. It's made to work out of the box and its setup should not take more than a couple of minutes. Complete documentation can be found on the website while there is also a demo available for people to see what it looks like. Live API Endpoints allow you to utilize the endpoints from within the documentation in a neat way. Features include customizing the template with your branding, settings for hiding the docs depending on the environment and more. Both this package and Django REST Swagger are fully documented, well supported, and come highly recommended. Django REST Swagger Marc Gibbons' Django REST Swagger integrates REST framework with the Swagger API documentation tool. The package produces well presented API documentation, and includes interactive tools for testing API endpoints. Django REST Swagger supports REST framework versions 2.3 and above. Mark is also the author of the REST Framework Docs package which offers clean, simple autogenerated documentation for your API but is deprecated and has moved to Django REST Swagger. Both this package and DRF docs are fully documented, well supported, and come highly recommended. Apiary There are various other online tools and services for providing API documentation. One notable service is Apiary . With Apiary, you describe your API using a simple markdown-like syntax. The generated documentation includes API interaction, a mock server for testing prototyping, and various other tools.",
"text":"The browsable API that REST framework provides makes it possible for your API to be entirely self describing. The documentation for each API endpoint can be provided simply by visiting the URL in your browser. Setting the title The title that is used in the browsable API is generated from the view class name or function name. Any trailing View or ViewSet suffix is stripped, and the string is whitespace separated on uppercase/lowercase boundaries or underscores. For example, the view UserListView , will be named User List when presented in the browsable API. When working with viewsets, an appropriate suffix is appended to each generated view. For example, the view set UserViewSet will generate views named User List and User Instance . Setting the description The description in the browsable API is generated from the docstring of the view or viewset. If the python markdown library is installed, then markdown syntax may be used in the docstring, and will be converted to HTML in the browsable API. For example: class AccountListView(views.APIView):\n \"\"\"\n Returns a list of all **active** accounts in the system.\n\n For more details on how accounts are activated please [see here][ref].\n\n [ref]: http://example.com/activating-accounts\n \"\"\" Note that one constraint of using viewsets is that any documentation be used for all generated views, so for example, you cannot have differing documentation for the generated list view and detail view. The OPTIONS method REST framework APIs also support programmatically accessible descriptions, using the OPTIONS HTTP method. A view will respond to an OPTIONS request with metadata including the name, description, and the various media types it accepts and responds with. When using the generic views, any OPTIONS requests will additionally respond with metadata regarding any POST or PUT actions available, describing which fields are on the serializer. You can modify the response behavior to OPTIONS requests by overriding the metadata view method. For example: def metadata(self, request):\n \"\"\"\n Don't include the view description in OPTIONS responses.\n \"\"\"\n data = super(ExampleView, self).metadata(request)\n data.pop('description')\n return data",
"text":"To be fully RESTful an API should present its available actions as hypermedia controls in the responses that it sends. In this approach, rather than documenting the available API endpoints up front, the description instead concentrates on the media types that are used. The available actions that may be taken on any given URL are not strictly fixed, but are instead made available by the presence of link and form controls in the returned document. To implement a hypermedia API you'll need to decide on an appropriate media type for the API, and implement a custom renderer and parser for that media type. The REST, Hypermedia HATEOAS section of the documentation includes pointers to background reading, as well as links to various hypermedia formats.",
"title":"The hypermedia approach"
},
{
"location":"/topics/internationalization/",
"text":"Internationalization\n\n\n\n\nSupporting internationalization is not optional. It must be a core feature.\n\n\n \nJannis Leidel, speaking at Django Under the Hood, 2015\n.\n\n\n\n\nREST framework ships with translatable error messages. You can make these appear in your language enabling \nDjango's standard translation mechanisms\n.\n\n\nDoing so will allow you to:\n\n\n\n\nSelect a language other than English as the default, using the standard \nLANGUAGE_CODE\n Django setting.\n\n\nAllow clients to choose a language themselves, using the \nLocaleMiddleware\n included with Django. A typical usage for API clients would be to include an \nAccept-Language\n request header.\n\n\n\n\nEnabling internationalized APIs\n\n\nYou can change the default language by using the standard Django \nLANGUAGE_CODE\n setting:\n\n\nLANGUAGE_CODE = \"es-es\"\n\n\n\nYou can turn on per-request language requests by adding \nLocalMiddleware\n to your \nMIDDLEWARE_CLASSES\n setting:\n\n\nMIDDLEWARE_CLASSES = [\n ...\n 'django.middleware.locale.LocaleMiddleware'\n]\n\n\n\nWhen per-request internationalization is enabled, client requests will respect the \nAccept-Language\n header where possible. For example, let's make a request for an unsupported media type:\n\n\nRequest\n\n\nGET /api/users HTTP/1.1\nAccept: application/xml\nAccept-Language: es-es\nHost: example.org\n\n\n\nResponse\n\n\nHTTP/1.0 406 NOT ACCEPTABLE\n\n{\"detail\": \"No se ha podido satisfacer la solicitud de cabecera de Accept.\"}\n\n\n\nREST framework includes these built-in translations both for standard exception cases, and for serializer validation errors.\n\n\nNote that the translations only apply to the error strings themselves. The format of error messages, and the keys of field names will remain the same. An example \n400 Bad Request\n response body might look like this:\n\n\n{\"detail\": {\"username\": [\"Esse campo deve ser unico.\"]}}\n\n\n\nIfyouwanttousedifferentstringforpartsoftheresponsesuchas\ndetail\nand\nnon_field_errors\nthenyoucanmodifythisbehaviorbyusinga\ncustomexceptionhandler\n.\n\n\nSpecifyingthesetofsupportedlanguages.\n\n\nBydefaultallavailablelanguageswillbesupported.\n\n\nIfyouonlywishtosupportasubsetoftheavailablelanguages,useDjango'sstandard\nLANGUAGES\nsetting:\n\n\nLANGUAGES=[\n('de',_('German')),\n('en',_('English')),\n]\n\n\n\nAddingnewtranslations\n\n\nRESTframeworktranslationsaremanagedonlineusing\nTransifex\n.YoucanusetheTransifexservicetoaddnewtranslationlanguages.ThemaintenanceteamwillthenensurethatthesetranslationstringsareincludedintheRESTframeworkpackage.\n\n\nSometimesyoumayneedtoaddtranslationstringstoyourprojectlocally.Youmayneedtodothisif:\n\n\n\n\nYouwanttouseRESTFrameworkinalanguagewhichhasnotbeentranslatedyetonTransifex.\n\n\nYourprojectincludescustomerrormessages,whicharenotpartofRESTframework'sdefaulttranslationstrings.\n\n\n\n\nTranslatinganewlanguagelocally\n\n\nThisguideassumesyouarealreadyfamiliarwithhowtotranslateaDjangoapp.Ifyou'renot,startbyreading\nDjango'stranslationdocs\n.\n\n\nIfyou'retranslatinganewlanguageyou'llneedtotranslatetheexistingRESTframeworkerrormessages:\n\n\n\n\n\n\nMakeanewfolderwhereyouwanttostoretheinternationalizationresources.Addthispathtoyour\nLOCALE_PATHS\nsetting.\n\n\n\n\n\n\nNowcreateasubfolderforthelanguageyouwanttotranslate.Thefoldershouldbenamedusing\nlocalename\nnotation.Forexample:\nde\n,\npt_BR\n,\nes_AR\n.\n\n\n\n\n\n\nNowcopythe\nbasetranslationsfile\nfromtheRESTframeworksourcecodeintoyourtranslationsfolder.\n\n\n\n\n\n\nEditthe\ndjango.po\nfileyou'vejustcopied,translatingalltheerrormessages.\n\n\n\n\n\n\nRun\nmanage.pycompilemessages-lpt_BR\ntomakethetranslations\navailableforDjangotouse.Youshouldseeamessagelike\nprocessingfiledjango.poin\n...\n/locale/pt_BR/LC_MESSAGES\n.\n\n\n\
"text":"Supporting internationalization is not optional. It must be a core feature. Jannis Leidel, speaking at Django Under the Hood, 2015 . REST framework ships with translatable error messages. You can make these appear in your language enabling Django's standard translation mechanisms . Doing so will allow you to: Select a language other than English as the default, using the standard LANGUAGE_CODE Django setting. Allow clients to choose a language themselves, using the LocaleMiddleware included with Django. A typical usage for API clients would be to include an Accept-Language request header.",
"text":"You can change the default language by using the standard Django LANGUAGE_CODE setting: LANGUAGE_CODE = \"es-es\" You can turn on per-request language requests by adding LocalMiddleware to your MIDDLEWARE_CLASSES setting: MIDDLEWARE_CLASSES = [\n ...\n 'django.middleware.locale.LocaleMiddleware'\n] When per-request internationalization is enabled, client requests will respect the Accept-Language header where possible. For example, let's make a request for an unsupported media type: Request GET /api/users HTTP/1.1\nAccept: application/xml\nAccept-Language: es-es\nHost: example.org Response HTTP/1.0 406 NOT ACCEPTABLE\n\n{\"detail\": \"No se ha podido satisfacer la solicitud de cabecera de Accept.\"} REST framework includes these built-in translations both for standard exception cases, and for serializer validation errors. Note that the translations only apply to the error strings themselves. The format of error messages, and the keys of field names will remain the same. An example 400 Bad Request response body might look like this: {\"detail\": {\"username\": [\"Esse campo deve ser unico.\"]}} If you want to use different string for parts of the response such as detail and non_field_errors then you can modify this behavior by using a custom exception handler . Specifying the set of supported languages. By default all available languages will be supported. If you only wish to support a subset of the available languages, use Django's standard LANGUAGES setting: LANGUAGES = [\n ('de', _('German')),\n ('en', _('English')),\n]",
"text":"REST framework translations are managed online using Transifex . You can use the Transifex service to add new translation languages. The maintenance team will then ensure that these translation strings are included in the REST framework package. Sometimes you may need to add translation strings to your project locally. You may need to do this if: You want to use REST Framework in a language which has not been translated yet on Transifex. Your project includes custom error messages, which are not part of REST framework's default translation strings. Translating a new language locally This guide assumes you are already familiar with how to translate a Django app. If you're not, start by reading Django's translation docs . If you're translating a new language you'll need to translate the existing REST framework error messages: Make a new folder where you want to store the internationalization resources. Add this path to your LOCALE_PATHS setting. Now create a subfolder for the language you want to translate. The folder should be named using locale name notation. For example: de , pt_BR , es_AR . Now copy the base translations file from the REST framework source code into your translations folder. Edit the django.po file you've just copied, translating all the error messages. Run manage.py compilemessages -l pt_BR to make the translations \navailable for Django to use. You should see a message like processing file django.po in ... /locale/pt_BR/LC_MESSAGES . Restart your development server to see the changes take effect. If you're only translating custom error messages that exist inside your project codebase you don't need to copy the REST framework source django.po file into a LOCALE_PATHS folder, and can instead simply run Django's standard makemessages process.",
"text":"If you want to allow per-request language preferences you'll need to include django.middleware.locale.LocaleMiddleware in your MIDDLEWARE_CLASSES setting. You can find more information on how the language preference is determined in the Django documentation . For reference, the method is: First, it looks for the language prefix in the requested URL. Failing that, it looks for the LANGUAGE_SESSION_KEY key in the current user\u2019s session. Failing that, it looks for a cookie. Failing that, it looks at the Accept-Language HTTP header. Failing that, it uses the global LANGUAGE_CODE setting. For API clients the most appropriate of these will typically be to use the Accept-Language header; Sessions and cookies will not be available unless using session authentication, and generally better practice to prefer an Accept-Language header for API clients rather than using language URL prefixes.",
"title":"How the language is determined"
},
{
"location":"/topics/ajax-csrf-cors/",
"text":"Working with AJAX, CSRF \n CORS\n\n\n\n\n\"Take a close look at possible CSRF / XSRF vulnerabilities on your own websites. They're the worst kind of vulnerability \n very easy to exploit by attackers, yet not so intuitively easy to understand for software developers, at least until you've been bitten by one.\"\n\n\n \nJeff Atwood\n\n\n\n\nJavascript clients\n\n\nIf you\u2019re building a JavaScript client to interface with your Web API, you'll need to consider if the client can use the same authentication policy that is used by the rest of the website, and also determine if you need to use CSRF tokens or CORS headers.\n\n\nAJAX requests that are made within the same context as the API they are interacting with will typically use \nSessionAuthentication\n. This ensures that once a user has logged in, any AJAX requests made can be authenticated using the same session-based authentication that is used for the rest of the website.\n\n\nAJAX requests that are made on a different site from the API they are communicating with will typically need to use a non-session-based authentication scheme, such as \nTokenAuthentication\n.\n\n\nCSRF protection\n\n\nCross Site Request Forgery\n protection is a mechanism of guarding against a particular type of attack, which can occur when a user has not logged out of a web site, and continues to have a valid session. In this circumstance a malicious site may be able to perform actions against the target site, within the context of the logged-in session.\n\n\nTo guard against these type of attacks, you need to do two things:\n\n\n\n\nEnsure that the 'safe' HTTP operations, such as \nGET\n, \nHEAD\n and \nOPTIONS\n cannot be used to alter any server-side state.\n\n\nEnsure that any 'unsafe' HTTP operations, such as \nPOST\n, \nPUT\n, \nPATCH\n and \nDELETE\n, always require a valid CSRF token.\n\n\n\n\nIf you're using \nSessionAuthentication\n you'll need to include valid CSRF tokens for any \nPOST\n, \nPUT\n, \nPATCH\n or \nDELETE\n operations.\n\n\nIn order to make AJAX requests, you need to include CSRF token in the HTTP header, as \ndescribed in the Django documentation\n.\n\n\nCORS\n\n\nCross-Origin Resource Sharing\n is a mechanism for allowing clients to interact with APIs that are hosted on a different domain. CORS works by requiring the server to include a specific set of headers that allow a browser to determine if and when cross-domain requests should be allowed.\n\n\nThe best way to deal with CORS in REST framework is to add the required response headers in middleware. This ensures that CORS is supported transparently, without having to change any behavior in your views.\n\n\nOtto Yiu\n maintains the \ndjango-cors-headers\n package, which is known to work correctly with REST framework APIs.",
"text":"\"Take a close look at possible CSRF / XSRF vulnerabilities on your own websites. They're the worst kind of vulnerability very easy to exploit by attackers, yet not so intuitively easy to understand for software developers, at least until you've been bitten by one.\" Jeff Atwood",
"text":"If you\u2019re building a JavaScript client to interface with your Web API, you'll need to consider if the client can use the same authentication policy that is used by the rest of the website, and also determine if you need to use CSRF tokens or CORS headers. AJAX requests that are made within the same context as the API they are interacting with will typically use SessionAuthentication . This ensures that once a user has logged in, any AJAX requests made can be authenticated using the same session-based authentication that is used for the rest of the website. AJAX requests that are made on a different site from the API they are communicating with will typically need to use a non-session-based authentication scheme, such as TokenAuthentication .",
"text":"Cross Site Request Forgery protection is a mechanism of guarding against a particular type of attack, which can occur when a user has not logged out of a web site, and continues to have a valid session. In this circumstance a malicious site may be able to perform actions against the target site, within the context of the logged-in session. To guard against these type of attacks, you need to do two things: Ensure that the 'safe' HTTP operations, such as GET , HEAD and OPTIONS cannot be used to alter any server-side state. Ensure that any 'unsafe' HTTP operations, such as POST , PUT , PATCH and DELETE , always require a valid CSRF token. If you're using SessionAuthentication you'll need to include valid CSRF tokens for any POST , PUT , PATCH or DELETE operations. In order to make AJAX requests, you need to include CSRF token in the HTTP header, as described in the Django documentation .",
"title":"CSRF protection"
},
{
"location":"/topics/ajax-csrf-cors/#cors",
"text":"Cross-Origin Resource Sharing is a mechanism for allowing clients to interact with APIs that are hosted on a different domain. CORS works by requiring the server to include a specific set of headers that allow a browser to determine if and when cross-domain requests should be allowed. The best way to deal with CORS in REST framework is to add the required response headers in middleware. This ensures that CORS is supported transparently, without having to change any behavior in your views. Otto Yiu maintains the django-cors-headers package, which is known to work correctly with REST framework APIs.",
"text":"HTML \n Forms\n\n\nREST framework is suitable for returning both API style responses, and regular HTML pages. Additionally, serializers can used as HTML forms and rendered in templates.\n\n\nRendering HTML\n\n\nIn order to return HTML responses you'll need to either \nTemplateHTMLRenderer\n, or \nStaticHTMLRenderer\n.\n\n\nThe \nTemplateHTMLRenderer\n class expects the response to contain a dictionary of context data, and renders an HTML page based on a template that must be specified either in the view or on the response.\n\n\nThe \nStaticHTMLRender\n class expects the response to contain a string of the pre-rendered HTML content.\n\n\nBecause static HTML pages typically have different behavior from API responses you'll probably need to write any HTML views explicitly, rather than relying on the built-in generic views.\n\n\nHere's an example of a view that returns a list of \"Profile\" instances, rendered in an HTML template:\n\n\nviews.py\n:\n\n\nfrom my_project.example.models import Profile\nfrom rest_framework.renderers import TemplateHTMLRenderer\nfrom rest_framework.response import Response\nfrom rest_framework.views import APIView\n\n\nclass ProfileList(APIView):\n renderer_classes = [TemplateHTMLRenderer]\n template_name = 'profile_list.html'\n\n def get(self, request):\n queryset = Profile.objects.all()\n return Response({'profiles': queryset})\n\n\n\nprofile_list.html\n:\n\n\nhtml\nbody\n\n\nh1\nProfiles\n/h1\n\n\nul\n\n {% for profile in profiles %}\n \nli\n{{ profile.name }}\n/li\n\n {% endfor %}\n\n/ul\n\n\n/body\n/html\n\n\n\n\nRendering Forms\n\n\nSerializers may be rendered as forms by using the \nrender_form\n template tag, and including the serializer instance as context to the template.\n\n\nThe following view demonstrates an example of using a serializer in a template for viewing and updating a model instance:\n\n\nviews.py\n:\n\n\nfrom django.shortcuts import get_object_or_404\nfrom my_project.example.models import Profile\nfrom rest_framework.renderers import TemplateHTMLRenderer\nfrom rest_framework.views import APIView\n\n\nclass ProfileDetail(APIView):\n renderer_classes = [TemplateHTMLRenderer]\n template_name = 'profile_detail.html'\n\n def get(self, request, pk):\n profile = get_object_or_404(Profile, pk=pk)\n serializer = ProfileSerializer(profile)\n return Response({'serializer': serializer, 'profile': profile})\n\n def post(self, request, pk):\n profile = get_object_or_404(Profile, pk=pk)\n serializer = ProfileSerializer(profile, data=request.data)\n if not serializer.is_valid():\n return Response({'serializer': serializer, 'profile': profile})\n serializer.save()\n return redirect('profile-list')\n\n\n\nprofile_detail.html\n:\n\n\n{% load rest_framework %}\n\n\nhtml\nbody\n\n\n\nh1\nProfile - {{ profile.name }}\n/h1\n\n\n\nform action=\"{% url 'profile-detail' pk=profile.pk %}\" method=\"POST\"\n\n {% csrf_token %}\n {% render_form serializer %}\n \ninput type=\"submit\" value=\"Save\"\n\n\n/form\n\n\n\n/body\n/html\n\n\n\n\nUsing template packs\n\n\nThe \nrender_form\n tag takes an optional \ntemplate_pack\n argument, that specifies which template directory should be used for rendering the form and form fields.\n\n\nREST framework includes three built-in template packs, all based on Bootstrap 3. The built-in styles are \nhorizontal\n, \nvertical\n, and \ninline\n. The default style is \nhorizontal\n. To use any of these template packs you'll want to also include the Bootstrap 3 CSS.\n\n\nThe following HTML will link to a CDN hosted version of the Bootstrap 3 CSS:\n\n\nhead\n\n \u2026\n \nlink rel=\"stylesheet\" href=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css\"\n\n\n/head\n\n\n\n\nThirdpartypackagesmayincludealternatetemplatepacks,bybundlingatemplatedirectorycontainingthenecessaryformandfieldtemplates.\n\n\nLet'stakealookathowtorendereachofthethreeavailabletemplatepacks.Fortheseex
"text":"REST framework is suitable for returning both API style responses, and regular HTML pages. Additionally, serializers can used as HTML forms and rendered in templates.",
"text":"In order to return HTML responses you'll need to either TemplateHTMLRenderer , or StaticHTMLRenderer . The TemplateHTMLRenderer class expects the response to contain a dictionary of context data, and renders an HTML page based on a template that must be specified either in the view or on the response. The StaticHTMLRender class expects the response to contain a string of the pre-rendered HTML content. Because static HTML pages typically have different behavior from API responses you'll probably need to write any HTML views explicitly, rather than relying on the built-in generic views. Here's an example of a view that returns a list of \"Profile\" instances, rendered in an HTML template: views.py : from my_project.example.models import Profile\nfrom rest_framework.renderers import TemplateHTMLRenderer\nfrom rest_framework.response import Response\nfrom rest_framework.views import APIView\n\n\nclass ProfileList(APIView):\n renderer_classes = [TemplateHTMLRenderer]\n template_name = 'profile_list.html'\n\n def get(self, request):\n queryset = Profile.objects.all()\n return Response({'profiles': queryset}) profile_list.html : html body h1 Profiles /h1 ul \n {% for profile in profiles %}\n li {{ profile.name }} /li \n {% endfor %} /ul /body /html",
"text":"Serializers may be rendered as forms by using the render_form template tag, and including the serializer instance as context to the template. The following view demonstrates an example of using a serializer in a template for viewing and updating a model instance: views.py : from django.shortcuts import get_object_or_404\nfrom my_project.example.models import Profile\nfrom rest_framework.renderers import TemplateHTMLRenderer\nfrom rest_framework.views import APIView\n\n\nclass ProfileDetail(APIView):\n renderer_classes = [TemplateHTMLRenderer]\n template_name = 'profile_detail.html'\n\n def get(self, request, pk):\n profile = get_object_or_404(Profile, pk=pk)\n serializer = ProfileSerializer(profile)\n return Response({'serializer': serializer, 'profile': profile})\n\n def post(self, request, pk):\n profile = get_object_or_404(Profile, pk=pk)\n serializer = ProfileSerializer(profile, data=request.data)\n if not serializer.is_valid():\n return Response({'serializer': serializer, 'profile': profile})\n serializer.save()\n return redirect('profile-list') profile_detail.html : {% load rest_framework %} html body h1 Profile - {{ profile.name }} /h1 form action=\"{% url 'profile-detail' pk=profile.pk %}\" method=\"POST\" \n {% csrf_token %}\n {% render_form serializer %}\n input type=\"submit\" value=\"Save\" /form /body /html Using template packs The render_form tag takes an optional template_pack argument, that specifies which template directory should be used for rendering the form and form fields. REST framework includes three built-in template packs, all based on Bootstrap 3. The built-in styles are horizontal , vertical , and inline . The default style is horizontal . To use any of these template packs you'll want to also include the Bootstrap 3 CSS. The following HTML will link to a CDN hosted version of the Bootstrap 3 CSS: head \n \u2026\n link rel=\"stylesheet\" href=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css\" /head Third party packages may include alternate template packs, by bundling a template directory containing the necessary form and field templates. Let's take a look at how to render each of the three available template packs. For these examples we'll use a single serializer class to present a \"Login\" form. class LoginSerializer(serializers.Serializer):\n email = serializers.EmailField(\n max_length=100,\n style={'placeholder': 'Email'}\n )\n password = serializers.CharField(\n max_length=100,\n style={'input_type': 'password', 'placeholder': 'Password'}\n )\n remember_me = serializers.BooleanField() rest_framework/vertical Presents form labels above their corresponding control inputs, using the standard Bootstrap layout. This is the default template pack. {% load rest_framework %}\n\n... form action=\"{% url 'login' %}\" method=\"post\" novalidate \n {% csrf_token %}\n {% render_form serializer template_pack='rest_framework/vertical' %}\n button type=\"submit\" class=\"btn btn-default\" Sign in /button /form rest_framework/horizontal Presents labels and controls alongside each other, using a 2/10 column split. This is the form style used in the browsable API and admin renderers. {% load rest_framework %}\n\n... form class=\"form-horizontal\" action=\"{% url 'login' %}\" method=\"post\" novalidate \n {% csrf_token %}\n {% render_form serializer %}\n div class=\"form-group\" \n div class=\"col-sm-offset-2 col-sm-10\" \n button type=\"submit\" class=\"btn btn-default\" Sign in /button \n /div \n /div /form rest_framework/inline A compact form style that presents all the controls inline. {% load rest_framework %}\n\n... form class=\"form-inline\" action=\"{% url 'login' %}\" method=\"post\" novalidate \n {% csrf_token %}\n {% render_form serializer template_pack='rest_framework/inline' %}\n button type=\"submit\"c
"text":"Serializer fields can have their rendering style customized by using the style keyword argument. This argument is a dictionary of options that control the template and layout used. The most common way to customize the field style is to use the base_template style keyword argument to select which template in the template pack should be use. For example, to render a CharField as an HTML textarea rather than the default HTML input, you would use something like this: details = serializers.CharField(\n max_length=1000,\n style={'base_template': 'textarea.html'}\n) If you instead want a field to be rendered using a custom template that is not part of an included template pack , you can instead use the template style option, to fully specify a template name: details = serializers.CharField(\n max_length=1000,\n style={'template': 'my-field-templates/custom-input.html'}\n) Field templates can also use additional style properties, depending on their type. For example, the textarea.html template also accepts a rows property that can be used to affect the sizing of the control. details = serializers.CharField(\n max_length=1000,\n style={'base_template': 'textarea.html', 'rows': 10}\n) The complete list of base_template options and their associated style options is listed below. base_template Valid field types Additional style options input.html Any string, numeric or date/time field input_type, placeholder, hide_label textarea.html CharField rows, placeholder, hide_label select.html ChoiceField or relational field types hide_label radio.html ChoiceField or relational field types inline, hide_label select_multiple.html MultipleChoiceField or relational fields with many=True hide_label checkbox_multiple.html MultipleChoiceField or relational fields with many=True inline, hide_label checkbox.html BooleanField hide_label fieldset.html Nested serializer hide_label list_fieldset.html ListField or nested serializer with many=True hide_label",
"text":"Browser enhancements\n\n\n\n\n\"There are two noncontroversial uses for overloaded POST. The first is to \nsimulate\n HTTP's uniform interface for clients like web browsers that don't support PUT or DELETE\"\n\n\n \nRESTful Web Services\n, Leonard Richardson \n Sam Ruby.\n\n\n\n\nIn order to allow the browsable API to function, there are a couple of browser enhancements that REST framework needs to provide.\n\n\nAs of version 3.3.0 onwards these are enabled with javascript, using the \najax-form\n library.\n\n\nBrowser based PUT, DELETE, etc...\n\n\nThe \nAJAX form library\n supports browser-based \nPUT\n, \nDELETE\n and other methods on HTML forms.\n\n\nAfter including the library, use the \ndata-method\n attribute on the form, like so:\n\n\nform action=\"/\" data-method=\"PUT\"\n\n \ninput name='foo'/\n\n ...\n\n/form\n\n\n\n\nNote that prior to 3.3.0, this support was server-side rather than javascript based. The method overloading style (as used in \nRuby on Rails\n) is no longer supported due to subtle issues that it introduces in request parsing.\n\n\nBrowser based submission of non-form content\n\n\nBrowser-based submission of content types such as JSON are supported by the \nAJAX form library\n, using form fields with \ndata-override='content-type'\n and \ndata-override='content'\n attributes.\n\n\nFor example:\n\n\n \nform action=\"/\"\n\n \ninput data-override='content-type' value='application/json' type='hidden'/\n\n \ntextarea data-override='content'\n{}\n/textarea\n\n \ninput type=\"submit\"/\n\n \n/form\n\n\n\n\nNote that prior to 3.3.0, this support was server-side rather than javascript based.\n\n\nURL based format suffixes\n\n\nREST framework can take \n?format=json\n style URL parameters, which can be a\nuseful shortcut for determining which content type should be returned from\nthe view.\n\n\nThis behavior is controlled using the \nURL_FORMAT_OVERRIDE\n setting.\n\n\nHTTP header based method overriding\n\n\nPrior to version 3.3.0 the semi extension header \nX-HTTP-Method-Override\n was supported for overriding the request method. This behavior is no longer in core, but can be adding if needed using middleware.\n\n\nFor example:\n\n\nMETHOD_OVERRIDE_HEADER = 'HTTP_X_HTTP_METHOD_OVERRIDE'\n\nclass MethodOverrideMiddleware(object):\n def process_view(self, request, callback, callback_args, callback_kwargs):\n if request.method != 'POST':\n return\n if METHOD_OVERRIDE_HEADER not in request.META:\n return\n request.method = request.META[METHOD_OVERRIDE_HEADER]\n\n\n\nURL based accept headers\n\n\nUntil version 3.3.0 REST framework included built-in support for \n?accept=application/json\n style URL parameters, which would allow the \nAccept\n header to be overridden.\n\n\nSince the introduction of the content negotiation API this behavior is no longer included in core, but may be added using a custom content negotiation class, if needed.\n\n\nFor example:\n\n\nclass AcceptQueryParamOverride()\n def get_accept_list(self, request):\n header = request.META.get('HTTP_ACCEPT', '*/*')\n header = request.query_params.get('_accept', header)\n return [token.strip() for token in header.split(',')]\n\n\n\nDoesn't HTML5 support PUT and DELETE forms?\n\n\nNope. It was at one point intended to support \nPUT\n and \nDELETE\n forms, but\nwas later \ndropped from the spec\n. There remains\n\nongoing discussion\n about adding support for \nPUT\n and \nDELETE\n,\nas well as how to support content types other than form-encoded data.",
"text":"\"There are two noncontroversial uses for overloaded POST. The first is to simulate HTTP's uniform interface for clients like web browsers that don't support PUT or DELETE\" RESTful Web Services , Leonard Richardson Sam Ruby. In order to allow the browsable API to function, there are a couple of browser enhancements that REST framework needs to provide. As of version 3.3.0 onwards these are enabled with javascript, using the ajax-form library.",
"text":"The AJAX form library supports browser-based PUT , DELETE and other methods on HTML forms. After including the library, use the data-method attribute on the form, like so: form action=\"/\" data-method=\"PUT\" \n input name='foo'/ \n ... /form Note that prior to 3.3.0, this support was server-side rather than javascript based. The method overloading style (as used in Ruby on Rails ) is no longer supported due to subtle issues that it introduces in request parsing.",
"text":"Browser-based submission of content types such as JSON are supported by the AJAX form library , using form fields with data-override='content-type' and data-override='content' attributes. For example: form action=\"/\" \n input data-override='content-type' value='application/json' type='hidden'/ \n textarea data-override='content' {} /textarea \n input type=\"submit\"/ \n /form Note that prior to 3.3.0, this support was server-side rather than javascript based.",
"text":"REST framework can take ?format=json style URL parameters, which can be a\nuseful shortcut for determining which content type should be returned from\nthe view. This behavior is controlled using the URL_FORMAT_OVERRIDE setting.",
"text":"Prior to version 3.3.0 the semi extension header X-HTTP-Method-Override was supported for overriding the request method. This behavior is no longer in core, but can be adding if needed using middleware. For example: METHOD_OVERRIDE_HEADER = 'HTTP_X_HTTP_METHOD_OVERRIDE'\n\nclass MethodOverrideMiddleware(object):\n def process_view(self, request, callback, callback_args, callback_kwargs):\n if request.method != 'POST':\n return\n if METHOD_OVERRIDE_HEADER not in request.META:\n return\n request.method = request.META[METHOD_OVERRIDE_HEADER]",
"text":"Until version 3.3.0 REST framework included built-in support for ?accept=application/json style URL parameters, which would allow the Accept header to be overridden. Since the introduction of the content negotiation API this behavior is no longer included in core, but may be added using a custom content negotiation class, if needed. For example: class AcceptQueryParamOverride()\n def get_accept_list(self, request):\n header = request.META.get('HTTP_ACCEPT', '*/*')\n header = request.query_params.get('_accept', header)\n return [token.strip() for token in header.split(',')]",
"text":"Nope. It was at one point intended to support PUT and DELETE forms, but\nwas later dropped from the spec . There remains ongoing discussion about adding support for PUT and DELETE ,\nas well as how to support content types other than form-encoded data.",
"title":"Doesn't HTML5 support PUT and DELETE forms?"
"text":"The Browsable API\n\n\n\n\nIt is a profoundly erroneous truism... that we should cultivate the habit of thinking of what we are doing. The precise opposite is the case. Civilization advances by extending the number of important operations which we can perform without thinking about them.\n\n\n \nAlfred North Whitehead\n, An Introduction to Mathematics (1911)\n\n\n\n\nAPI may stand for Application \nProgramming\n Interface, but humans have to be able to read the APIs, too; someone has to do the programming. Django REST Framework supports generating human-friendly HTML output for each resource when the \nHTML\n format is requested. These pages allow for easy browsing of resources, as well as forms for submitting data to the resources using \nPOST\n, \nPUT\n, and \nDELETE\n.\n\n\nURLs\n\n\nIf you include fully-qualified URLs in your resource output, they will be 'urlized' and made clickable for easy browsing by humans. The \nrest_framework\n package includes a \nreverse\n helper for this purpose.\n\n\nFormats\n\n\nBy default, the API will return the format specified by the headers, which in the case of the browser is HTML. The format can be specified using \n?format=\n in the request, so you can look at the raw JSON response in a browser by adding \n?format=json\n to the URL. There are helpful extensions for viewing JSON in \nFirefox\n and \nChrome\n.\n\n\nCustomizing\n\n\nThe browsable API is built with \nTwitter's Bootstrap\n (v 3.3.5), making it easy to customize the look-and-feel.\n\n\nTo customize the default style, create a template called \nrest_framework/api.html\n that extends from \nrest_framework/base.html\n. For example:\n\n\ntemplates/rest_framework/api.html\n\n\n{% extends \"rest_framework/base.html\" %}\n\n... # Override blocks with required customizations\n\n\n\nOverriding the default theme\n\n\nTo replace the default theme, add a \nbootstrap_theme\n block to your \napi.html\n and insert a \nlink\n to the desired Bootstrap theme css file. This will completely replace the included theme.\n\n\n{% block bootstrap_theme %}\n \nlink rel=\"stylesheet\" href=\"/path/to/my/bootstrap.css\" type=\"text/css\"\n\n{% endblock %}\n\n\n\nSuitable pre-made replacement themes are available at \nBootswatch\n. To use any of the Bootswatch themes, simply download the theme's \nbootstrap.min.css\n file, add it to your project, and replace the default one as described above.\n\n\nYou can also change the navbar variant, which by default is \nnavbar-inverse\n, using the \nbootstrap_navbar_variant\n block. The empty \n{% block bootstrap_navbar_variant %}{% endblock %}\n will use the original Bootstrap navbar style.\n\n\nFull example:\n\n\n{% extends \"rest_framework/base.html\" %}\n\n{% block bootstrap_theme %}\n \nlink rel=\"stylesheet\" href=\"http://bootswatch.com/flatly/bootstrap.min.css\" type=\"text/css\"\n\n{%endblock%}\n\n{%blockbootstrap_navbar_variant%}{%endblock%}\n\n\n\nFormorespecificCSStweaksthansimplyoverridingthedefaultbootstrapthemeyoucanoverridethe\nstyle\nblock.\n\n\n\n\n\n\nScreenshotofthebootswatch'Cerulean'theme\n\n\n\n\n\n\nScreenshotofthebootswatch'Slate'theme\n\n\n\n\nBlocks\n\n\nAlloftheblocksavailableinthebrowsableAPIbasetemplatethatcanbeusedinyour\napi.html\n.\n\n\n\n\nbody\n-Theentirehtml\nbody\n.\n\n\nbodyclass\n-Classattributeforthe\nbody\ntag,emptybydefault.\n\n\nbootstrap_theme\n-CSSfortheBootstraptheme.\n\n\nbootstrap_navbar_variant\n-CSSclassforthenavbar.\n\n\nbranding\n-Brandingsectionofthenavbar,see\nBootstrapcomponents\n.\n\n\nbreadcrumbs\n-Linksshowingresourcenesting,allowingtheusertogobackuptheresources.It'srecommendedtopreservethese,buttheycanbeoverriddenusingthebreadcrumbsblock.\n\n\nscript\n-JavaScriptfilesforthepage.\n\n\nstyle\n-CSSstylesheetsforthepage.\n\n\ntitle\n-Titleoft
"text":"It is a profoundly erroneous truism... that we should cultivate the habit of thinking of what we are doing. The precise opposite is the case. Civilization advances by extending the number of important operations which we can perform without thinking about them. Alfred North Whitehead , An Introduction to Mathematics (1911) API may stand for Application Programming Interface, but humans have to be able to read the APIs, too; someone has to do the programming. Django REST Framework supports generating human-friendly HTML output for each resource when the HTML format is requested. These pages allow for easy browsing of resources, as well as forms for submitting data to the resources using POST , PUT , and DELETE .",
"title":"The Browsable API"
},
{
"location":"/topics/browsable-api/#urls",
"text":"If you include fully-qualified URLs in your resource output, they will be 'urlized' and made clickable for easy browsing by humans. The rest_framework package includes a reverse helper for this purpose.",
"title":"URLs"
},
{
"location":"/topics/browsable-api/#formats",
"text":"By default, the API will return the format specified by the headers, which in the case of the browser is HTML. The format can be specified using ?format= in the request, so you can look at the raw JSON response in a browser by adding ?format=json to the URL. There are helpful extensions for viewing JSON in Firefox and Chrome .",
"text":"The browsable API is built with Twitter's Bootstrap (v 3.3.5), making it easy to customize the look-and-feel. To customize the default style, create a template called rest_framework/api.html that extends from rest_framework/base.html . For example: templates/rest_framework/api.html {% extends \"rest_framework/base.html\" %}\n\n... # Override blocks with required customizations Overriding the default theme To replace the default theme, add a bootstrap_theme block to your api.html and insert a link to the desired Bootstrap theme css file. This will completely replace the included theme. {% block bootstrap_theme %}\n link rel=\"stylesheet\" href=\"/path/to/my/bootstrap.css\" type=\"text/css\" \n{% endblock %} Suitable pre-made replacement themes are available at Bootswatch . To use any of the Bootswatch themes, simply download the theme's bootstrap.min.css file, add it to your project, and replace the default one as described above. You can also change the navbar variant, which by default is navbar-inverse , using the bootstrap_navbar_variant block. The empty {% block bootstrap_navbar_variant %}{% endblock %} will use the original Bootstrap navbar style. Full example: {% extends \"rest_framework/base.html\" %}\n\n{% block bootstrap_theme %}\n link rel=\"stylesheet\" href=\"http://bootswatch.com/flatly/bootstrap.min.css\" type=\"text/css\" \n{% endblock %}\n\n{% block bootstrap_navbar_variant %}{% endblock %} For more specific CSS tweaks than simply overriding the default bootstrap theme you can override the style block. Screenshot of the bootswatch 'Cerulean' theme Screenshot of the bootswatch 'Slate' theme Blocks All of the blocks available in the browsable API base template that can be used in your api.html . body - The entire html body . bodyclass - Class attribute for the body tag, empty by default. bootstrap_theme - CSS for the Bootstrap theme. bootstrap_navbar_variant - CSS class for the navbar. branding - Branding section of the navbar, see Bootstrap components . breadcrumbs - Links showing resource nesting, allowing the user to go back up the resources. It's recommended to preserve these, but they can be overridden using the breadcrumbs block. script - JavaScript files for the page. style - CSS stylesheets for the page. title - Title of the page. userlinks - This is a list of links on the right of the header, by default containing login/logout links. To add links instead of replace, use {{ block.super }} to preserve the authentication links. Components All of the standard Bootstrap components are available. Tooltips The browsable API makes use of the Bootstrap tooltips component. Any element with the js-tooltip class and a title attribute has that title content will display a tooltip on hover events. Login Template To add branding and customize the look-and-feel of the login template, create a template called login.html and add it to your project, eg: templates/rest_framework/login.html . The template should extend from rest_framework/login_base.html . You can add your site name or branding by including the branding block: {% block branding %}\n h3 style=\"margin: 0 0 20px;\"MySiteName/h3\n{%endblock%}Youcanalsocustomizethestylebyaddingthebootstrap_themeorstyleblocksimilartoapi.html.AdvancedCustomizationContextThecontextthat'savailabletothetemplate:allowed_methods:Alistofmethodsallowedbytheresourceapi_settings:TheAPIsettingsavailable_formats:Alistofformatsallowedbytheresourcebreadcrumblist:Thelistoflinksfollowingthechainofnestedresourcescontent:ThecontentoftheAPIresponsedescription:Thedescriptionoftheresource,generatedfromitsdocstringname:Thenameoftheresou
"text":"REST, Hypermedia \n HATEOAS\n\n\n\n\nYou keep using that word \"REST\". I do not think it means what you think it means.\n\n\n Mike Amundsen, \nREST fest 2012 keynote\n.\n\n\n\n\nFirst off, the disclaimer. The name \"Django REST framework\" was decided back in early 2011 and was chosen simply to sure the project would be easily found by developers. Throughout the documentation we try to use the more simple and technically correct terminology of \"Web APIs\".\n\n\nIf you are serious about designing a Hypermedia API, you should look to resources outside of this documentation to help inform your design choices.\n\n\nThe following fall into the \"required reading\" category.\n\n\n\n\nRoy Fielding's dissertation - \nArchitectural Styles and\nthe Design of Network-based Software Architectures\n.\n\n\nRoy Fielding's \"\nREST APIs must be hypertext-driven\n\" blog post.\n\n\nLeonard Richardson \n Mike Amundsen's \nRESTful Web APIs\n.\n\n\nMike Amundsen's \nBuilding Hypermedia APIs with HTML5 and Node\n.\n\n\nSteve Klabnik's \nDesigning Hypermedia APIs\n.\n\n\nThe \nRichardson Maturity Model\n.\n\n\n\n\nFor a more thorough background, check out Klabnik's \nHypermedia API reading list\n.\n\n\nBuilding Hypermedia APIs with REST framework\n\n\nREST framework is an agnostic Web API toolkit. It does help guide you towards building well-connected APIs, and makes it easy to design appropriate media types, but it does not strictly enforce any particular design style.\n\n\nWhat REST framework provides.\n\n\nIt is self evident that REST framework makes it possible to build Hypermedia APIs. The browsable API that it offers is built on HTML - the hypermedia language of the web.\n\n\nREST framework also includes \nserialization\n and \nparser\n/\nrenderer\n components that make it easy to build appropriate media types, \nhyperlinked relations\n for building well-connected systems, and great support for \ncontent negotiation\n.\n\n\nWhat REST framework doesn't provide.\n\n\nWhat REST framework doesn't do is give you machine readable hypermedia formats such as \nHAL\n, \nCollection+JSON\n, \nJSON API\n or HTML \nmicroformats\n by default, or the ability to auto-magically create fully HATEOAS style APIs that include hypermedia-based form descriptions and semantically labelled hyperlinks. Doing so would involve making opinionated choices about API design that should really remain outside of the framework's scope.",
"text":"You keep using that word \"REST\". I do not think it means what you think it means. Mike Amundsen, REST fest 2012 keynote . First off, the disclaimer. The name \"Django REST framework\" was decided back in early 2011 and was chosen simply to sure the project would be easily found by developers. Throughout the documentation we try to use the more simple and technically correct terminology of \"Web APIs\". If you are serious about designing a Hypermedia API, you should look to resources outside of this documentation to help inform your design choices. The following fall into the \"required reading\" category. Roy Fielding's dissertation - Architectural Styles and\nthe Design of Network-based Software Architectures . Roy Fielding's \" REST APIs must be hypertext-driven \" blog post. Leonard Richardson Mike Amundsen's RESTful Web APIs . Mike Amundsen's Building Hypermedia APIs with HTML5 and Node . Steve Klabnik's Designing Hypermedia APIs . The Richardson Maturity Model . For a more thorough background, check out Klabnik's Hypermedia API reading list .",
"text":"REST framework is an agnostic Web API toolkit. It does help guide you towards building well-connected APIs, and makes it easy to design appropriate media types, but it does not strictly enforce any particular design style.",
"title":"Building Hypermedia APIs with REST framework"
"text":"It is self evident that REST framework makes it possible to build Hypermedia APIs. The browsable API that it offers is built on HTML - the hypermedia language of the web. REST framework also includes serialization and parser / renderer components that make it easy to build appropriate media types, hyperlinked relations for building well-connected systems, and great support for content negotiation .",
"text":"What REST framework doesn't do is give you machine readable hypermedia formats such as HAL , Collection+JSON , JSON API or HTML microformats by default, or the ability to auto-magically create fully HATEOAS style APIs that include hypermedia-based form descriptions and semantically labelled hyperlinks. Doing so would involve making opinionated choices about API design that should really remain outside of the framework's scope.",
"text":"Third Party Resources\n\n\n\n\nSoftware ecosystems [\u2026] establish a community that further accelerates the sharing of knowledge, content, issues, expertise and skills.\n\n\n \nJan Bosch\n.\n\n\n\n\nAbout Third Party Packages\n\n\nThird Party Packages allow developers to share code that extends the functionality of Django REST framework, in order to support additional use-cases.\n\n\nWe \nsupport\n, \nencourage\n and \nstrongly favor\n the creation of Third Party Packages to encapsulate new behavior rather than adding additional functionality directly to Django REST Framework.\n\n\nWe aim to make creating third party packages as easy as possible, whilst keeping a \nsimple\n and \nwell maintained\n core API. By promoting third party packages we ensure that the responsibility for a package remains with its author. If a package proves suitably popular it can always be considered for inclusion into the core REST framework.\n\n\nIf you have an idea for a new feature please consider how it may be packaged as a Third Party Package. We're always happy to discuss ideas on the \nMailing List\n.\n\n\nHow to create a Third Party Package\n\n\nCreating your package\n\n\nYou can use \nthis cookiecutter template\n for creating reusable Django REST Framework packages quickly. Cookiecutter creates projects from project templates. While optional, this cookiecutter template includes best practices from Django REST framework and other packages, as well as a Travis CI configuration, Tox configuration, and a sane setup.py for easy PyPI registration/distribution.\n\n\nNote: Let us know if you have an alternate cookiecuter package so we can also link to it.\n\n\nRunning the initial cookiecutter command\n\n\nTo run the initial cookiecutter command, you'll first need to install the Python \ncookiecutter\n package.\n\n\n$ pip install cookiecutter\n\n\n\nOnce \ncookiecutter\n is installed just run the following to create a new project.\n\n\n$ cookiecutter gh:jpadilla/cookiecutter-django-rest-framework\n\n\n\nYou'll be prompted for some questions, answer them, then it'll create your Python package in the current working directory based on those values.\n\n\nfull_name (default is \"Your full name here\")? Johnny Appleseed\nemail (default is \"you@example.com\")? jappleseed@example.com\ngithub_username (default is \"yourname\")? jappleseed\npypi_project_name (default is \"dj-package\")? djangorestframework-custom-auth\nrepo_name (default is \"dj-package\")? django-rest-framework-custom-auth\napp_name (default is \"djpackage\")? custom_auth\nproject_short_description (default is \"Your project description goes here\")?\nyear (default is \"2014\")?\nversion (default is \"0.1.0\")?\n\n\n\nGettingitontoGitHub\n\n\nToputyourprojectuponGitHub,you'llneedarepositoryforittolivein.Youcancreateanewrepository\nhere\n.Ifyouneedhelp,checkoutthe\nCreateARepo\narticleonGitHub.\n\n\nAddingtoTravisCI\n\n\nWerecommendusing\nTravisCI\n,ahostedcontinuousintegrationservicewhichintegrateswellwithGitHubandisfreeforpublicrepositories.\n\n\nTogetstartedwithTravisCI,\nsignin\nwithyourGitHubaccount.Onceyou'resignedin,gotoyour\nprofilepage\nandenabletheservicehookfortherepositoryyouwant.\n\n\nIfyouusethecookiecuttertemplate,yourprojectwillalreadycontaina\n.travis.yml\nfilewhichTravisCIwillusetobuildyourprojectandruntests.Bydefault,buildsaretriggeredeverytimeyoupushtoyourrepositoryorcreatePullRequest.\n\n\nUploadingtoPyPI\n\n\nOnceyou'vegotatleastaprototypeworkingandtestsrunning,youshouldpublishitonPyPItoallowotherstoinstallitvia\npip\n.\n\n\nYoumust\nregister\nanaccountbeforepublishingtoPyPI.\n\n\nToregisteryourpackageonPyPIrunthefollowingcommand.\n\n\n$pythonsetup.pyregister\n\n\n\nIfthisisthefirsttimepublishingtoPyPI,you'llbepromptedtologin.\n\n\nNote:Beforepublishingyou'llneedtomakesureyouhavethelatestpipthatsupports\nwheel\naswellasinstallthe\n
"text":"Software ecosystems [\u2026] establish a community that further accelerates the sharing of knowledge, content, issues, expertise and skills. Jan Bosch .",
"text":"Third Party Packages allow developers to share code that extends the functionality of Django REST framework, in order to support additional use-cases. We support , encourage and strongly favor the creation of Third Party Packages to encapsulate new behavior rather than adding additional functionality directly to Django REST Framework. We aim to make creating third party packages as easy as possible, whilst keeping a simple and well maintained core API. By promoting third party packages we ensure that the responsibility for a package remains with its author. If a package proves suitably popular it can always be considered for inclusion into the core REST framework. If you have an idea for a new feature please consider how it may be packaged as a Third Party Package. We're always happy to discuss ideas on the Mailing List .",
"text":"Creating your package You can use this cookiecutter template for creating reusable Django REST Framework packages quickly. Cookiecutter creates projects from project templates. While optional, this cookiecutter template includes best practices from Django REST framework and other packages, as well as a Travis CI configuration, Tox configuration, and a sane setup.py for easy PyPI registration/distribution. Note: Let us know if you have an alternate cookiecuter package so we can also link to it. Running the initial cookiecutter command To run the initial cookiecutter command, you'll first need to install the Python cookiecutter package. $ pip install cookiecutter Once cookiecutter is installed just run the following to create a new project. $ cookiecutter gh:jpadilla/cookiecutter-django-rest-framework You'll be prompted for some questions, answer them, then it'll create your Python package in the current working directory based on those values. full_name (default is \"Your full name here\")? Johnny Appleseed\nemail (default is \"you@example.com\")? jappleseed@example.com\ngithub_username (default is \"yourname\")? jappleseed\npypi_project_name (default is \"dj-package\")? djangorestframework-custom-auth\nrepo_name (default is \"dj-package\")? django-rest-framework-custom-auth\napp_name (default is \"djpackage\")? custom_auth\nproject_short_description (default is \"Your project description goes here\")?\nyear (default is \"2014\")?\nversion (default is \"0.1.0\")?GettingitontoGitHubToputyourprojectuponGitHub,you'llneedarepositoryforittolivein.Youcancreateanewrepositoryhere.Ifyouneedhelp,checkouttheCreateARepoarticleonGitHub.AddingtoTravisCIWerecommendusingTravisCI,ahostedcontinuousintegrationservicewhichintegrateswellwithGitHubandisfreeforpublicrepositories.TogetstartedwithTravisCI,signinwithyourGitHubaccount.Onceyou'resignedin,gotoyourprofilepageandenabletheservicehookfortherepositoryyouwant.Ifyouusethecookiecuttertemplate,yourprojectwillalreadycontaina.travis.ymlfilewhichTravisCIwillusetobuildyourprojectandruntests.Bydefault,buildsaretriggeredeverytimeyoupushtoyourrepositoryorcreatePullRequest.UploadingtoPyPIOnceyou'vegotatleastaprototypeworkingandtestsrunning,youshouldpublishitonPyPItoallowotherstoinstallitviapip.YoumustregisteranaccountbeforepublishingtoPyPI.ToregisteryourpackageonPyPIrunthefollowingcommand.$pythonsetup.pyregisterIfthisisthefirsttimepublishingtoPyPI,you'llbepromptedtologin.Note:Beforepublishingyou'llneedtomakesureyouhavethelatestpipthatsupportswheelaswellasinstallthewheelpackage.$pipinstall--upgradepip\n$pipinstallwheelAfterthis,everytimeyouwanttoreleaseanewversiononPyPIjustrunthefollowingcommand.$pythonsetup.pypublish\nYouprobablywanttoalsotagtheversionnow:\ngittag-a{0}-m'version0.1.0'\ngitpush--tagsAfterreleasinganewversiontoPyPI,it'salwaysagoodideatotagtheversionandmakeavailableasaGitHubRelease.WerecommendtofollowSemanticVersioningforyourpackage'sversions.DevelopmentVersionrequirementsThecookiecuttertemplateassumesasetofsupportedversionswillbeprovidedforPythonandDjango.Makesureyoucorrectlyupdateyourrequirements,docs,tox.ini,.travis.yml,andsetup.pytomatchthesetofversionsyouwishtosupport.TestsThecookiecuttertemplateincludesaruntests.pywhichusesthepytestpackageasatestrunner.Beforerunning,you'llneedtoinstallacoupletestrequirements.$pipinstall-rrequirements.txtOncerequirementsinstalled,youcanrunruntests.py.$./runtests.pyRunusingamoreconciseoutputstyle.$./runtests.py-qRunthetestsusingamoreconciseoutputstyle,nocoverage,noflake8.$./runtests.py--fastDon'truntheflake8codelinting.$./runte
"text":"Django REST Framework has a growing community of developers, packages, and resources. Check out a grid detailing all the packages and ecosystem around Django REST Framework at Django Packages . To submit new content, open an issue or create a pull request . Authentication djangorestframework-digestauth - Provides Digest Access Authentication support. django-oauth-toolkit - Provides OAuth 2.0 support. doac - Provides OAuth 2.0 support. djangorestframework-jwt - Provides JSON Web Token Authentication support. hawkrest - Provides Hawk HTTP Authorization. djangorestframework-httpsignature - Provides an easy to use HTTP Signature Authentication mechanism. djoser - Provides a set of views to handle basic actions such as registration, login, logout, password reset and account activation. django-rest-auth - Provides a set of REST API endpoints for registration, authentication (including social media authentication), password reset, retrieve and update user details, etc. Permissions drf-any-permissions - Provides alternative permission handling. djangorestframework-composed-permissions - Provides a simple way to define complex permissions. rest_condition - Another extension for building complex permissions in a simple and convenient way. dry-rest-permissions - Provides a simple way to define permissions for individual api actions. Serializers django-rest-framework-mongoengine - Serializer class that supports using MongoDB as the storage layer for Django REST framework. djangorestframework-gis - Geographic add-ons djangorestframework-hstore - Serializer class to support django-hstore DictionaryField model field and its schema-mode feature. djangorestframework-jsonapi - Provides a parser, renderer, serializers, and other tools to help build an API that is compliant with the jsonapi.org spec. html-json-forms : Provides an algorithm and serializer to process HTML JSON Form submissions per the (inactive) spec. Serializer fields drf-compound-fields - Provides \"compound\"serializerfields,suchaslistsofsimplevalues.django-extra-fields-Providesextraserializerfields.django-versatileimagefield-Providesadrop-inreplacementforDjango'sstockImageFieldthatmakesiteasytoserveimagesinmultiplesizes/renditionsfromasinglefield.ForDRF-specificimplementationdocs,clickhere.Viewsdjangorestframework-bulk-ImplementsgenericviewmixinsaswellassomecommonconcretegenericviewstoallowtoapplybulkoperationsviaAPIrequests.django-rest-multiple-models-Providesagenericview(andmixin)forsendingmultipleserializedmodelsand/orquerysetsviaasingleAPIrequest.Routersdrf-nested-routers-Providesroutersandrelationshipfieldsforworkingwithnestedresources.wq.db.rest-Providesanadmin-stylemodelregistrationAPIwithreasonabledefaultURLsandviewsets.Parsersdjangorestframework-msgpack-ProvidesMessagePackrendererandparsersupport.djangorestframework-jsonapi-Providesaparser,renderer,serializers,andothertoolstohelpbuildanAPIthatiscompliantwiththejsonapi.orgspec.djangorestframework-camel-case-ProvidescamelcaseJSONrenderersandparsers.Renderersdjangorestframework-csv-ProvidesCSVrenderersupport.djangorestframework-jsonapi-Providesaparser,renderer,serializers,andothertoolstohelpbuildanAPIthatiscompliantwiththejsonapi.orgspec.drf_ujson-ImplementsJSONrenderingusingtheUJSONpackage.rest-pandas-PandasDataFrame-poweredrenderersincludingExcel,CSV,andSVGformats.Filteringdjangorestframework-chain-Allowsarbitrarychainingofbothrelationsandlookupfilters.django-url-filter-Allowsasafewaytofilterdataviahuman-friendlyURLs.ItisagenericlibrarywhichisnottiedtoDRFbutitprovideseasyintegrationwithDRF.Misccookiecutter-django-rest-AcookiecuttertemplatethattakescareofthesetupandconfigurationsoyoucanfocusonmakingyourRESTapisawesome.djan
"text":"Tutorials Beginner's Guide to the Django Rest Framework Getting Started with Django Rest Framework and AngularJS End to end web app with Django-Rest-Framework AngularJS Start Your API - django-rest-framework part 1 Permissions Authentication - django-rest-framework part 2 ViewSets and Routers - django-rest-framework part 3 Django Rest Framework User Endpoint Check credentials using Django Rest Framework Videos Ember and Django Part 1 (Video) Django Rest Framework Part 1 (Video) Pyowa July 2013 - Django Rest Framework (Video) django-rest-framework and angularjs (Video) Articles Web API performance: profiling Django REST framework API Development with Django and Django REST Framework Blog posts about Django REST framework Documentations Classy Django REST Framework",
"text":"The world can only really be changed one piece at a time. The art is picking that piece. Tim Berners-Lee There are many ways you can contribute to Django REST framework. We'd like it to be a community-led project, so please get involved and help shape the future of the project.",
"title":"Contributing to REST framework"
},
{
"location":"/topics/contributing/#community",
"text":"The most important thing you can do to help push the REST framework project forward is to be actively involved wherever possible. Code contributions are often overvalued as being the primary way to get involved in a project, we don't believe that needs to be the case. If you use REST framework, we'd love you to be vocal about your experiences with it - you might consider writing a blog post about using REST framework, or publishing a tutorial about building a project with a particular JavaScript framework. Experiences from beginners can be particularly helpful because you'll be in the best position to assess which bits of REST framework are more difficult to understand and work with. Other really great ways you can help move the community forward include helping to answer questions on the discussion group , or setting up an email alert on StackOverflow so that you get notified of any new questions with the django-rest-framework tag. When answering questions make sure to help future contributors find their way around by hyperlinking wherever possible to related threads and tickets, and include backlinks from those items if relevant.",
"text":"Please keep the tone polite professional. For some users a discussion on the REST framework mailing list or ticket tracker may be their first engagement with the open source community. First impressions count, so let's try to make everyone feel welcome. Be mindful in the language you choose. As an example, in an environment that is heavily male-dominated, posts that start 'Hey guys,' can come across as unintentionally exclusive. It's just as easy, and more inclusive to use gender neutral language in those situations. The Django code of conduct gives a fuller set of guidelines for participating in community forums.",
"title":"Code of conduct"
},
{
"location":"/topics/contributing/#issues",
"text":"It's really helpful if you can make sure to address issues on the correct channel. Usage questions should be directed to the discussion group . Feature requests, bug reports and other issues should be raised on the GitHub issue tracker . Some tips on good issue reporting: When describing issues try to phrase your ticket in terms of the behavior you think needs changing rather than the code you think need changing. Search the issue list first for related items, and make sure you're running the latest version of REST framework before reporting an issue. If reporting a bug, then try to include a pull request with a failing test case. This will help us quickly identify if there is a valid issue, and make sure that it gets fixed more quickly if there is one. Feature requests will often be closed with a recommendation that they be implemented outside of the core REST framework library. Keeping new feature requests implemented as third party libraries allows us to keep down the maintenance overhead of REST framework, so that the focus can be on continued stability, bugfixes, and great documentation. Closing an issue doesn't necessarily mean the end of a discussion. If you believe your issue has been closed incorrectly, explain why and we'll consider if it needs to be reopened.",
"text":"Getting involved in triaging incoming issues is a good way to start contributing. Every single ticket that comes into the ticket tracker needs to be reviewed in order to determine what the next steps should be. Anyone can help out with this, you just need to be willing to Read through the ticket - does it make sense, is it missing any context that would help explain it better? Is the ticket reported in the correct place, would it be better suited as a discussion on the discussion group? If the ticket is a bug report, can you reproduce it? Are you able to write a failing test case that demonstrates the issue and that can be submitted as a pull request? If the ticket is a feature request, do you agree with it, and could the feature request instead be implemented as a third party package? If a ticket hasn't had much activity and it addresses something you need, then comment on the ticket and try to find out what's needed to get it moving again.",
"title":"Triaging issues"
},
{
"location":"/topics/contributing/#development",
"text":"To start developing on Django REST framework, clone the repo: git clone git@github.com:tomchristie/django-rest-framework.git Changes should broadly follow the PEP 8 style conventions, and we recommend you set up your editor to automatically indicate non-conforming styles.",
"title":"Development"
},
{
"location":"/topics/contributing/#testing",
"text":"To run the tests, clone the repository, and then: # Setup the virtual environment\nvirtualenv env\nsource env/bin/activate\npip install -r requirements.txt\n\n# Run the tests\n./runtests.py Test options Run using a more concise output style. ./runtests.py -q Run the tests using a more concise output style, no coverage, no flake8. ./runtests.py --fast Don't run the flake8 code linting. ./runtests.py --nolint Only run the flake8 code linting, don't run the tests. ./runtests.py --lintonly Run the tests for a given test case. ./runtests.py MyTestCase Run the tests for a given test method. ./runtests.py MyTestCase.test_this_method Shorter form to run the tests for a given test method. ./runtests.py test_this_method Note: The test case and test method matching is fuzzy and will sometimes run other tests that contain a partial string match to the given command line input. Running against multiple environments You can also use the excellent tox testing tool to run the tests against all supported versions of Python and Django. Install tox globally, and then simply run: tox",
"title":"Testing"
},
{
"location":"/topics/contributing/#pull-requests",
"text":"It's a good idea to make pull requests early on. A pull request represents the start of a discussion, and doesn't necessarily need to be the final, finished submission. It's also always best to make a new branch before starting work on a pull request. This means that you'll be able to later switch back to working on another separate issue without interfering with an ongoing pull requests. It's also useful to remember that if you have an outstanding pull request then pushing new commits to your GitHub repo will also automatically update the pull requests. GitHub's documentation for working on pull requests is available here . Always run the tests before submitting pull requests, and ideally run tox in order to check that your modifications are compatible with both Python 2 and Python 3, and that they run properly on all supported versions of Django. Once you've made a pull request take a look at the Travis build status in the GitHub interface and make sure the tests are running as you'd expect. Above: Travis build notifications",
"text":"Sometimes, in order to ensure your code works on various different versions of Django, Python or third party libraries, you'll need to run slightly different code depending on the environment. Any code that branches in this way should be isolated into the compat.py module, and should provide a single common interface that the rest of the codebase can use.",
"title":"Managing compatibility issues"
},
{
"location":"/topics/contributing/#documentation",
"text":"The documentation for REST framework is built from the Markdown source files in the docs directory . There are many great Markdown editors that make working with the documentation really easy. The Mou editor for Mac is one such editor that comes highly recommended.",
"text":"To build the documentation, install MkDocs with pip install mkdocs and then run the following command. mkdocs build This will build the documentation into the site directory. You can build the documentation and open a preview in a browser window by using the serve command. mkdocs serve",
"text":"Documentation should be in American English. The tone of the documentation is very important - try to stick to a simple, plain, objective and well-balanced style where possible. Some other tips: Keep paragraphs reasonably short. Don't use abbreviations such as 'e.g.' but instead use the long form, such as 'For example'.",
"text":"There are a couple of conventions you should follow when working on the documentation. 1. Headers Headers should use the hash style. For example: ### Some important topic The underline style should not be used. Don't do this: Some important topic\n==================== 2. Links Links should always use the reference style, with the referenced hyperlinks kept at the end of the document. Here is a link to [some other thing][other-thing].\n\nMore text...\n\n[other-thing]: http://example.com/other/thing This style helps keep the documentation source consistent and readable. If you are hyperlinking to another REST framework document, you should use a relative link, and link to the .md suffix. For example: [authentication]: ../api-guide/authentication.md Linking in this style means you'll be able to click the hyperlink in your Markdown editor to open the referenced document. When the documentation is built, these links will be converted into regular links to HTML pages. 3. Notes If you want to draw attention to a note or warning, use a pair of enclosing lines, like so: ---\n\n**Note:** A useful documentation note.\n\n---",
"text":"Project management\n\n\n\n\n\"No one can whistle a symphony; it takes a whole orchestra to play it\"\n\n\n Halford E. Luccock\n\n\n\n\nThis document outlines our project management processes for REST framework.\n\n\nThe aim is to ensure that the project has a high \n\n\"bus factor\"\n,andcancontinuetoremainwellsupportedfortheforeseeablefuture.Suggestionsforimprovementstoourprocessarewelcome.\n\n\n\n\nMaintenanceteam\n\n\nWehaveaquarterlymaintenancecyclewherenewmembersmayjointhemaintenanceteam.Wecurrentlycapthesizeoftheteamat5members,andmayencouragefolkstostepoutoftheteamforacycletoallownewmemberstoparticipate.\n\n\nCurrentteam\n\n\nThe\nmaintenanceteamforQ42015\n:\n\n\n\n\n@tomchristie\n\n\n@xordoquy\n(Releasemanager.)\n\n\n@carltongibson\n\n\n@kevin-brown\n\n\n@jpadilla\n\n\n\n\nMaintenancecycles\n\n\nEachmaintenancecycleisinitiatedbyanissuebeingopenedwiththe\nProcess\nlabel.\n\n\n\n\nTobeconsideredforamaintainerrolesimplycommentagainsttheissue.\n\n\nExistingmembersmustexplicitlyopt-intothenextcyclebycheck-markingtheirname.\n\n\nThefinaldecisionontheincomingteamwillbemadeby\n@tomchristie\n.\n\n\n\n\nMembersofthemaintenanceteamwillbeaddedascollaboratorstotherepository.\n\n\nThefollowingtemplateshouldbeusedforthedescriptionoftheissue,andservesastheformalprocessforselectingtheteam.\n\n\nThisissueisfordeterminingthemaintenanceteamforthe***period.\n\nPleaseseethe[Projectmanagement](http://www.django-rest-framework.org/topics/project-management/) section of our documentation for more details.\n\n---\n\n#### Renewing existing members.\n\nThe following people are the current maintenance team. Please checkmark your name if you wish to continue to have write permission on the repository for the *** period.\n\n- [ ] @***\n- [ ] @***\n- [ ] @***\n- [ ] @***\n- [ ] @***\n\n---\n\n#### New members.\n\nIf you wish to be considered for this or a future date, please comment against this or subsequent issues.\n\nTo modify this process for future maintenance cycles make a pull request to the [project management](http://www.django-rest-framework.org/topics/project-management/) documentation.\n\n\n\nResponsibilities of team members\n\n\nTeam members have the following responsibilities.\n\n\n\n\nClose invalid or resolved tickets.\n\n\nAdd triage labels and milestones to tickets.\n\n\nMerge finalized pull requests.\n\n\nBuild and deploy the documentation, using \nmkdocs gh-deploy\n.\n\n\nBuild and update the included translation packs.\n\n\n\n\nFurther notes for maintainers:\n\n\n\n\nCode changes should come in the form of a pull request - do not push directly to master.\n\n\nMaintainers should typically not merge their own pull requests.\n\n\nEach issue/pull request should have exactly one label once triaged.\n\n\nSearch for un-triaged issues with \nis:open no:label\n.\n\n\n\n\nIt should be noted that participating actively in the REST framework project clearly \ndoes not require being part of the maintenance team\n. Almost every import part of issue triage and project improvement can be actively worked on regardless of your collaborator status on the repository.\n\n\n\n\nRelease process\n\n\nThe release manager is selected on every quarterly maintenance cycle.\n\n\n\n\nThe manager should be selected by \n@tomchristie\n.\n\n\nThe manager will then have the maintainer role added to PyPI package.\n\n\nThe previous manager will then have the maintainer role removed from the PyPI package.\n\n\n\n\nOur PyPI releases will be handled by either the current release manager, or by \n@tomchristie\n. Every release should have an open issue tagged with the \nRelease\n label and marked against the appropriate milestone.\n\n\nThe following template should be used for the description of the issue, and serves as a release checklist.\n\n\nRelease manager is @***.\nPull request is #***.\n\nDuring development cycle:\n\n- [ ] Upload the new content to be translated to [transif
"text":"\"No one can whistle a symphony; it takes a whole orchestra to play it\" Halford E. Luccock This document outlines our project management processes for REST framework. The aim is to ensure that the project has a high \"bus factor\" , and can continue to remain well supported for the foreseeable future. Suggestions for improvements to our process are welcome.",
"text":"We have a quarterly maintenance cycle where new members may join the maintenance team. We currently cap the size of the team at 5 members, and may encourage folks to step out of the team for a cycle to allow new members to participate. Current team The maintenance team for Q4 2015 : @tomchristie @xordoquy (Release manager.) @carltongibson @kevin-brown @jpadilla Maintenance cycles Each maintenance cycle is initiated by an issue being opened with the Process label. To be considered for a maintainer role simply comment against the issue. Existing members must explicitly opt-in to the next cycle by check-marking their name. The final decision on the incoming team will be made by @tomchristie . Members of the maintenance team will be added as collaborators to the repository. The following template should be used for the description of the issue, and serves as the formal process for selecting the team. This issue is for determining the maintenance team for the *** period.\n\nPlease see the [Project management](http://www.django-rest-framework.org/topics/project-management/) section of our documentation for more details.\n\n---\n\n#### Renewing existing members.\n\nThe following people are the current maintenance team. Please checkmark your name if you wish to continue to have write permission on the repository for the *** period.\n\n- [ ] @***\n- [ ] @***\n- [ ] @***\n- [ ] @***\n- [ ] @***\n\n---\n\n#### New members.\n\nIf you wish to be considered for this or a future date, please comment against this or subsequent issues.\n\nTo modify this process for future maintenance cycles make a pull request to the [project management](http://www.django-rest-framework.org/topics/project-management/) documentation. Responsibilities of team members Team members have the following responsibilities. Close invalid or resolved tickets. Add triage labels and milestones to tickets. Merge finalized pull requests. Build and deploy the documentation, using mkdocs gh-deploy . Build and update the included translation packs. Further notes for maintainers: Code changes should come in the form of a pull request - do not push directly to master. Maintainers should typically not merge their own pull requests. Each issue/pull request should have exactly one label once triaged. Search for un-triaged issues with is:open no:label . It should be noted that participating actively in the REST framework project clearly does not require being part of the maintenance team . Almost every import part of issue triage and project improvement can be actively worked on regardless of your collaborator status on the repository.",
"text":"The release manager is selected on every quarterly maintenance cycle. The manager should be selected by @tomchristie . The manager will then have the maintainer role added to PyPI package. The previous manager will then have the maintainer role removed from the PyPI package. Our PyPI releases will be handled by either the current release manager, or by @tomchristie . Every release should have an open issue tagged with the Release label and marked against the appropriate milestone. The following template should be used for the description of the issue, and serves as a release checklist. Release manager is @***.\nPull request is #***.\n\nDuring development cycle:\n\n- [ ] Upload the new content to be translated to [transifex](http://www.django-rest-framework.org/topics/project-management/#translations).\n\n\nChecklist:\n\n- [ ] Create pull request for [release notes](https://github.com/tomchristie/django-rest-framework/blob/master/docs/topics/release-notes.md) based on the [*.*.* milestone](https://github.com/tomchristie/django-rest-framework/milestones/***).\n- [ ] Update the translations from [transifex](http://www.django-rest-framework.org/topics/project-management/#translations).\n- [ ] Ensure the pull request increments the version to `*.*.*` in [`restframework/__init__.py`](https://github.com/tomchristie/django-rest-framework/blob/master/rest_framework/__init__.py).\n- [ ] Confirm with @tomchristie that release is finalized and ready to go.\n- [ ] Ensure that release date is included in pull request.\n- [ ] Merge the release pull request.\n- [ ] Push the package to PyPI with `./setup.py publish`.\n- [ ] Tag the release, with `git tag -a *.*.* -m 'version *.*.*'; git push --tags`.\n- [ ] Deploy the documentation with `mkdocs gh-deploy`.\n- [ ] Make a release announcement on the [discussion group](https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework).\n- [ ] Make a release announcement on twitter.\n- [ ] Close the milestone on GitHub.\n\nTo modify this process for future releases make a pull request to the [project management](http://www.django-rest-framework.org/topics/project-management/) documentation. When pushing the release to PyPI ensure that your environment has been installed from our development requirement.txt , so that documentation and PyPI installs are consistently being built against a pinned set of packages.",
"text":"The maintenance team are responsible for managing the translation packs include in REST framework. Translating the source strings into multiple languages is managed through the transifex service . Managing Transifex The official Transifex client is used to upload and download translations to Transifex. The client is installed using pip: pip install transifex-client To use it you'll need a login to Transifex which has a password, and you'll need to have administrative access to the Transifex project. You'll need to create a ~/.transifexrc file which contains your credentials. [https://www.transifex.com]\nusername = ***\ntoken = ***\npassword = ***\nhostname = https://www.transifex.com Upload new source files When any user visible strings are changed, they should be uploaded to Transifex so that the translators can start to translate them. To do this, just run: # 1. Update the source django.po file, which is the US English version.\ncd rest_framework\ndjango-admin.py makemessages -l en_US\n# 2. Push the source django.po file to Transifex.\ncd ..\ntx push -s When pushing source files, Transifex will update the source strings of a resource to match those from the new source file. Here's how differences between the old and new source files will be handled: New strings will be added. Modified strings will be added as well. Strings which do not exist in the new source file will be removed from the database, along with their translations. If that source strings gets re-added later then Transifex Translation Memory will automatically include the translation string. Download translations When a translator has finished translating their work needs to be downloaded from Transifex into the REST framework repository. To do this, run: # 3. Pull the translated django.po files from Transifex.\ntx pull -a\ncd rest_framework\n# 4. Compile the binary .mo files for all supported languages.\ndjango-admin.py compilemessages",
"text":"All our test requirements are pinned to exact versions, in order to ensure that our test runs are reproducible. We maintain the requirements in the requirements directory. The requirements files are referenced from the tox.ini configuration file, ensuring we have a single source of truth for package versions used in testing. Package upgrades should generally be treated as isolated pull requests. You can check if there are any packages available at a newer version, by using the pip list --outdated .",
"text":"The PyPI package is owned by @tomchristie . As a backup @j4mie also has ownership of the package. If @tomchristie ceases to participate in the project then @j4mie has responsibility for handing over ownership duties. Outstanding management ownership issues The following issues still need to be addressed: Consider moving the repo into a proper GitHub organization . Ensure @jamie has back-up access to the django-rest-framework.org domain setup and admin. Document ownership of the live example API. Document ownership of the mailing list and IRC channel. Document ownership and management of the security mailing list.",
"text":"Django REST framework 3.0\n\n\nThe 3.0 release of Django REST framework is the result of almost four years of iteration and refinement. It comprehensively addresses some of the previous remaining design issues in serializers, fields and the generic views.\n\n\nThis release is incremental in nature. There \nare\n some breaking API changes, and upgrading \nwill\n require you to read the release notes carefully, but the migration path should otherwise be relatively straightforward.\n\n\nThe difference in quality of the REST framework API and implementation should make writing, maintaining and debugging your application far easier.\n\n\n3.0 is the first of three releases that have been funded by our recent \nKickstarter campaign\n.\n\n\nAs ever, a huge thank you to our many \nwonderful sponsors\n. If you're looking for a Django gig, and want to work with smart community-minded folks, you should probably check out that list and see who's hiring.\n\n\n\n\nNew features\n\n\nNotable features of this new release include:\n\n\n\n\nPrintable representations on serializers that allow you to inspect exactly what fields are present on the instance.\n\n\nSimple model serializers that are vastly easier to understand and debug, and that make it easy to switch between the implicit \nModelSerializer\n class and the explicit \nSerializer\n class.\n\n\nA new \nBaseSerializer\n class, making it easier to write serializers for alternative storage backends, or to completely customize your serialization and validation logic.\n\n\nA cleaner fields API including new classes such as \nListField\n and \nMultipleChoiceField\n.\n\n\nSuper simple default implementations\n for the generic views.\n\n\nSupport for overriding how validation errors are handled by your API.\n\n\nA metadata API that allows you to customize how \nOPTIONS\n requests are handled by your API.\n\n\nA more compact JSON output with unicode style encoding turned on by default.\n\n\nTemplated based HTML form rendering for serializers. This will be finalized as public API in the upcoming 3.1 release.\n\n\n\n\nSignificant new functionality continues to be planned for the 3.1 and 3.2 releases. These releases will correspond to the two \nKickstarter stretch goals\n - \"Feature improvements\" and \"Admin interface\".Further3.xreleaseswillpresentsimpleupgrades,withoutthesameleveloffundamentalAPIchangesnecessaryforthe3.0release.\n\n\n\n\nRESTframework:Underthehood.\n\n\nThistalkfromthe\nDjango:UndertheHood\neventinAmsterdam,Nov2014,givessomegoodbackgroundcontextonthedesigndecisionsbehind3.0.\n\n\n\n\n\n\n\nBelowisanin-depthguidetotheAPIchangesandmigrationnotesfor3.0.\n\n\nRequestobjects\n\n\nThe\n.data\nand\n.query_params\nproperties.\n\n\nTheusageof\nrequest.DATA\nand\nrequest.FILES\nisnowpendingdeprecationinfavorofasingle\nrequest.data\nattributethatcontains\nall\ntheparseddata.\n\n\nHavingseparateattributesisreasonableforwebapplicationsthatonlyeverparseurl-encodedormultipartrequests,butmakeslesssenseforthegeneral-purposerequestparsingthatRESTframeworksupports.\n\n\nYoumaynowpassalltherequestdatatoaserializerclassinasingleargument:\n\n\n#Dothis...\nExampleSerializer(data=request.data)\n\n\n\nInsteadofpassingthefilesargumentseparately:\n\n\n#Don'tdothis...\nExampleSerializer(data=request.DATA,files=request.FILES)\n\n\n\nTheusageof\nrequest.QUERY_PARAMS\nisnowpendingdeprecationinfavorofthelowercased\nrequest.query_params\n.\n\n\n\n\nSerializers\n\n\nSingle-stepobjectcreation.\n\n\nPreviouslytheserializersusedatwo-stepobjectcreation,asfollows:\n\n\n\n\nValidatingthedatawouldcreateanobjectinstance.Thisinstancewouldbeavailableas\nserializer.object\n.\n\n\nCalling\nserializer.save()\nwouldthensavetheobjectinstancetothedatabase.\n\n\n\n\nThisstyleisin-linewithhowthe\nModelForm\nclassworksinDjango,butisproblematicforanumberofreasons:\n\n\n\n\nSomedata,suchasmany-to-
"text":"The 3.0 release of Django REST framework is the result of almost four years of iteration and refinement. It comprehensively addresses some of the previous remaining design issues in serializers, fields and the generic views. This release is incremental in nature. There are some breaking API changes, and upgrading will require you to read the release notes carefully, but the migration path should otherwise be relatively straightforward. The difference in quality of the REST framework API and implementation should make writing, maintaining and debugging your application far easier. 3.0 is the first of three releases that have been funded by our recent Kickstarter campaign . As ever, a huge thank you to our many wonderful sponsors . If you're looking for a Django gig, and want to work with smart community-minded folks, you should probably check out that list and see who's hiring.",
"text":"Notable features of this new release include: Printable representations on serializers that allow you to inspect exactly what fields are present on the instance. Simple model serializers that are vastly easier to understand and debug, and that make it easy to switch between the implicit ModelSerializer class and the explicit Serializer class. A new BaseSerializer class, making it easier to write serializers for alternative storage backends, or to completely customize your serialization and validation logic. A cleaner fields API including new classes such as ListField and MultipleChoiceField . Super simple default implementations for the generic views. Support for overriding how validation errors are handled by your API. A metadata API that allows you to customize how OPTIONS requests are handled by your API. A more compact JSON output with unicode style encoding turned on by default. Templated based HTML form rendering for serializers. This will be finalized as public API in the upcoming 3.1 release. Significant new functionality continues to be planned for the 3.1 and 3.2 releases. These releases will correspond to the two Kickstarter stretch goals - \"Feature improvements\" and \"Admin interface\". Further 3.x releases will present simple upgrades, without the same level of fundamental API changes necessary for the 3.0 release. REST framework: Under the hood. This talk from the Django: Under the Hood event in Amsterdam, Nov 2014, gives some good background context on the design decisions behind 3.0. Below is an in-depth guide to the API changes and migration notes for 3.0.",
"text":"The .data and .query_params properties. The usage of request.DATA and request.FILES is now pending deprecation in favor of a single request.data attribute that contains all the parsed data. Having separate attributes is reasonable for web applications that only ever parse url-encoded or multipart requests, but makes less sense for the general-purpose request parsing that REST framework supports. You may now pass all the request data to a serializer class in a single argument: # Do this...\nExampleSerializer(data=request.data) Instead of passing the files argument separately: # Don't do this...\nExampleSerializer(data=request.DATA, files=request.FILES) The usage of request.QUERY_PARAMS is now pending deprecation in favor of the lowercased request.query_params .",
"text":"Single-step object creation. Previously the serializers used a two-step object creation, as follows: Validating the data would create an object instance. This instance would be available as serializer.object . Calling serializer.save() would then save the object instance to the database. This style is in-line with how the ModelForm class works in Django, but is problematic for a number of reasons: Some data, such as many-to-many relationships, cannot be added to the object instance until after it has been saved. This type of data needed to be hidden in some undocumented state on the object instance, or kept as state on the serializer instance so that it could be used when .save() is called. Instantiating model instances directly means that you cannot use model manager classes for instance creation, e.g. ExampleModel.objects.create(...) . Manager classes are an excellent layer at which to enforce business logic and application-level data constraints. The two step process makes it unclear where to put deserialization logic. For example, should extra attributes such as the current user get added to the instance during object creation or during object save? We now use single-step object creation, like so: Validating the data makes the cleaned data available as serializer.validated_data . Calling serializer.save() then saves and returns the new object instance. The resulting API changes are further detailed below. The .create() and .update() methods. The .restore_object() method is now removed, and we instead have two separate methods, .create() and .update() . These methods work slightly different to the previous .restore_object() . When using the .create() and .update() methods you should both create and save the object instance. This is in contrast to the previous .restore_object() behavior that would instantiate the object but not save it. These methods also replace the optional .save_object() method, which no longer exists. The following example from the tutorial previously used restore_object() to handle both creating and updating object instances. def restore_object(self, attrs, instance=None):\n if instance:\n # Update existing instance\n instance.title = attrs.get('title', instance.title)\n instance.code = attrs.get('code', instance.code)\n instance.linenos = attrs.get('linenos', instance.linenos)\n instance.language = attrs.get('language', instance.language)\n instance.style = attrs.get('style', instance.style)\n return instance\n\n # Create new instance\n return Snippet(**attrs) This would now be split out into two separate methods. def update(self, instance, validated_data):\n instance.title = validated_data.get('title', instance.title)\n instance.code = validated_data.get('code', instance.code)\n instance.linenos = validated_data.get('linenos', instance.linenos)\n instance.language = validated_data.get('language', instance.language)\n instance.style = validated_data.get('style', instance.style)\n instance.save()\n return instance\n\ndef create(self, validated_data):\n return Snippet.objects.create(**validated_data) Note that these methods should return the newly created object instance. Use .validated_data instead of .object . You must now use the .validated_data attribute if you need to inspect the data before saving, rather than using the .object attribute, which no longer exists. For example the following code is no longer valid : if serializer.is_valid():\n name = serializer.object.name # Inspect validated field data.\n logging.info('Creating ticket \"%s\"'%name)\nserializer.object.user=request.user#Includetheuserwhensaving.\nserializer.save()Insteadofusing.objecttoinspectapartiallyconstructedinstance,youwouldnowuse.validated_datatoinspectthecleanedincomingvalues.Alsoyoucan'tsetextraattributesontheinstancedirectly,butinsteadpassthemtothe.save()methodaskeywordargum
"text":"Simplification of view logic. The view logic for the default method handlers has been significantly simplified, due to the new serializers API. Changes to pre/post save hooks. The pre_save and post_save hooks no longer exist, but are replaced with perform_create(self, serializer) and perform_update(self, serializer) . These methods should save the object instance by calling serializer.save() , adding in any additional arguments as required. They may also perform any custom pre-save or post-save behavior. For example: def perform_create(self, serializer):\n # Include the owner attribute directly, rather than from request data.\n instance = serializer.save(owner=self.request.user)\n # Perform a custom post-save action.\n send_email(instance.to_email, instance.message) The pre_delete and post_delete hooks no longer exist, and are replaced with .perform_destroy(self, instance) , which should delete the instance and perform any custom actions. def perform_destroy(self, instance):\n # Perform a custom pre-delete action.\n send_deletion_alert(user=instance.created_by, deleted=instance)\n # Delete the object instance.\n instance.delete() Removal of view attributes. The .object and .object_list attributes are no longer set on the view instance. Treating views as mutable object instances that store state during the processing of the view tends to be poor design, and can lead to obscure flow logic. I would personally recommend that developers treat view instances as immutable objects in their application code. PUT as create. Allowing PUT as create operations is problematic, as it necessarily exposes information about the existence or non-existence of objects. It's also not obvious that transparently allowing re-creating of previously deleted instances is necessarily a better default behavior than simply returning 404 responses. Both styles \" PUT as 404\" and \" PUT as create\" can be valid in different circumstances, but we've now opted for the 404 behavior as the default, due to it being simpler and more obvious. If you need to restore the previous behavior you may want to include this AllowPUTAsCreateMixin class as a mixin to your views. Customizing error responses. The generic views now raise ValidationFailed exception for invalid data. This exception is then dealt with by the exception handler, rather than the view returning a 400 Bad Request response directly. This change means that you can now easily customize the style of error responses across your entire API, without having to modify any of the generic views.",
"text":"Behavior for dealing with OPTIONS requests was previously built directly into the class based views. This has now been properly separated out into a Metadata API that allows the same pluggable style as other API policies in REST framework. This makes it far easier to use a different style for OPTIONS responses throughout your API, and makes it possible to create third-party metadata policies.",
"text":"REST framework 3.0 includes templated HTML form rendering for serializers. This API should not yet be considered finalized, and will only be promoted to public API for the 3.1 release. Significant changes that you do need to be aware of include: Nested HTML forms are now supported, for example, a UserSerializer with a nested ProfileSerializer will now render a nested fieldset when used in the browsable API. Nested lists of HTML forms are not yet supported, but are planned for 3.1. Because we now use templated HTML form generation, the widget option is no longer available for serializer fields . You can instead control the template that is used for a given field, by using the style dictionary. The style keyword argument for serializer fields. The style keyword argument can be used to pass through additional information from a serializer field, to the renderer class. In particular, the HTMLFormRenderer uses the base_template key to determine which template to render the field with. For example, to use a textarea control instead of the default input control, you would use the following\u2026 additional_notes = serializers.CharField(\n style={'base_template': 'textarea.html'}\n) Similarly, to use a radio button control instead of the default select control, you would use the following\u2026 color_channel = serializers.ChoiceField(\n choices=['red', 'blue', 'green'],\n style={'base_template': 'radio.html'}\n) This API should be considered provisional, and there may be minor alterations with the incoming 3.1 release.",
"title":"Serializers as HTML forms"
},
{
"location":"/topics/3.0-announcement/#api-style",
"text":"There are some improvements in the default style we use in our API responses. Unicode JSON by default. Unicode JSON is now the default. The UnicodeJSONRenderer class no longer exists, and the UNICODE_JSON setting has been added. To revert this behavior use the new setting: REST_FRAMEWORK = {\n 'UNICODE_JSON': False\n} Compact JSON by default. We now output compact JSON in responses by default. For example, we return: {\"email\":\"amy@example.com\",\"is_admin\":true} Instead of the following: {\"email\": \"amy@example.com\", \"is_admin\": true} The COMPACT_JSON setting has been added, and can be used to revert this behavior if needed: REST_FRAMEWORK = {\n 'COMPACT_JSON': False\n} File fields as URLs The FileField and ImageField classes are now represented as URLs by default. You should ensure you set Django's standard MEDIA_URL setting appropriately, and ensure your application serves the uploaded files . You can revert this behavior, and display filenames in the representation by using the UPLOADED_FILES_USE_URL settings key: REST_FRAMEWORK = {\n 'UPLOADED_FILES_USE_URL': False\n} You can also modify serializer fields individually, using the use_url argument: uploaded_file = serializers.FileField(use_url=False) Also note that you should pass the request object to the serializer as context when instantiating it, so that a fully qualified URL can be returned. Returned URLs will then be of the form https://example.com/url_path/filename.txt . For example: context = {'request': request}\nserializer = ExampleSerializer(instance, context=context)\nreturn Response(serializer.data) If the request is omitted from the context, the returned URLs will be of the form /url_path/filename.txt . Throttle headers using Retry-After . The custom X-Throttle-Wait-Second header has now been dropped in favor of the standard Retry-After header. You can revert this behavior if needed by writing a custom exception handler for your application. Date and time objects as ISO-8859-1 strings in serializer data. Date and Time objects are now coerced to strings by default in the serializer output. Previously they were returned as Date , Time and DateTime objects, and later coerced to strings by the renderer. You can modify this behavior globally by settings the existing DATE_FORMAT , DATETIME_FORMAT and TIME_FORMAT settings keys. Setting these values to None instead of their default value of 'iso-8859-1' will result in native objects being returned in serializer data. REST_FRAMEWORK = {\n # Return native `Date` and `Time` objects in `serializer.data`\n 'DATETIME_FORMAT': None\n 'DATE_FORMAT': None\n 'TIME_FORMAT': None\n} You can also modify serializer fields individually, using the date_format , time_format and datetime_format arguments: # Return `DateTime` instances in `serializer.data`, not strings.\ncreated = serializers.DateTimeField(format=None) Decimals as strings in serializer data. Decimals are now coerced to strings by default in the serializer output. Previously they were returned as Decimal objects, and later coerced to strings by the renderer. You can modify this behavior globally by using the COERCE_DECIMAL_TO_STRING settings key. REST_FRAMEWORK = {\n 'COERCE_DECIMAL_TO_STRING': False\n} Or modify it on an individual serializer field, using the coerce_to_string keyword argument. # Return `Decimal` instances in `serializer.data`, not strings.\namount = serializers.DecimalField(\n max_digits=10,\n decimal_places=2,\n coerce_to_string=False\n) The default JSON renderer will return float objects for un-coerced Decimal instances. This allows you to easily switch between string or float representations for decimals depending on your API design needs.",
"text":"The serializer ChoiceField does not currently display nested choices, as was the case in 2.4. This will be address as part of 3.1. Due to the new templated form rendering, the 'widget' option is no longer valid. This means there's no easy way of using third party \"autocomplete\" widgets for rendering select inputs that contain a large number of choices. You'll either need to use a regular select or a plain text input. We may consider addressing this in 3.1 or 3.2 if there's sufficient demand. Some of the default validation error messages were rewritten and might no longer be pre-translated. You can still create language files with Django if you wish to localize them. APIException subclasses could previously take any arbitrary type in the detail argument. These exceptions now use translatable text strings, and as a result call force_text on the detail argument, which must be a string . If you need complex arguments to an APIException class, you should subclass it and override the __init__() method. Typically you'll instead want to use a custom exception handler to provide for non-standard error responses.",
"text":"3.0 is an incremental release, and there are several upcoming features that will build on the baseline improvements that it makes. The 3.1 release is planned to address improvements in the following components: Public API for using serializers as HTML forms. Request parsing, mediatypes the implementation of the browsable API. Introduction of a new pagination API. Better support for API versioning. The 3.2 release is planned to introduce an alternative admin-style interface to the browsable API. You can follow development on the GitHub site, where we use milestones to indicate planning timescales .",
"text":"Django REST framework 3.1\n\n\nThe 3.1 release is an intermediate step in the Kickstarter project releases, and includes a range of new functionality.\n\n\nSome highlights include:\n\n\n\n\nA super-smart cursor pagination scheme.\n\n\nAn improved pagination API, supporting header or in-body pagination styles.\n\n\nPagination controls rendering in the browsable API.\n\n\nBetter support for API versioning.\n\n\nBuilt-in internationalization support.\n\n\nSupport for Django 1.8's \nHStoreField\n and \nArrayField\n.\n\n\n\n\n\n\nPagination\n\n\nThe pagination API has been improved, making it both easier to use, and more powerful.\n\n\nA guide to the headline features follows. For full details, see \nthe pagination documentation\n.\n\n\nNote that as a result of this work a number of settings keys and generic view attributes are now moved to pending deprecation. Controlling pagination styles is now largely handled by overriding a pagination class and modifying its configuration attributes.\n\n\n\n\nThe \nPAGINATE_BY\n settings key will continue to work but is now pending deprecation. The more obviously named \nPAGE_SIZE\n settings key should now be used instead.\n\n\nThe \nPAGINATE_BY_PARAM\n, \nMAX_PAGINATE_BY\n settings keys will continue to work but are now pending deprecation, in favor of setting configuration attributes on the configured pagination class.\n\n\nThe \npaginate_by\n, \npage_query_param\n, \npaginate_by_param\n and \nmax_paginate_by\n generic view attributes will continue to work but are now pending deprecation, in favor of setting configuration attributes on the configured pagination class.\n\n\nThe \npagination_serializer_class\n view attribute and \nDEFAULT_PAGINATION_SERIALIZER_CLASS\n settings key \nare no longer valid\n. The pagination API does not use serializers to determine the output format, and you'll need to instead override the \nget_paginated_response\n method on a pagination class in order to specify how the output format is controlled.\n\n\n\n\nNew pagination schemes.\n\n\nUntil now, there has only been a single built-in pagination style in REST framework. We now have page, limit/offset and cursor based schemes included by default.\n\n\nThe cursor based pagination scheme is particularly smart, and is a better approach for clients iterating through large or frequently changing result sets. The scheme supports paging against non-unique indexes, by using both cursor and limit/offset information. It also allows for both forward and reverse cursor pagination. Much credit goes to David Cramer for \nthis blog post\n on the subject.\n\n\nPagination controls in the browsable API.\n\n\nPaginated results now include controls that render directly in the browsable API. If you're using the page or limit/offset style, then you'll see a page based control displayed in the browsable API:\n\n\n\n\nThe cursor based pagination renders a more simple style of control:\n\n\n\n\nSupport for header-based pagination.\n\n\nThe pagination API was previously only able to alter the pagination style in the body of the response. The API now supports being able to write pagination information in response headers, making it possible to use pagination schemes that use the \nLink\n or \nContent-Range\n headers.\n\n\nFor more information, see the \ncustom pagination styles\n documentation.\n\n\n\n\nVersioning\n\n\nWe've made it \neasier to build versioned APIs\n. Built-in schemes for versioning include both URL based and Accept header based variations.\n\n\nWhen using a URL based scheme, hyperlinked serializers will resolve relationships to the same API version as used on the incoming request.\n\n\nFor example, when using \nNamespaceVersioning\n, and the following hyperlinked serializer:\n\n\nclass AccountsSerializer(serializer.HyperlinkedModelSerializer):\n class Meta:\n model = Accounts\n fields = ('account_name', 'users')\n\n\n\nThe output representation would match the version used on the incoming request. Like so:\n\n\nGET http://example.org/v2/accounts/10 # Version 'v2'\n\n{\n \"ac
"text":"The 3.1 release is an intermediate step in the Kickstarter project releases, and includes a range of new functionality. Some highlights include: A super-smart cursor pagination scheme. An improved pagination API, supporting header or in-body pagination styles. Pagination controls rendering in the browsable API. Better support for API versioning. Built-in internationalization support. Support for Django 1.8's HStoreField and ArrayField .",
"text":"The pagination API has been improved, making it both easier to use, and more powerful. A guide to the headline features follows. For full details, see the pagination documentation . Note that as a result of this work a number of settings keys and generic view attributes are now moved to pending deprecation. Controlling pagination styles is now largely handled by overriding a pagination class and modifying its configuration attributes. The PAGINATE_BY settings key will continue to work but is now pending deprecation. The more obviously named PAGE_SIZE settings key should now be used instead. The PAGINATE_BY_PARAM , MAX_PAGINATE_BY settings keys will continue to work but are now pending deprecation, in favor of setting configuration attributes on the configured pagination class. The paginate_by , page_query_param , paginate_by_param and max_paginate_by generic view attributes will continue to work but are now pending deprecation, in favor of setting configuration attributes on the configured pagination class. The pagination_serializer_class view attribute and DEFAULT_PAGINATION_SERIALIZER_CLASS settings key are no longer valid . The pagination API does not use serializers to determine the output format, and you'll need to instead override the get_paginated_response method on a pagination class in order to specify how the output format is controlled. New pagination schemes. Until now, there has only been a single built-in pagination style in REST framework. We now have page, limit/offset and cursor based schemes included by default. The cursor based pagination scheme is particularly smart, and is a better approach for clients iterating through large or frequently changing result sets. The scheme supports paging against non-unique indexes, by using both cursor and limit/offset information. It also allows for both forward and reverse cursor pagination. Much credit goes to David Cramer for this blog post on the subject. Pagination controls in the browsable API. Paginated results now include controls that render directly in the browsable API. If you're using the page or limit/offset style, then you'll see a page based control displayed in the browsable API: The cursor based pagination renders a more simple style of control: Support for header-based pagination. The pagination API was previously only able to alter the pagination style in the body of the response. The API now supports being able to write pagination information in response headers, making it possible to use pagination schemes that use the Link or Content-Range headers. For more information, see the custom pagination styles documentation.",
"text":"We've made it easier to build versioned APIs . Built-in schemes for versioning include both URL based and Accept header based variations. When using a URL based scheme, hyperlinked serializers will resolve relationships to the same API version as used on the incoming request. For example, when using NamespaceVersioning , and the following hyperlinked serializer: class AccountsSerializer(serializer.HyperlinkedModelSerializer):\n class Meta:\n model = Accounts\n fields = ('account_name', 'users') The output representation would match the version used on the incoming request. Like so: GET http://example.org/v2/accounts/10 # Version 'v2'\n\n{\n \"account_name\": \"europa\",\n \"users\": [\n \"http://example.org/v2/users/12\", # Version 'v2'\n \"http://example.org/v2/users/54\",\n \"http://example.org/v2/users/87\"\n ]\n}",
"text":"REST framework now includes a built-in set of translations, and supports internationalized error responses . This allows you to either change the default language, or to allow clients to specify the language via the Accept-Language header. You can change the default language by using the standard Django LANGUAGE_CODE setting: LANGUAGE_CODE = \"es-es\" You can turn on per-request language requests by adding LocalMiddleware to your MIDDLEWARE_CLASSES setting: MIDDLEWARE_CLASSES = [\n ...\n 'django.middleware.locale.LocaleMiddleware'\n] When per-request internationalization is enabled, client requests will respect the Accept-Language header where possible. For example, let's make a request for an unsupported media type: Request GET /api/users HTTP/1.1\nAccept: application/xml\nAccept-Language: es-es\nHost: example.org Response HTTP/1.0 406 NOT ACCEPTABLE\n\n{\n \"detail\": \"No se ha podido satisfacer la solicitud de cabecera de Accept.\"\n} Note that the structure of the error responses is still the same. We still have a detail key in the response. If needed you can modify this behavior too, by using a custom exception handler . We include built-in translations both for standard exception cases, and for serializer validation errors. The full list of supported languages can be found on our Transifex project page . If you only wish to support a subset of the supported languages, use Django's standard LANGUAGES setting: LANGUAGES = [\n ('de', _('German')),\n ('en', _('English')),\n] For more details, see the internationalization documentation . Many thanks to Craig Blaszczyk for helping push this through.",
"text":"Django 1.8's new ArrayField , HStoreField and UUIDField are now all fully supported. This work also means that we now have both serializers.DictField() , and serializers.ListField() types, allowing you to express and validate a wider set of representations. If you're building a new 1.8 project, then you should probably consider using UUIDField as the primary keys for all your models. This style will work automatically with hyperlinked serializers, returning URLs in the following style: http://example.org/api/purchases/9b1a433f-e90d-4948-848b-300fdc26365d",
"text":"The serializer redesign in 3.0 did not include any public API for modifying how ModelSerializer classes automatically generate a set of fields from a given mode class. We've now re-introduced an API for this, allowing you to create new ModelSerializer base classes that behave differently, such as using a different default style for relationships. For more information, see the documentation on customizing field mappings for ModelSerializer classes.",
"text":"We've now moved a number of packages out of the core of REST framework, and into separately installable packages. If you're currently using these you don't need to worry, you simply need to pip install the new packages, and change any import paths. We're making this change in order to help distribute the maintainance workload, and keep better focus of the core essentials of the framework. The change also means we can be more flexible with which external packages we recommend. For example, the excellently maintained Django OAuth toolkit has now been promoted as our recommended option for integrating OAuth support. The following packages are now moved out of core and should be separately installed: OAuth - djangorestframework-oauth XML - djangorestframework-xml YAML - djangorestframework-yaml JSONP - djangorestframework-jsonp It's worth reiterating that this change in policy shouldn't mean any work in your codebase other than adding a new requirement and modifying some import paths. For example to install XML rendering, you would now do: pip install djangorestframework-xml And modify your settings, like so: REST_FRAMEWORK = {\n 'DEFAULT_RENDERER_CLASSES': [\n 'rest_framework.renderers.JSONRenderer',\n 'rest_framework.renderers.BrowsableAPIRenderer',\n 'rest_framework_xml.renderers.XMLRenderer'\n ]\n} Thanks go to the latest member of our maintenance team, Jos\u00e9 Padilla , for handling this work and taking on ownership of these packages.",
"text":"The request.DATA , request.FILES and request.QUERY_PARAMS attributes move from pending deprecation, to deprecated. Use request.data and request.query_params instead, as discussed in the 3.0 release notes. The ModelSerializer Meta options for write_only_fields , view_name and lookup_field are also moved from pending deprecation, to deprecated. Use extra_kwargs instead, as discussed in the 3.0 release notes. All these attributes and options will still work in 3.1, but their usage will raise a warning. They will be fully removed in 3.2.",
"text":"The next focus will be on HTML renderings of API output and will include: HTML form rendering of serializers. Filtering controls built-in to the browsable API. An alternative admin-style interface. This will either be made as a single 3.2 release, or split across two separate releases, with the HTML forms and filter controls coming in 3.2, and the admin-style interface coming in a 3.3 release.",
"text":"The 3.2 release is the first version to include an admin interface for the browsable API. This interface is intended to act as a more user-friendly interface to the API. It can be used either as a replacement to the existing BrowsableAPIRenderer , or used together with it, allowing you to switch between the two styles as required. We've also fixed a huge number of issues, and made numerous cleanups and improvements. Over the course of the 3.1.x series we've resolved nearly 600 tickets on our GitHub issue tracker. This means we're currently running at a rate of closing around 100 issues or pull requests per month . None of this would have been possible without the support of our wonderful Kickstarter backers. If you're looking for a job in Django development we'd strongly recommend taking a look through our sponsors and finding out who's hiring.",
"text":"To include AdminRenderer simply add it to your settings: REST_FRAMEWORK = {\n 'DEFAULT_RENDERER_CLASSES': [\n 'rest_framework.renderers.JSONRenderer',\n 'rest_framework.renderers.AdminRenderer',\n 'rest_framework.renderers.BrowsableAPIRenderer'\n ],\n 'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',\n 'PAGE_SIZE': 100\n} There are some limitations to the AdminRenderer , in particular it is not yet able to handle list or dictionary inputs, as we do not have any HTML form fields that support those. Also note that this is an initial release and we do not yet have a public API for modifying the behavior or documentation on overriding the templates. The idea is to get this released to users early, so we can start getting feedback and release a more fully featured version in 3.3.",
"text":"There are no new deprecations in 3.2, although a number of existing deprecations have now escalated in line with our deprecation policy. request.DATA was put on the deprecation path in 3.0. It has now been removed and its usage will result in an error. Use the more pythonic style of request.data instead. request.QUERY_PARAMS was put on the deprecation path in 3.0. It has now been removed and its usage will result in an error. Use the more pythonic style of request.query_params instead. The following ModelSerializer.Meta options have now been removed: write_only_fields , view_name , lookup_field . Use the more general extra_kwargs option instead. The following pagination view attributes and settings have been moved into attributes on the pagination class since 3.1. Their usage was formerly in 'pending deprecation', and has now escalated to 'deprecated'. They will continue to function but will raise errors. view.paginate_by - Use paginator.page_size instead. view.page_query_param - Use paginator.page_query_param instead. view.paginate_by_param - Use paginator.page_size_query_param instead. view.max_paginate_by - Use paginator.max_page_size instead. settings.PAGINATE_BY - Use paginator.page_size instead. settings.PAGINATE_BY_PARAM - Use paginator.page_size_query_param instead. settings.MAX_PAGINATE_BY - Use paginator.max_page_size instead.",
"text":"There are a couple of bug fixes that are worth calling out as they introduce differing behavior. These are a little subtle and probably won't affect most users, but are worth understanding before upgrading your project. ManyToMany fields and blank=True We've now added an allow_empty argument, which can be used with ListSerializer , or with many=True relationships. This is True by default, but can be set to False if you want to disallow empty lists as valid input. As a follow-up to this we are now able to properly mirror the behavior of Django's ModelForm with respect to how many-to-many fields are validated. Previously a many-to-many field on a model would map to a serializer field that would allow either empty or non-empty list inputs. Now, a many-to-many field will map to a serializer field that requires at least one input, unless the model field has blank=True set. Here's what the mapping looks like in practice: models.ManyToManyField() \u2192 serializers.PrimaryKeyRelatedField(many=True, allow_empty=False) models.ManyToManyField(blank=True) \u2192 serializers.PrimaryKeyRelatedField(many=True) The upshot is this: If you have many to many fields in your models, then make sure you've included the argument blank=True if you want to allow empty inputs in the equivalent ModelSerializer fields. List fields and allow_null When using allow_null with ListField or a nested many=True serializer the previous behavior was to allow null values as items in the list. The behavior is now to allow null values instead of the list. For example, take the following field: NestedSerializer(many=True, allow_null=True) Previously the validation behavior would be: [{\u2026}, null, {\u2026}] is valid . null is invalid . Our validation behavior as of 3.2.0 is now: [{\u2026}, null, {\u2026}] is invalid . null is valid . If you want to allow null child items, you'll need to instead specify allow_null on the child class, using an explicit ListField instead of many=True . For example: ListField(child=NestedSerializer(allow_null=True))",
"text":"The 3.3 release is currently planned for the start of October, and will be the last Kickstarter-funded release. This release is planned to include: Search and filtering controls in the browsable API and admin interface. Improvements and public API for the admin interface. Improvements and public API for our templated HTML forms and fields. Nested object and list support in HTML forms. Thanks once again to all our sponsors and supporters.",
"text":"Django REST framework 3.3\n\n\nThe 3.3 release marks the final work in the Kickstarter funded series. We'd like to offer a final resounding \nthank you\n to all our wonderful sponsors and supporters.\n\n\nThe amount of work that has been achieved as a direct result of the funding is immense. We've added a huge amounts of new functionality, resolved nearly 2,000 tickets, and redesigned \n refined large parts of the project.\n\n\nIn order to continue driving REST framework forward, we'll shortly be announcing a new set of funding plans. Follow \n@_tomchristie\n to keep up to date with these announcements, and be among the first set of sign ups.\n\n\nWe strongly believe that collaboratively funded software development yields outstanding results for a relatively low investment-per-head. If you or your company use REST framework commercially, then we would strongly urge you to participate in this latest funding drive, and help us continue to build an increasingly polished \n professional product.\n\n\n\n\nRelease notes\n\n\nSignificant new functionality in the 3.3 release includes:\n\n\n\n\nFilters presented as HTML controls in the browsable API.\n\n\nA \nforms API\n, allowing serializers to be rendered as HTML forms.\n\n\nDjango 1.9 support.\n\n\nA \nJSONField\n serializer field\n, corresponding to Django 1.9's Postgres \nJSONField\n model field.\n\n\nBrowsable API support \nvia AJAX\n, rather than server side request overloading.\n\n\n\n\n\n\nExample of the new filter controls\n\n\n\n\nSupported versions\n\n\nThis release drops support for Django 1.5 and 1.6. Django 1.7, 1.8 or 1.9 are now required.\n\n\nThis brings our supported versions into line with Django's \ncurrently supported versions\n\n\nDeprecations\n\n\nThe AJAX based support for the browsable API means that there are a number of internal cleanups in the \nrequest\n class. For the vast majority of developers this should largely remain transparent:\n\n\n\n\nTo support form based \nPUT\n and \nDELETE\n, or to support form content types such as JSON, you should now use the \nAJAX forms\n javascript library. This replaces the previous 'method and content type overloading' that required significant internal complexity to the request class.\n\n\nThe \naccept\n query parameter is no longer supported by the default content negotiation class. If you require it then you'll need to \nuse a custom content negotiation class\n.\n\n\nThe custom \nHTTP_X_HTTP_METHOD_OVERRIDE\n header is no longer supported by default. If you require it then you'll need to \nuse custom middleware\n.\n\n\n\n\nThe following pagination view attributes and settings have been moved into attributes on the pagination class since 3.1. Their usage was formerly deprecated, and has now been removed entirely, in line with the deprecation policy.\n\n\n\n\nview.paginate_by\n - Use \npaginator.page_size\n instead.\n\n\nview.page_query_param\n - Use \npaginator.page_query_param\n instead.\n\n\nview.paginate_by_param\n - Use \npaginator.page_size_query_param\n instead.\n\n\nview.max_paginate_by\n - Use \npaginator.max_page_size\n instead.\n\n\nsettings.PAGINATE_BY\n - Use \npaginator.page_size\n instead.\n\n\nsettings.PAGINATE_BY_PARAM\n - Use \npaginator.page_size_query_param\n instead.\n\n\nsettings.MAX_PAGINATE_BY\n - Use \npaginator.max_page_size\n instead.\n\n\n\n\nThe \nModelSerializer\n and \nHyperlinkedModelSerializer\n classes should now include either a \nfields\n or \nexclude\n option, although the \nfields = '__all__'\n shortcut may be used. Failing to include either of these two options is currently pending deprecation, and will be removed entirely in the 3.5 release. This behavior brings \nModelSerializer\n more closely in line with Django's \nModelForm\n behavior.",
"text":"The 3.3 release marks the final work in the Kickstarter funded series. We'd like to offer a final resounding thank you to all our wonderful sponsors and supporters. The amount of work that has been achieved as a direct result of the funding is immense. We've added a huge amounts of new functionality, resolved nearly 2,000 tickets, and redesigned refined large parts of the project. In order to continue driving REST framework forward, we'll shortly be announcing a new set of funding plans. Follow @_tomchristie to keep up to date with these announcements, and be among the first set of sign ups. We strongly believe that collaboratively funded software development yields outstanding results for a relatively low investment-per-head. If you or your company use REST framework commercially, then we would strongly urge you to participate in this latest funding drive, and help us continue to build an increasingly polished professional product.",
"text":"Significant new functionality in the 3.3 release includes: Filters presented as HTML controls in the browsable API. A forms API , allowing serializers to be rendered as HTML forms. Django 1.9 support. A JSONField serializer field , corresponding to Django 1.9's Postgres JSONField model field. Browsable API support via AJAX , rather than server side request overloading. Example of the new filter controls",
"text":"This release drops support for Django 1.5 and 1.6. Django 1.7, 1.8 or 1.9 are now required. This brings our supported versions into line with Django's currently supported versions",
"text":"The AJAX based support for the browsable API means that there are a number of internal cleanups in the request class. For the vast majority of developers this should largely remain transparent: To support form based PUT and DELETE , or to support form content types such as JSON, you should now use the AJAX forms javascript library. This replaces the previous 'method and content type overloading' that required significant internal complexity to the request class. The accept query parameter is no longer supported by the default content negotiation class. If you require it then you'll need to use a custom content negotiation class . The custom HTTP_X_HTTP_METHOD_OVERRIDE header is no longer supported by default. If you require it then you'll need to use custom middleware . The following pagination view attributes and settings have been moved into attributes on the pagination class since 3.1. Their usage was formerly deprecated, and has now been removed entirely, in line with the deprecation policy. view.paginate_by - Use paginator.page_size instead. view.page_query_param - Use paginator.page_query_param instead. view.paginate_by_param - Use paginator.page_size_query_param instead. view.max_paginate_by - Use paginator.max_page_size instead. settings.PAGINATE_BY - Use paginator.page_size instead. settings.PAGINATE_BY_PARAM - Use paginator.page_size_query_param instead. settings.MAX_PAGINATE_BY - Use paginator.max_page_size instead. The ModelSerializer and HyperlinkedModelSerializer classes should now include either a fields or exclude option, although the fields = '__all__' shortcut may be used. Failing to include either of these two options is currently pending deprecation, and will be removed entirely in the 3.5 release. This behavior brings ModelSerializer more closely in line with Django's ModelForm behavior.",
"text":"In order to continue to drive the project forward, I'm launching a Kickstarter campaign to help fund the development of a major new release - Django REST framework 3.",
"text":"This new release will allow us to comprehensively address some of the shortcomings of the framework, and will aim to include the following: Faster, simpler and easier-to-use serializers. An alternative admin-style interface for the browsable API. Search and filtering controls made accessible in the browsable API. Alternative API pagination styles. Documentation around API versioning. Triage of outstanding tickets. Improving the ongoing quality and maintainability of the project. Full details are available now on the project page . If you're interested in helping make sustainable open source development a reality please visit the Kickstarter page and consider funding the project. I can't wait to see where this takes us! Many thanks to everyone for your support so far, Tom Christie :)",
"text":"We've now blazed way past all our goals, with a staggering \u00a330,000 (~$50,000), meaning I'll be in a position to work on the project significantly beyond what we'd originally planned for. I owe a huge debt of gratitude to all the wonderful companies and individuals who have been backing the project so generously, and making this possible. Platinum sponsors Our platinum sponsors have each made a hugely substantial contribution to the future development of Django REST framework, and I simply can't thank them enough. Eventbrite Divio Lulu Potato Wiredrive Cyan Runscope Simple Energy VOKAL Interactive Purple Bit KuwaitNET Gold sponsors Our gold sponsors include companies large and small. Many thanks for their significant funding of the project and their commitment to sustainable open-source development. LaterPay Schuberg Philis ProReNata AB SGA Websites Sirono Vinta Software Studio Rapasso Mirus Research Hipo Byte Lightning Kite Opbeat Koordinates Pulsecode Inc. Singing Horse Studio Ltd. Heroku Rheinwerk Verlag Security Compass Django Software Foundation Hipflask Crate Cryptico Corp NextHub Compile WusaWork Envision Linux Silver sponsors The serious financial contribution that our silver sponsors have made is very much appreciated. I'd like to say a particular thank you to individuals who have choosen to privately support the project at this level. IMT Computer Services Wildfish Thermondo GmbH Providenz alwaysdata.com Triggered Messaging PushPull Technology Ltd Transcode Garfo Shippo Gizmag Tivix Safari Bright Loop ABA Systems beefarm.ru Vzzual.com Infinite Code Crossword Tracker PkgFarm Life. The Game. Blimp Pathwright Fluxility Teonite TrackMaven Phurba Nephila Aditium OpenEye Scientific Software Holvi Cantemo MakeSpace AX Semantics ISL Individual backers : Paul Hallett, Paul Whipp , Dylan Roy, Jannis Leidel, Xavier Ordoquy , Johannes Spielmann , Rob Spectre , Chris Heisel , Marwan Alsabbagh, Haris Ali, Tuomas Toivonen. Advocates The following individuals made a significant financial contribution to the development of Django REST framework 3, for which I can only offer a huge, warm and sincere thank you! Individual backers : Jure Cuhalev, Kevin Brolly, Ferenc Szalai, Dougal Matthews, Stefan Foulis, Carlos Hernando, Alen Mujezinovic, Ross Crawford-d'Heureuse, George Kappel, Alasdair Nicol, John Carr, Steve Winton, Trey, Manuel Miranda, David Horn, Vince Mi, Daniel Sears, Jamie Matthews, Ryan Currah, Marty Kemka, Scott Nixon, Moshin Elahi, Kevin Campbell, Jose Antonio Leiva Izquierdo, Kevin Stone, Andrew Godwin, Tijs Teulings, Roger Boardman, Xavier Antoviaque, Darian Moody, Lujeni, Jon Dugan, Wiley Kestner, Daniel C. Silverstein, Daniel Hahler, Subodh Nijsure, Philipp Weidenhiller, Yusuke Muraoka, Danny Roa, Reto Aebersold, Kyle Getrost, D\u00e9c\u00e9bal Hormuz, James Dacosta, Matt Long, Mauro Rocco, Tyrel Souza, Ryan Campbell, Ville Jyrkk\u00e4, Charalampos Papaloizou, Nikolai R\u00f8ed Kristiansen, Antoni Aloy L\u00f3pez, Celia Oakley, Micha\u0142 Krawczak, Ivan VenOsdel, Tim Watts, Martin Warne, Nicola Jordan, Ryan Kaskel. Corporate backers : Savannah Informatics, Prism Skylabs, Musical Operating Devices. Supporters There were also almost 300 further individuals choosing to help fund the project at other levels or choosing to give anonymously. Again, thank you, thank you, thank you!",
"text":"Mozilla Grant\n\n\nWe have recently been \nawarded a Mozilla grant\n, in order to fund the next major releases of REST framework. This work will focus on seamless client-side integration by introducing supporting client libraries that are able to dynamically interact with REST framework APIs. The framework will provide for either hypermedia or schema endpoints, which will expose the available interface for the client libraries to interact with.\n\n\nAdditionally, we will be building on the realtime support that Django Channels provides, supporting and documenting how to build realtime APIs with REST framework. Again, this will include supporting work in the associated client libraries, making it easier to build richly interactive applications.\n\n\nThe \nCore API\n project will provide the foundations for our client library support, and will allow us to support interaction using a wide range of schemas and hypermedia formats. It's worth noting that these client libraries won't be tightly coupled to solely REST framework APIs either, and will be able to interact with \nany\n API that exposes a supported schema or hypermedia format.\n\n\nSpecifically, the work includes:\n\n\nClient libraries\n\n\nThis work will include built-in schema and hypermedia support, allowing dynamic client libraries to interact with the API. I'll also be releasing both Python and Javascript client libraries, plus a command-line client, a new tutorial section, and further documentation.\n\n\n\n\nClient library support in REST framework.\n\n\nSchema \n hypermedia support for REST framework APIs.\n\n\nA test client, allowing you to write tests that emulate a client library interacting with your API.\n\n\nNew tutorial sections on using client libraries to interact with REST framework APIs.\n\n\nPython client library.\n\n\nJavaScript client library.\n\n\nCommand line client.\n\n\n\n\nRealtime APIs\n\n\nThe next goal is to build on the realtime support offered by Django Channels, adding support \n documentation for building realtime API endpoints.\n\n\n\n\nSupport for API subscription endpoints, using REST framework and Django Channels.\n\n\nNew tutorial section on building realtime API endpoints with REST framework.\n\n\nRealtime support in the Python \n Javascript client libraries.\n\n\n\n\nAccountability\n\n\nIn order to ensure that I can be fully focused on trying to secure a sustainable\n\n well-funded open source business I will be leaving my current role at \nDabApps\n\nat the end of May 2016.\n\n\nI have formed a UK limited company, \nEncode\n, which will\nact as the business entity behind REST framework. I will be issuing monthly reports\nfrom Encode on progress both towards the Mozilla grant, and for development time\nfunded via the \nREST framework paid plans\n.\n\n\n\n\n\n\n\n\n #mc_embed_signup{background:#fff; clear:left; font:14px Helvetica,Arial,sans-serif; }\n /<em> Add your own MailChimp form style overrides in your site stylesheet or in this style block.\n We recommend moving this block and the preceding CSS link to the HEAD of your HTML file. </em>/\n\n\n\n\n\n\n \n\n \nStay up to date, with our monthly progress reports...\n\n\n\n \nEmail Address \n\n \n\n\n\n \n\n \n\n \n\n \n \n\n \n\n \n\n \n\n\n\n\n\n\n(function($) {window.fnames = new Array(); window.ftypes = new Array();fnames[0]='EMAIL';ftypes[0]='email';fnames[1]='FNAME';ftypes[1]='text';fnames[2]='LNAME';ftypes[2]='text';}(jQuery));var $mcj = jQuery.noConflict(true);",
"text":"We have recently been awarded a Mozilla grant , in order to fund the next major releases of REST framework. This work will focus on seamless client-side integration by introducing supporting client libraries that are able to dynamically interact with REST framework APIs. The framework will provide for either hypermedia or schema endpoints, which will expose the available interface for the client libraries to interact with. Additionally, we will be building on the realtime support that Django Channels provides, supporting and documenting how to build realtime APIs with REST framework. Again, this will include supporting work in the associated client libraries, making it easier to build richly interactive applications. The Core API project will provide the foundations for our client library support, and will allow us to support interaction using a wide range of schemas and hypermedia formats. It's worth noting that these client libraries won't be tightly coupled to solely REST framework APIs either, and will be able to interact with any API that exposes a supported schema or hypermedia format. Specifically, the work includes:",
"text":"This work will include built-in schema and hypermedia support, allowing dynamic client libraries to interact with the API. I'll also be releasing both Python and Javascript client libraries, plus a command-line client, a new tutorial section, and further documentation. Client library support in REST framework. Schema hypermedia support for REST framework APIs. A test client, allowing you to write tests that emulate a client library interacting with your API. New tutorial sections on using client libraries to interact with REST framework APIs. Python client library. JavaScript client library. Command line client.",
"text":"The next goal is to build on the realtime support offered by Django Channels, adding support documentation for building realtime API endpoints. Support for API subscription endpoints, using REST framework and Django Channels. New tutorial section on building realtime API endpoints with REST framework. Realtime support in the Python Javascript client libraries.",
"text":"In order to ensure that I can be fully focused on trying to secure a sustainable well-funded open source business I will be leaving my current role at DabApps \nat the end of May 2016. I have formed a UK limited company, Encode , which will\nact as the business entity behind REST framework. I will be issuing monthly reports\nfrom Encode on progress both towards the Mozilla grant, and for development time\nfunded via the REST framework paid plans . \n #mc_embed_signup{background:#fff; clear:left; font:14px Helvetica,Arial,sans-serif; }\n /<em> Add your own MailChimp form style overrides in your site stylesheet or in this style block.\n We recommend moving this block and the preceding CSS link to the HEAD of your HTML file. </em>/",
"title":"Accountability"
},
{
"location":"/topics/funding/",
"text":"// Imperfect, but easier to fit in with the existing docs build.\n// Hyperlinks should point directly to the \"fund.\" subdomain, but this'll\n// handle the nav bar links without requiring any docs build changes for the moment.\nif (window.location.hostname == \"www.django-rest-framework.org\") {\n window.location.replace(\"https://fund.django-rest-framework.org/topics/funding/\");\n}\n\n\n\n\n\n.promolia{\nfloat:left;\nwidth:130px;\nheight:20px;\ntext-align:center;\nmargin:10px30px;\npadding:150px000;\nbackground-position:050%;\nbackground-size:130pxauto;\nbackground-repeat:no-repeat;\nfont-size:120%;\ncolor:black;\n}\n.promoli{\nlist-style:none;\n}\n.chart{\nbackground-color:#e3e3e3;\nbackground:-webkit-linear-gradient(top,#fff0,#e3e3e3100%);\nborder:1pxsolid#E6E6E6;\nborder-radius:5px;\nbox-shadow:0px0px2px0pxrgba(181,181,181,0.3);\npadding:40px0px5px;\nposition:relative;\ntext-align:center;\nwidth:97%;\nmin-height:255px;\nposition:relative;\ntop:37px;\nmargin-bottom:20px\n}\n.quantity{\ntext-align:center\n}\n.dollar{\nfont-size:19px;\nposition:relative;\ntop:-18px;\n}\n.price{\nfont-size:49px;\n}\n.period{\nfont-size:17px;\nposition:relative;\ntop:-8px;\nmargin-left:4px;\n}\n.plan-name{\ntext-align:center;\nfont-size:20px;\nfont-weight:400;\ncolor:#777;\nborder-bottom:1pxsolid#d5d5d5;\npadding-bottom:15px;\nwidth:90%;\nmargin:0auto;\nmargin-top:8px;\n}\n.specs{\nmargin-top:20px;\nmin-height:130px;\n}\n.specs.freelancer{\nmin-height:0px;\n}\n.spec{\nfont-size:15px;\ncolor:#474747;\ntext-align:center;\nfont-weight:300;\nmargin-bottom:13px;\n}\n.variable{\ncolor:#1FBEE7;\nfont-weight:400;\n}\nform.signup{\nmargin-top:35px\n}\n.clear-promo{\npadding-top:30px\n}\n#main-contenth1:first-of-type{\nmargin:0050px;\nfont-size:60px;\nfont-weight:200;\ntext-align:center\n}\n#main-content{\npadding-top:10px;line-height:23px\n}\n#main-contentli{\nline-height:23px\n}\n\n\n\n\nFunding\n\n\n\n\nAsadirectresultof\nasuccessfulMozillagrantapplication\n,Iwillbeleavingmycurrentroleat\nDabApps\n,andattemptingtosecureasustainablebusinessmodelforRESTframeworkdevelopment.Ineedyourhelpinordertomakethiswork.\n\n\nTomChristie\n\n\n\n\nIfyouuseRESTframeworkcommerciallywestronglyencourageyoutoinvestinitscontinueddevelopmentbysigningupforapaidplan.\n\n\nWebelievethatcollaborativelyfundedsoftwarecanofferoutstandingreturnsoninvestment,byencouragingouruserstocollectivelysharethecostofdevelopment.\n\n\nSigningupforapaidplanwill:\n\n\n\n\nDirectlycontributetofasterreleases,morefeatures,andhigherqualitysoftware.\n\n\nAllowmoretimetobeinvestedindocumentation,issuetriage,andcommunitysupport.\n\n\nSafeguardthefuturedevelopmentofRESTframework.\n\n\n\n\nRESTframeworkcontinuestobeopen-sourceandpermissivelylicensed,butwefirmlybelieveitisinthecommercialbest-interestforusersoftheprojecttoinvestinitsongoingdevelopment.\n\n\n\n\nMakingthebusinesscase\n\n\nOur\nsuccessfulKickstartercampaign\ndemonstratestheimpressivecost-rewardratioofsharedfundingofopen-sourcesoftware.\n\n\nWith\ntypicalcorporatefundingsofjust\u00a3100-\u00a31000perorganization\nwesuccessfullydelivered:\n\n\n\n\nThecomprehensiveserializerredesign,and\nversion3.0release\n.\n\n\nOngoingtriageandcommunitysupport,\nclosingover1600tickets\n.\n\n\nSubstantialimprovementstotheBrowsableAPI.\n\n\nTheadmininterface.\n\n\nAnewpaginationAPIincludingoffset/limitandcursorpaginationimplementations,pluson-pagecontrols.\n\n\nAversioningAPI,includingURL-basedandheader-basedversioningschemes.\n\n\nSupportforcustomizableexception
"title":"Funding"
},
{
"location":"/topics/funding/#funding",
"text":"As a direct result of a successful Mozilla grant application , I will be leaving my current role at DabApps , and attempting to secure a sustainable business model for REST framework development. I need your help in order to make this work. Tom Christie If you use REST framework commercially we strongly encourage you to invest in its continued development by signing up for a paid plan. We believe that collaboratively funded software can offer outstanding returns on investment, by encouraging our users to collectively share the cost of development. Signing up for a paid plan will: Directly contribute to faster releases, more features, and higher quality software. Allow more time to be invested in documentation, issue triage, and community support. Safeguard the future development of REST framework. REST framework continues to be open-source and permissively licensed, but we firmly believe it is in the commercial best-interest for users of the project to invest in its ongoing development.",
"text":"Our successful Kickstarter campaign demonstrates the impressive cost-reward ratio of shared funding of open-source software. With typical corporate fundings of just \u00a3100-\u00a31000 per organization we successfully delivered: The comprehensive serializer redesign, and version 3.0 release . Ongoing triage and community support, closing over 1600 tickets . Substantial improvements to the Browsable API. The admin interface. A new pagination API including offset/limit and cursor pagination implementations, plus on-page controls. A versioning API, including URL-based and header-based versioning schemes. Support for customizable exception handling. Support for Django's PostgreSQL HStoreField, ArrayField and JSONField. Templated HTML form support, including HTML forms with nested list and objects. Internationalization support for API responses, currently with 27 languages. The metadata APIs for handling OPTIONS requests and schema endpoints. Numerous minor improvements and better quality throughout the codebase. This incredible level of return on investment is only possible through collaboratively funded models , which is why we believe that supporting our paid plans is in everyone's best interest. Sign up for a paid plan today, and help ensure that REST framework becomes a sustainable, full-time funded project.",
"title":"Making the business case"
},
{
"location":"/topics/funding/#freelancer-plan",
"text":"This subscription is recommended for freelancers and other individuals with an interest in seeing REST framework continue to improve. If you are using REST framework as an full-time employee, consider recommending that your company takes out a corporate plan . \n \n \n \n {{ symbol }} \n {{ rates.personal1 }} \n /month{% if vat %} +VAT{% endif %} \n \n Freelancer \n \n \n Support ongoing development\n \n \n Credited on the site\n \n \n \n \n \n \n \n Billing is monthly and you can cancel at any time.",
"title":"Freelancer plan"
},
{
"location":"/topics/funding/#corporate-plans",
"text":"These subscriptions are recommended for companies and organizations using REST framework either publicly or privately. In exchange for funding you'll also receive advertising space on our site, allowing you to promote your company or product to many tens of thousands of developers worldwide . Our professional and premium plans also include priority support . At any time your engineers can escalate an issue or discussion group thread, and we'll ensure it gets a guaranteed response within the next working day. \n \n \n \n {{ symbol }} \n {{ rates.corporate1 }} \n /month{% if vat %} +VAT{% endif %} \n \n Basic \n \n \n Support ongoing development\n \n \n Funding page ad placement\n \n \n \n \n \n \n \n \n \n \n {{ symbol }} \n {{ rates.corporate2 }} \n /month{% if vat %} +VAT{% endif %} \n \n Professional \n \n \n Support ongoing development\n \n \n Sidebar ad placement\n \n \n Priority support for your engineers\n \n \n \n \n \n \n \n \n \n \n {{ symbol }} \n {{ rates.corporate3 }} \n /month{% if vat %} +VAT{% endif %} \n \n Premium \n \n \n Support ongoing development\n \n \n Homepage ad placement\n \n \n Sidebar ad placement\n \n \n Priority support for your engineers\n \n \n \n \n \n \n \n Billing is monthly and you can cancel at any time. Once you've signed up I'll contact you via email and arrange your ad placements on the site. For further enquires please contact tom@tomchristie.com .",
"title":"Corporate plans"
},
{
"location":"/topics/funding/#accountability",
"text":"In order to ensure that I can be fully focused on trying to secure a sustainable well-funded open source business I will be leaving my current role at DabApps \nat the end of May 2016. I have formed a UK limited company, Encode , which will\nact as the business entity behind REST framework. I will be issuing monthly reports\nfrom Encode on progress both towards the Mozilla grant , and for development time\nfunded via the REST framework paid plans. \n #mc_embed_signup{background:#fff; clear:left; font:14px Helvetica,Arial,sans-serif; }\n /<em> Add your own MailChimp form style overrides in your site stylesheet or in this style block.\n We recommend moving this block and the preceding CSS link to the HEAD of your HTML file. </em>/",
"text":"Release Early, Release Often Eric S. Raymond, The Cathedral and the Bazaar .",
"title":"Release Notes"
},
{
"location":"/topics/release-notes/#versioning",
"text":"Minor version numbers (0.0.x) are used for changes that are API compatible. You should be able to upgrade between minor point releases without any other code changes. Medium version numbers (0.x.0) may include API changes, in line with the deprecation policy . You should read the release notes carefully before upgrading between medium point releases. Major version numbers (x.0.0) are reserved for substantial project milestones.",
"text":"REST framework releases follow a formal deprecation policy, which is in line with Django's deprecation policy . The timeline for deprecation of a feature present in version 1.0 would work as follows: Version 1.1 would remain fully backwards compatible with 1.0, but would raise PendingDeprecationWarning warnings if you use the feature that are due to be deprecated. These warnings are silent by default , but can be explicitly enabled when you're ready to start migrating any required changes. For example if you start running your tests using python -Wd manage.py test , you'll be warned of any API changes you need to make. Version 1.2 would escalate these warnings to DeprecationWarning , which is loud by default. Version 1.3 would remove the deprecated bits of API entirely. Note that in line with Django's policy, any parts of the framework not mentioned in the documentation should generally be considered private API, and may be subject to change.",
"title":"Deprecation policy"
},
{
"location":"/topics/release-notes/#upgrading",
"text":"To upgrade Django REST framework to the latest version, use pip: pip install -U djangorestframework You can determine your currently installed version using pip freeze : pip freeze | grep djangorestframework",
"text":"3.2.5 Date : 27th October 2015 . Escape username in optional logout tag. ( #3550 ) 3.2.4 Date : 21th September 2015 . Don't error on missing ViewSet.search_fields attribute. ( #3324 , #3323 ) Fix allow_empty not working on serializers with many=True . ( #3361 , #3364 ) Let DurationField accepts integers. ( #3359 ) Multi-level dictionaries not supported in multipart requests. ( #3314 ) Fix ListField truncation on HTTP PATCH ( #3415 , #2761 ) 3.2.3 Date : 24th August 2015 . Added html_cutoff and html_cutoff_text for limiting select dropdowns. ( #3313 ) Added regex style to SearchFilter . ( #3316 ) Resolve issues with setting blank HTML fields. ( #3318 ) ( #3321 ) Correctly display existing 'select multiple' values in browsable API forms. ( #3290 ) Resolve duplicated validation message for IPAddressField . ([#3249[gh3249]) ( #3250 ) Fix to ensure admin renderer continues to work when pagination is disabled. ( #3275 ) Resolve error with LimitOffsetPagination when count=0, offset=0. ( #3303 ) 3.2.2 Date : 13th August 2015 . Add display_value() method for use when displaying relational field select inputs. ( #3254 ) Fix issue with BooleanField checkboxes incorrectly displaying as checked. ( #3258 ) Ensure empty checkboxes properly set BooleanField to False in all cases. ( #2776 ) Allow WSGIRequest.FILES property without raising incorrect deprecated error. ( #3261 ) Resolve issue with rendering nested serializers in forms. ( #3260 ) Raise an error if user accidentally pass a serializer instance to a response, rather than data. ( #3241 ) 3.2.1 Date : 7th August 2015 . Fix for relational select widgets rendering without any choices. ( #3237 ) Fix for 1 , 0 rendering as true , false in the admin interface. #3227 ) Fix for ListFields with single value in HTML form input. ( #3238 ) Allow request.FILES for compat with Django's HTTPRequest class. ( #3239 ) 3.2.0 Date : 6th August 2015 . Add AdminRenderer . ( #2926 ) Add FilePathField . ( #1854 ) Add allow_empty to ListField . ( #2250 ) Support django-guardian 1.3. ( #3165 ) Support grouped choices. ( #3225 ) Support error forms in browsable API. ( #3024 ) Allow permission classes to customize the error message. ( #2539 ) Support source= method on hyperlinked fields. ( #2690 ) ListField(allow_null=True) now allows null as the list value, not null items in the list. ( #2766 ) ManyToMany() maps to allow_empty=False , ManyToMany(blank=True) maps to allow_empty=True . ( #2804 ) Support custom serialization styles for primary key fields. ( #2789 ) OPTIONS requests support nested representations. ( #2915 ) Set view.action == \"metadata\" for viewsets with OPTIONS requests. ( #3115 ) Support allow_blank on UUIDField . ([#3130][gh#3130]) Do not display view docstrings with 401 or 403 response codes. ( #3216 ) Resolve Django 1.8 deprecation warnings. ( #2886 ) Fix for DecimalField validation. ( #3139 ) Fix behavior of allow_blank=False when used with trim_whitespace=True . ( #2712 ) Fix issue with some field combinations incorrectly mapping to an invalid allow_blank argument. ( #3011 ) Fix for output representations with prefetches and modified querysets. ( #2704 , #2727 ) Fix assertion error when CursorPagination is provided with certains invalid query parameters. (#2920) gh2920 . Fix UnicodeDecodeError when invalid characters included in header with TokenAuthentication . ( #2928 ) Fix transaction rollbacks with @non_atomic_requests decorator. ( #3016 ) Fix duplicate results issue with Oracle databases using SearchFilter . ( #2935 ) Fix checkbox alignment and rendering in browsable API forms. ( #2783 ) Fix for unsaved file objects which should use \"url\": null in the representation. ( #2759 ) Fix field value rendering in browsable API. ( #2416 ) Fix HStoreField to include allow_blank=True in DictField mapping. ( #2659 ) Numerous other cleanups, improvements to error messaging, private API minor fixes.",
"text":"3.1.3 Date : 4th June 2015 . Add DurationField . ( #2481 , #2989 ) Add format argument to UUIDField . ( #2788 , #3000 ) MultipleChoiceField empties incorrectly on a partial update using multipart/form-data ( #2993 , #2894 ) Fix a bug in options related to read-only RelatedField . ( #2981 , #2811 ) Fix nested serializers with unique_together relations. ( #2975 ) Allow unexpected values for ChoiceField / MultipleChoiceField representations. ( #2839 , #2940 ) Rollback the transaction on error if ATOMIC_REQUESTS is set. ( #2887 , #2034 ) Set the action on a view when override_method regardless of its None-ness. ( #2933 ) DecimalField accepts 2E+2 as 200 and validates decimal place correctly. ( #2948 , #2947 ) Support basic authentication with custom UserModel that change username . ( #2952 ) IPAddressField improvements. ( #2747 , #2618 , #3008 ) Improve DecimalField for easier subclassing. ( #2695 ) 3.1.2 Date : 13rd May 2015 . DateField.to_representation can handle str and empty values. ( #2656 , #2687 , #2869 ) Use default reason phrases from HTTP standard. ( #2764 , #2763 ) Raise error when ModelSerializer used with abstract model. ( #2757 , #2630 ) Handle reversal of non-API view_name in HyperLinkedRelatedField ( #2724 , #2711 ) Dont require pk strictly for related fields. ( #2745 , #2754 ) Metadata detects null boolean field type. ( #2762 ) Proper handling of depth in nested serializers. ( #2798 ) Display viewset without paginator. ( #2807 ) Don't check for deprecated .model attribute in permissions ( #2818 ) Restrict integer field to integers and strings. ( #2835 , #2836 ) Improve IntegerField to use compiled decimal regex. ( #2853 ) Prevent empty queryset to raise AssertionError. ( #2862 ) DjangoModelPermissions rely on get_queryset . ( #2863 ) Check AcceptHeaderVersioning with content negotiation in place. ( #2868 ) Allow DjangoObjectPermissions to use views that define get_queryset . ( #2905 ) 3.1.1 Date : 23rd March 2015 . Security fix : Escape tab switching cookie name in browsable API. Display input forms in browsable API if serializer_class is used, even when get_serializer method does not exist on the view. ( #2743 ) Use a password input for the AuthTokenSerializer. ( #2741 ) Fix missing anchor closing tag after next button. ( #2691 ) Fix lookup_url_kwarg handling in viewsets. ( #2685 , #2591 ) Fix problem with importing rest_framework.views in apps.py ( #2678 ) LimitOffsetPagination raises TypeError if PAGE_SIZE not set ( #2667 , #2700 ) German translation for min_value field error message references max_value . ( #2645 ) Remove MergeDict . ( #2640 ) Support serializing unsaved models with related fields. ( #2637 , #2641 ) Allow blank/null on radio.html choices. ( #2631 ) 3.1.0 Date : 5th March 2015 . For full details see the 3.1 release announcement .",
