<p>— Eric S. Raymond, <ahref="http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s04.html">The Cathedral and the Bazaar</a>.</p>
</blockquote>
<h2id="versioning">Versioning</h2>
<p>Minor version numbers (0.0.x) are used for changes that are API compatible. You should be able to upgrade between minor point releases without any other code changes.</p>
<p>Medium version numbers (0.x.0) may include API changes, in line with the <ahref="#deprecation-policy">deprecation policy</a>. You should read the release notes carefully before upgrading between medium point releases.</p>
<p>REST framework releases follow a formal deprecation policy, which is in line with <ahref="https://docs.djangoproject.com/en/dev/internals/release-process/#internal-release-deprecation-policy">Django's deprecation policy</a>.</p>
<p>The timeline for deprecation of a feature present in version 1.0 would work as follows:</p>
<ul>
<li>
<p>Version 1.1 would remain <strong>fully backwards compatible</strong> with 1.0, but would raise <code>PendingDeprecationWarning</code> warnings if you use the feature that are due to be deprecated. These warnings are <strong>silent by default</strong>, but can be explicitly enabled when you're ready to start migrating any required changes. For example if you start running your tests using <code>python -Wd manage.py test</code>, you'll be warned of any API changes you need to make.</p>
</li>
<li>
<p>Version 1.2 would escalate these warnings to <code>DeprecationWarning</code>, which is loud by default.</p>
</li>
<li>
<p>Version 1.3 would remove the deprecated bits of API entirely.</p>
</li>
</ul>
<p>Note that in line with Django's policy, any parts of the framework not mentioned in the documentation should generally be considered private API, and may be subject to change.</p>
<h2id="upgrading">Upgrading</h2>
<p>To upgrade Django REST framework to the latest version, use pip:</p>
<p><strong>Date</strong>: <ahref="https://github.com/tomchristie/django-rest-framework/issues?q=milestone%3A%223.0.2+Release%22">17th December 2014</a>.</p>
<li>Ensure <code>request.user</code> is made available to response middleware. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2155">#2155</a>)</li>
<li><code>Client.logout()</code> also cancels any existing <code>force_authenticate</code>. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2218">#2218</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2259">#2259</a>)</li>
<li>Extra assertions and better checks to preventing incorrect serializer API use. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2228">#2228</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2234">#2234</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2262">#2262</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2263">#2263</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2266">#2266</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2267">#2267</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2289">#2289</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2291">#2291</a>)</li>
<li>Fixed <code>min_length</code> message for <code>CharField</code>. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2255">#2255</a>)</li>
<li>Fix <code>UnicodeDecodeError</code>, which can occur on serializer <code>repr</code>. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2270">#2270</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2279">#2279</a>)</li>
<li>Fix empty HTML values when a default is provided. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2280">#2280</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2294">#2294</a>)</li>
<li>Fix <code>SlugRelatedField</code> raising <code>UnicodeEncodeError</code> when used as a multiple choice input. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2290">#2290</a>)</li>
<p><strong>Date</strong>: <ahref="https://github.com/tomchristie/django-rest-framework/issues?q=milestone%3A%223.0.1+Release%22">11th December 2014</a>.</p>
<li>More helpful error message when the default Serializer <code>create()</code> fails. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2013">#2013</a>)</li>
<li>Raise error when attempting to save serializer if data is not valid. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2098">#2098</a>)</li>
<li>Fix <code>FileUploadParser</code> breaks with empty file names and multiple upload handlers. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2109">#2109</a>)</li>
<li>Improve <code>BindingDict</code> to support standard dict-functions. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2135">#2135</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2163">#2163</a>)</li>
<li>Add <code>validate()</code> to <code>ListSerializer</code>. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2168">#2168</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2225">#2225</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2232">#2232</a>)</li>
<li>Fix JSONP renderer failing to escape some characters. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2169">#2169</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2195">#2195</a>)</li>
<li>Add missing default style for <code>FileField</code>. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2172">#2172</a>)</li>
<li>Actions are required when calling <code>ViewSet.as_view()</code>. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2175">#2175</a>)</li>
<li>Add <code>allow_blank</code> to <code>ChoiceField</code>. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2184">#2184</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2239">#2239</a>)</li>
<li>Cosmetic fixes in the HTML renderer. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2187">#2187</a>)</li>
<li>Raise error if <code>fields</code> on serializer is not a list of strings. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2193">#2193</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2213">#2213</a>)</li>
<li>Improve checks for nested creates and updates. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2194">#2194</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2196">#2196</a>)</li>
<li><code>validated_attrs</code> argument renamed to <code>validated_data</code> in <code>Serializer</code><code>create()</code>/<code>update()</code>. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2197">#2197</a>)</li>
<li>Remove deprecated code to reflect the dropped Django versions. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2200">#2200</a>)</li>
<li>Better serializer errors for nested writes. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2202">#2202</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2215">#2215</a>)</li>
<li>Fix pagination and custom permissions incompatibility. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2205">#2205</a>)</li>
<li>Raise error if <code>fields</code> on serializer is not a list of strings. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2213">#2213</a>)</li>
<li>Add missing translation markers for relational fields. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2231">#2231</a>)</li>
<li>Improve field lookup behavior for dicts/mappings. (<ahref="https://github.com/tomchristie/django-rest-framework/issues/2244">#2244</a>, <ahref="https://github.com/tomchristie/django-rest-framework/issues/2243">#2243</a>)</li>
<p><strong>Date</strong>: <ahref="https://github.com/tomchristie/django-rest-framework/issues?q=milestone%3A%222.4.4+Release%22+">3rd November 2014</a>.</p>
<ul>
<li><strong>Security fix</strong>: Escape URLs when replacing <code>format=</code> query parameter, as used in dropdown on <code>GET</code> button in browsable API to allow explicit selection of JSON vs HTML output.</li>
<li>Maintain ordering of URLs in API root view for <code>DefaultRouter</code>.</li>
<li>Fix <code>follow=True</code> in <code>APIRequestFactory</code></li>
<li>Resolve issue with invalid <code>read_only=True</code>, <code>required=True</code> fields being automatically generated by <code>ModelSerializer</code> in some cases.</li>
<li>Resolve issue with <code>OPTIONS</code> requests returning incorrect information for views using <code>get_serializer_class</code> to dynamically determine serializer based on request method. </li>
<p><strong>Date</strong>: <ahref="https://github.com/tomchristie/django-rest-framework/issues?q=milestone%3A%222.4.3+Release%22+">19th September 2014</a>.</p>
<ul>
<li>Support translatable view docstrings being displayed in the browsable API.</li>
<li>Support <ahref="http://tools.ietf.org/html/rfc6266#section-4.3">encoded <code>filename*</code></a> in raw file uploads with <code>FileUploadParser</code>.</li>
<li>Allow routers to support viewsets that don't include any list routes or that don't include any detail routes.</li>
<li>Don't render an empty login control in browsable API if <code>login</code> view is not included.</li>
<li>CSRF exemption performed in <code>.as_view()</code> to prevent accidental omission if overriding <code>.dispatch()</code>.</li>
<li>Login on browsable API now displays validation errors.</li>
<li>Bugfix: Fix migration in <code>authtoken</code> application.</li>
<li>Bugfix: Allow selection of integer keys in nested choices.</li>
<li>Bugfix: Return <code>None</code> instead of <code>'None'</code> in <code>CharField</code> with <code>allow_none=True</code>.</li>
<p><strong>Date</strong>: <ahref="https://github.com/tomchristie/django-rest-framework/issues?q=milestone%3A%222.4.2+Release%22+">3rd September 2014</a>.</p>
<p><strong>Date</strong>: <ahref="https://github.com/tomchristie/django-rest-framework/issues?q=milestone%3A%222.4.1+Release%22+">1st September 2014</a>.</p>
<p><strong>Date</strong>: <ahref="https://github.com/tomchristie/django-rest-framework/issues?q=milestone%3A%222.4.0+Release%22+">29th August 2014</a>.</p>
<p><strong>Django version requirements</strong>: The lowest supported version of Django is now 1.4.2.</p>
<p><strong>South version requirements</strong>: This note applies to any users using the optional <code>authtoken</code> application, which includes an associated database migration. You must now <em>either</em> upgrade your <code>south</code> package to version 1.0, <em>or</em> instead use the built-in migration support available with Django 1.7.</p>
<ul>
<li>Added compatibility with Django 1.7's database migration support.</li>
<li>New test runner, using <code>py.test</code>.</li>
<li>Deprecated <code>.model</code> view attribute in favor of explicit <code>.queryset</code> and <code>.serializer_class</code> attributes. The <code>DEFAULT_MODEL_SERIALIZER_CLASS</code> setting is also deprecated.</li>
<li><code>@detail_route</code> and <code>@list_route</code> decorators replace <code>@action</code> and <code>@link</code>.</li>
<li>Support customizable view name and description functions, using the <code>VIEW_NAME_FUNCTION</code> and <code>VIEW_DESCRIPTION_FUNCTION</code> settings.</li>
<li>Added <code>NUM_PROXIES</code> setting for smarter client IP identification.</li>
<li>Added <code>MAX_PAGINATE_BY</code> setting and <code>max_paginate_by</code> generic view attribute.</li>
<li>Added <code>Retry-After</code> header to throttled responses, as per <ahref="http://tools.ietf.org/html/rfc6585">RFC 6585</a>. This should now be used in preference to the custom <code>X-Trottle-Wait-Seconds</code> header which will be fully deprecated in 3.0.</li>
<li>Added <code>cache</code> attribute to throttles to allow overriding of default cache.</li>
<li>Added <code>lookup_value_regex</code> attribute to routers, to allow the URL argument matching to be constrainted by the user.</li>
<li>Added <code>allow_none</code> option to <code>CharField</code>.</li>
<li>Support Django's standard <code>status_code</code> class attribute on responses.</li>
<li>More intuitive behavior on the test client, as <code>client.logout()</code> now also removes any credentials that have been set.</li>
<li>Bugfix: <code>?page_size=0</code> query parameter now falls back to default page size for view, instead of always turning pagination off.</li>
<li>Bugfix: Copy <code>filter_backends</code> list before returning it, in order to prevent view code from mutating the class attribute itself.</li>
<li>Bugfix: Set the <code>.action</code> attribute on viewsets when introspected by <code>OPTIONS</code> for testing permissions on the view.</li>
<li>Bugfix: Ensure <code>ValueError</code> raised during deserialization results in a error list rather than a single error. This is now consistent with other validation errors.</li>
<li>Bugfix: Fix <code>cache_format</code> typo on throttle classes, was <code>"throtte_%(scope)s_%(ident)s"</code>. Note that this will invalidate existing throttle caches.</li>
<li><strong>Security fix</strong>: <code>OrderingField</code> now only allows ordering on readable serializer fields, or on fields explicitly specified using <code>ordering_fields</code>. This prevents users being able to order by fields that are not visible in the API, and exploiting the ordering of sensitive data such as password hashes.</li>
<li>Bugfix: <code>write_only = True</code> fields now display in the browsable API.</li>
<li>Bugfix: Refine behavior that calls model manager <code>all()</code> across nested serializer relationships, preventing erronous behavior with some non-ORM objects, and preventing unnecessary queryset re-evaluations.</li>
<li>Added status code category helper functions.</li>
<li>Bugfix: Partial updates which erronously set a related field to <code>None</code> now correctly fail validation instead of raising an exception.</li>
<li>Added queryset aggregates to allowed fields in <code>OrderingFilter</code>.</li>
<li>Bugfix: Fix decimal suppoprt with <code>YAMLRenderer</code>.</li>
<li>Bugfix: Fix submission of unicode in browsable API through raw data form.</li>
</ul>
<h3id="238">2.3.8</h3>
<p><strong>Date</strong>: 11th September 2013</p>
<ul>
<li>Added <code>DjangoObjectPermissions</code>, and <code>DjangoObjectPermissionsFilter</code>.</li>
<li>Support customizable exception handling, using the <code>EXCEPTION_HANDLER</code> setting.</li>
<li>Support customizable view name and description functions, using the <code>VIEW_NAME_FUNCTION</code> and <code>VIEW_DESCRIPTION_FUNCTION</code> settings.</li>
<li>Added <code>MAX_PAGINATE_BY</code> setting and <code>max_paginate_by</code> generic view attribute.</li>
<li>Added <code>cache</code> attribute to throttles to allow overriding of default cache.</li>
<li>'Raw data' tab in browsable API now contains pre-populated data.</li>
<p>[*] Note that the change in <code>page_size=0</code> behaviour fixes what is considered to be a bug in how clients can effect the pagination size. However if you were relying on this behavior you will need to add the following mixin to your list views in order to preserve the existing behavior.</p>
<li>Added <code>get_url</code> hook to <code>HyperlinkedIdentityField</code>.</li>
<li>Serializer field <code>default</code> argument may be a callable.</li>
<li><code>@action</code> decorator now accepts a <code>methods</code> argument.</li>
<li>Bugfix: <code>request.user</code> should be still be accessible in renderer context if authentication fails.</li>
<li>Bugfix: The <code>lookup_field</code> option on <code>HyperlinkedIdentityField</code> should apply by default to the url field on the serializer.</li>
<li>Bugfix: <code>HyperlinkedIdentityField</code> should continue to support <code>pk_url_kwarg</code>, <code>slug_url_kwarg</code>, <code>slug_field</code>, in a pending deprecation state.</li>
<li>Bugfix: Ensure we always return 404 instead of 500 if a lookup field cannot be converted to the correct lookup type. (Eg non-numeric <code>AutoInteger</code> pk lookup)</li>
</ul>
<h3id="234">2.3.4</h3>
<p><strong>Date</strong>: 24th May 2013</p>
<ul>
<li>Serializer fields now support <code>label</code> and <code>help_text</code>.</li>
<li>Added <code>UnicodeJSONRenderer</code>.</li>
<li><code>OPTIONS</code> requests now return metadata about fields for <code>POST</code> and <code>PUT</code> requests.</li>
<li>Bugfix: <code>charset</code> now properly included in <code>Content-Type</code> of responses.</li>
<li>Bugfix: Blank choice now added in browsable API on nullable relationships.</li>
<li>Bugfix: Many to many relationships with <code>through</code> tables are now read-only.</li>
<li>Bugfix: Serializer fields now respect model field args such as <code>max_length</code>.</li>
<li>Bugfix: SlugField now performs slug validation.</li>
<li>Bugfix: Lazy-translatable strings now properly serialized.</li>
<li>Bugfix: Browsable API now supports bootswatch styles properly.</li>
<li>Bugfix: HyperlinkedIdentityField now uses <code>lookup_field</code> kwarg.</li>
</ul>
<p><strong>Note</strong>: Responses now correctly include an appropriate charset on the <code>Content-Type</code> header. For example: <code>application/json; charset=utf-8</code>. If you have tests that check the content type of responses, you may need to update these accordingly.</p>
<li>Serializer support for bulk create and bulk update operations.</li>
<li>Regression fix: Date and time fields return date/time objects by default. Fixes regressions caused by 2.2.2. See <ahref="https://github.com/tomchristie/django-rest-framework/pull/743">#743</a> for more details.</li>
<li>Bugfix: Fix 500 error is OAuth not attempted with OAuthAuthentication class installed.</li>
<li><code>Serializer.save()</code> now supports arbitrary keyword args which are passed through to the object <code>.save()</code> method. Mixins use <code>force_insert</code> and <code>force_update</code> where appropriate, resulting in one less database query.</li>
</ul>
<h3id="224">2.2.4</h3>
<p><strong>Date</strong>: 13th March 2013</p>
<ul>
<li>OAuth 2 support.</li>
<li>OAuth 1.0a support.</li>
<li>Support X-HTTP-Method-Override header.</li>
<li>Filtering backends are now applied to the querysets for object lookups as well as lists. (Eg you can use a filtering backend to control which objects should 404)</li>
<li>Deal with error data nicely when deserializing lists of objects.</li>
<li>Extra override hook to configure <code>DjangoModelPermissions</code> for unauthenticated users.</li>
<li>Bugfix: Fix regression which caused extra database query on paginated list views.</li>
<li>Bugfix: Fix pk relationship bug for some types of 1-to-1 relations.</li>
<li>Bugfix: Workaround for Django bug causing case where <code>Authtoken</code> could be registered for cascade delete from <code>User</code> even if not installed.</li>
</ul>
<h3id="223">2.2.3</h3>
<p><strong>Date</strong>: 7th March 2013</p>
<ul>
<li>Bugfix: Fix None values for for <code>DateField</code>, <code>DateTimeField</code> and <code>TimeField</code>.</li>
</ul>
<h3id="222">2.2.2</h3>
<p><strong>Date</strong>: 6th March 2013</p>
<ul>
<li>Support for custom input and output formats for <code>DateField</code>, <code>DateTimeField</code> and <code>TimeField</code>.</li>
<li>Cleanup: Request authentication is no longer lazily evaluated, instead authentication is always run, which results in more consistent, obvious behavior. Eg. Supplying bad auth credentials will now always return an error response, even if no permissions are set on the view.</li>
<li>Bugfix for serializer data being uncacheable with pickle protocol 0.</li>
<li>Bugfixes for model field validation edge-cases.</li>
<li>Bugfix for authtoken migration while using a custom user model and south.</li>
</ul>
<h3id="221">2.2.1</h3>
<p><strong>Date</strong>: 22nd Feb 2013</p>
<ul>
<li>Security fix: Use <code>defusedxml</code> package to address XML parsing vulnerabilities.</li>
<li>Raw data tab added to browsable API. (Eg. Allow for JSON input.)</li>
<li>Added TimeField.</li>
<li>Serializer fields can be mapped to any method that takes no args, or only takes kwargs which have defaults.</li>
<li>Unicode support for view names/descriptions in browsable API.</li>
<li>Bugfix: request.DATA should return an empty <code>QueryDict</code> with no data, not <code>None</code>.</li>
<li>Bugfix: Remove unneeded field validation, which caused extra queries.</li>
</ul>
<p><strong>Security note</strong>: Following the <ahref="http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html">disclosure of security vulnerabilities</a> in Python's XML parsing libraries, use of the <code>XMLParser</code> class now requires the <code>defusedxml</code> package to be installed.</p>
<p>The security vulnerabilities only affect APIs which use the <code>XMLParser</code> class, by enabling it in any views, or by having it set in the <code>DEFAULT_PARSER_CLASSES</code> setting. Note that the <code>XMLParser</code> class is not enabled by default, so this change should affect a minority of users.</p>
<h3id="220">2.2.0</h3>
<p><strong>Date</strong>: 13th Feb 2013</p>
<ul>
<li>Python 3 support.</li>
<li>Added a <code>post_save()</code> hook to the generic views.</li>
<li>Allow serializers to handle dicts as well as objects.</li>
<li>Deprecate <code>ManyRelatedField()</code> syntax in favor of <code>RelatedField(many=True)</code></li>
<li>Deprecate <code>null=True</code> on relations in favor of <code>required=False</code>.</li>
<li>Deprecate <code>blank=True</code> on CharFields, just use <code>required=False</code>.</li>
<li>Deprecate optional <code>obj</code> argument in permissions checks in favor of <code>has_object_permission</code>.</li>
<li>Support proper 401 Unauthorized responses where appropriate, instead of always using 403 Forbidden.</li>
<li>Support json encoding of timedelta objects.</li>
<li><code>format_suffix_patterns()</code> now supports <code>include</code> style URL patterns.</li>
<li>Bugfix: Fix issues with custom pagination serializers.</li>
<li>Bugfix: Nested serializers now accept <code>source='*'</code> argument.</li>
<li>Bugfix: Return proper validation errors when incorrect types supplied for relational fields.</li>
<li>Bugfix: Support nullable FKs with <code>SlugRelatedField</code>.</li>
<li>Bugfix: Don't call custom validation methods if the field has an error.</li>
</ul>
<p><strong>Note</strong>: If the primary authentication class is <code>TokenAuthentication</code> or <code>BasicAuthentication</code>, a view will now correctly return 401 responses to unauthenticated access, with an appropriate <code>WWW-Authenticate</code> header, instead of 403 responses.</p>
<h3id="2116">2.1.16</h3>
<p><strong>Date</strong>: 14th Jan 2013</p>
<ul>
<li>Deprecate <code>django.utils.simplejson</code> in favor of Python 2.6's built-in json module.</li>
<li>Bugfix: <code>auto_now</code>, <code>auto_now_add</code> and other <code>editable=False</code> fields now default to read-only.</li>
<li>Bugfix: PK fields now only default to read-only if they are an AutoField or if <code>editable=False</code>.</li>
<li>Bugfix: Validation errors instead of exceptions when serializers receive incorrect types.</li>
<li>Bugfix: Validation errors instead of exceptions when related fields receive incorrect types.</li>
<li>Bugfix: Handle ObjectDoesNotExist exception when serializing null reverse one-to-one</li>
<p><strong>Note</strong>: Prior to 2.1.16, The Decimals would render in JSON using floating point if <code>simplejson</code> was installed, but otherwise render using string notation. Now that use of <code>simplejson</code> has been deprecated, Decimals will consistently render using string notation. See <ahref="../../ticket-582">ticket 582</a> for more details.</p>
<li>Remove unused internal <code>save_m2m</code> flag on <code>ModelSerializer.save()</code>.</li>
<li>Tweak behavior of hyperlinked fields with an explicit format suffix.</li>
<li>Relation changes are now persisted in <code>.save()</code> instead of in <code>.restore_object()</code>.</li>
<li>Bugfix: Fix issue with FileField raising exception instead of validation error when files=None.</li>
<li>Bugfix: Partial updates should not set default values if field is not included.</li>
</ul>
<h3id="2114">2.1.14</h3>
<p><strong>Date</strong>: 31st Dec 2012</p>
<ul>
<li>Bugfix: ModelSerializers now include reverse FK fields on creation.</li>
<li>Bugfix: Model fields with <code>blank=True</code> are now <code>required=False</code> by default.</li>
<li>Bugfix: Nested serializers now support nullable relationships.</li>
</ul>
<p><strong>Note</strong>: From 2.1.14 onwards, relational fields move out of the <code>fields.py</code> module and into the new <code>relations.py</code> module, in order to separate them from regular data type fields, such as <code>CharField</code> and <code>IntegerField</code>.</p>
<p>This change will not affect user code, so long as it's following the recommended import style of <code>from rest_framework import serializers</code> and referring to fields using the style <code>serializers.PrimaryKeyRelatedField</code>.</p>
<li>Added <code>obtain_token_view</code> to get tokens when using <code>TokenAuthentication</code>.</li>
<li>Bugfix: Django 1.5 configurable user support for <code>TokenAuthentication</code>.</li>
</ul>
<h3id="213">2.1.3</h3>
<p><strong>Date</strong>: 16th Nov 2012</p>
<ul>
<li>Added <code>FileField</code> and <code>ImageField</code>. For use with <code>MultiPartParser</code>.</li>
<li>Added <code>URLField</code> and <code>SlugField</code>.</li>
<li>Support for <code>read_only_fields</code> on <code>ModelSerializer</code> classes.</li>
<li>Support for clients overriding the pagination page sizes. Use the <code>PAGINATE_BY_PARAM</code> setting or set the <code>paginate_by_param</code> attribute on a generic view.</li>
<li>201 Responses now return a 'Location' header.</li>
<li>Bugfix: Serializer fields now respect <code>max_length</code>.</li>
</ul>
<h3id="212">2.1.2</h3>
<p><strong>Date</strong>: 9th Nov 2012</p>
<ul>
<li><strong>Filtering support.</strong></li>
<li>Bugfix: Support creation of objects with reverse M2M relations.</li>
</ul>
<h3id="211">2.1.1</h3>
<p><strong>Date</strong>: 7th Nov 2012</p>
<ul>
<li>Support use of HTML exception templates. Eg. <code>403.html</code></li>
<li>Hyperlinked fields take optional <code>slug_field</code>, <code>slug_url_kwarg</code> and <code>pk_url_kwarg</code> arguments.</li>
<li>Bugfix: Deal with optional trailing slashes properly when generating breadcrumbs.</li>
<li>Bugfix: Make textareas same width as other fields in browsable API.</li>
<li>Private API change: <code>.get_serializer</code> now uses same <code>instance</code> and <code>data</code> ordering as serializer initialization.</li>
</ul>
<h3id="210">2.1.0</h3>
<p><strong>Date</strong>: 5th Nov 2012</p>
<ul>
<li><strong>Serializer <code>instance</code> and <code>data</code> keyword args have their position swapped.</strong></li>
<li><code>queryset</code> argument is now optional on writable model fields.</li>
<li>Hyperlinked related fields optionally take <code>slug_field</code> and <code>slug_url_kwarg</code> arguments.</li>
<li>Support Django's cache framework.</li>
<li>Minor field improvements. (Don't stringify dicts, more robust many-pk fields.)</li>
<li>Bugfix: Support choice field in Browsable API.</li>
<li>Bugfix: Related fields with <code>read_only=True</code> do not require a <code>queryset</code> argument.</li>
</ul>
<p><strong>API-incompatible changes</strong>: Please read <ahref="https://groups.google.com/d/topic/django-rest-framework/Vv2M0CMY9bg/discussion">this thread</a> regarding the <code>instance</code> and <code>data</code> keyword args before updating to 2.1.0.</p>
<hr/>
<h2id="20x-series">2.0.x series</h2>
<h3id="202">2.0.2</h3>
<p><strong>Date</strong>: 2nd Nov 2012</p>
<ul>
<li>Fix issues with pk related fields in the browsable API.</li>
</ul>
<h3id="201">2.0.1</h3>
<p><strong>Date</strong>: 1st Nov 2012</p>
<ul>
<li>Add support for relational fields in the browsable API.</li>
<li>Added SlugRelatedField and ManySlugRelatedField.</li>
<li>If PUT creates an instance return '201 Created', instead of '200 OK'.</li>
</ul>
<h3id="200">2.0.0</h3>
<p><strong>Date</strong>: 30th Oct 2012</p>
<ul>
<li><strong>Fix all of the things.</strong> (Well, almost.)</li>
