diff --git a/.travis.yml b/.travis.yml index 0dc878373..205feef92 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,16 +3,34 @@ language: python python: - "2.6" - "2.7" + - "3.2" + - "3.3" env: - - DJANGO=https://github.com/django/django/zipball/master - - DJANGO=django==1.4.3 --use-mirrors - - DJANGO=django==1.3.5 --use-mirrors + - DJANGO="django==1.5 --use-mirrors" + - DJANGO="django==1.4.3 --use-mirrors" + - DJANGO="django==1.3.5 --use-mirrors" install: - pip install $DJANGO - - pip install django-filter==0.5.4 --use-mirrors + - pip install defusedxml==0.3 + - "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install oauth2==1.5.211 --use-mirrors; fi" + - "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install django-oauth-plus==2.0 --use-mirrors; fi" + - "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install django-oauth2-provider==0.2.3 --use-mirrors; fi" + - "if [[ ${DJANGO::11} == 'django==1.3' ]]; then pip install django-filter==0.5.4 --use-mirrors; fi" + - "if [[ ${DJANGO::11} != 'django==1.3' ]]; then pip install django-filter==0.6a1 --use-mirrors; fi" - export PYTHONPATH=. script: - python rest_framework/runtests/runtests.py + +matrix: + exclude: + - python: "3.2" + env: DJANGO="django==1.4.3 --use-mirrors" + - python: "3.2" + env: DJANGO="django==1.3.5 --use-mirrors" + - python: "3.3" + env: DJANGO="django==1.4.3 --use-mirrors" + - python: "3.3" + env: DJANGO="django==1.3.5 --use-mirrors" diff --git a/MANIFEST.in b/MANIFEST.in index 00e450866..15c4d0b08 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -1,2 +1,2 @@ recursive-include rest_framework/static *.js *.css *.png -recursive-include rest_framework/templates *.txt *.html +recursive-include rest_framework/templates *.html diff --git a/README.md b/README.md index a70201661..c76db7ecc 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ **Author:** Tom Christie. [Follow me on Twitter][twitter]. -**Support:** [REST framework discussion group][group]. +**Support:** [REST framework group][group], or `#restframework` on freenode IRC. [![build-status-image]][travis] @@ -12,8 +12,6 @@ **Full documentation for REST framework is available on [http://django-rest-framework.org][docs].** -Note that this is the 2.0 version of REST framework. If you are looking for earlier versions please see the [0.4.x branch][0.4] on GitHub. - --- # Overview @@ -28,14 +26,15 @@ There is also a sandbox API you can use for testing purposes, [available here][s # Requirements -* Python (2.6, 2.7) +* Python (2.6.5+, 2.7, 3.2, 3.3) * Django (1.3, 1.4, 1.5) **Optional:** -* [Markdown] - Markdown support for the self describing API. -* [PyYAML] - YAML content type support. -* [django-filter] - Filtering support. +* [Markdown][markdown] - Markdown support for the self describing API. +* [PyYAML][pyyaml] - YAML content type support. +* [defusedxml][defusedxml] - XML content-type support. +* [django-filter][django-filter] - Filtering support. # Installation @@ -44,6 +43,7 @@ Install using `pip`, including any optional packages you want... pip install djangorestframework pip install markdown # Markdown support for the browseable API. pip install pyyaml # YAML content-type support. + pip install defusedxml # XML content-type support. pip install django-filter # Filtering support ...or clone the project from github. @@ -79,182 +79,9 @@ To run the tests. ./rest_framework/runtests/runtests.py -# Changelog +To run the tests against all supported configurations, first install [the tox testing tool][tox] globally, using `pip install tox`, then simply run `tox`: -### 2.1.16 - -**Date**: 14th Jan 2013 - -* Deprecate django.utils.simplejson in favor of Python 2.6's built-in json module. -* Bugfix: `auto_now`, `auto_now_add` and other `editable=False` fields now default to read-only. -* Bugfix: PK fields now only default to read-only if they are an AutoField or if `editable=False`. -* Bugfix: Validation errors instead of exceptions when serializers receive incorrect types. -* Bugfix: Validation errors instead of exceptions when related fields receive incorrect types. -* Bugfix: Handle ObjectDoesNotExist exception when serializing null reverse one-to-one - -### 2.1.15 - -**Date**: 3rd Jan 2013 - -* Added `PATCH` support. -* Added `RetrieveUpdateAPIView`. -* Relation changes are now persisted in `.save` instead of in `.restore_object`. -* Remove unused internal `save_m2m` flag on `ModelSerializer.save()`. -* Tweak behavior of hyperlinked fields with an explicit format suffix. -* Bugfix: Fix issue with FileField raising exception instead of validation error when files=None. -* Bugfix: Partial updates should not set default values if field is not included. - -### 2.1.14 - -**Date**: 31st Dec 2012 - -* Bugfix: ModelSerializers now include reverse FK fields on creation. -* Bugfix: Model fields with `blank=True` are now `required=False` by default. -* Bugfix: Nested serializers now support nullable relationships. - -**Note**: From 2.1.14 onwards, relational fields move out of the `fields.py` module and into the new `relations.py` module, in order to seperate them from regular data type fields, such as `CharField` and `IntegerField`. - -This change will not affect user code, so long as it's following the recommended import style of `from rest_framework import serializers` and refering to fields using the style `serializers.PrimaryKeyRelatedField`. - -### 2.1.13 - -**Date**: 28th Dec 2012 - -* Support configurable `STATICFILES_STORAGE` storage. -* Bugfix: Related fields now respect the required flag, and may be required=False. - -### 2.1.12 - -**Date**: 21st Dec 2012 - -* Bugfix: Fix bug that could occur using ChoiceField. -* Bugfix: Fix exception in browseable API on DELETE. -* Bugfix: Fix issue where pk was was being set to a string if set by URL kwarg. - -## 2.1.11 - -**Date**: 17th Dec 2012 - -* Bugfix: Fix issue with M2M fields in browseable API. - -## 2.1.10 - -**Date**: 17th Dec 2012 - -* Bugfix: Ensure read-only fields don't have model validation applied. -* Bugfix: Fix hyperlinked fields in paginated results. - -## 2.1.9 - -**Date**: 11th Dec 2012 - -* Bugfix: Fix broken nested serialization. -* Bugfix: Fix `Meta.fields` only working as tuple not as list. -* Bugfix: Edge case if unnecessarily specifying `required=False` on read only field. - -## 2.1.8 - -**Date**: 8th Dec 2012 - -* Fix for creating nullable Foreign Keys with `''` as well as `None`. -* Added `null=` related field option. - -## 2.1.7 - -**Date**: 7th Dec 2012 - -* Serializers now properly support nullable Foreign Keys. -* Serializer validation now includes model field validation, such as uniqueness constraints. -* Support 'true' and 'false' string values for BooleanField. -* Added pickle support for serialized data. -* Support `source='dotted.notation'` style for nested serializers. -* Make `Request.user` settable. -* Bugfix: Fix `RegexField` to work with `BrowsableAPIRenderer` - -## 2.1.6 - -**Date**: 23rd Nov 2012 - -* Bugfix: Unfix DjangoModelPermissions. (I am a doofus.) - -## 2.1.5 - -**Date**: 23rd Nov 2012 - -* Bugfix: Fix DjangoModelPermissions. - -## 2.1.4 - -**Date**: 22nd Nov 2012 - -* Support for partial updates with serializers. -* Added `RegexField`. -* Added `SerializerMethodField`. -* Serializer performance improvements. -* Added `obtain_token_view` to get tokens when using `TokenAuthentication`. -* Bugfix: Django 1.5 configurable user support for `TokenAuthentication`. - -## 2.1.3 - -**Date**: 16th Nov 2012 - -* Added `FileField` and `ImageField`. For use with `MultiPartParser`. -* Added `URLField` and `SlugField`. -* Support for `read_only_fields` on `ModelSerializer` classes. -* Support for clients overriding the pagination page sizes. Use the `PAGINATE_BY_PARAM` setting or set the `paginate_by_param` attribute on a generic view. -* 201 Responses now return a 'Location' header. -* Bugfix: Serializer fields now respect `max_length`. - -## 2.1.2 - -**Date**: 9th Nov 2012 - -* **Filtering support.** -* Bugfix: Support creation of objects with reverse M2M relations. - -## 2.1.1 - -**Date**: 7th Nov 2012 - -* Support use of HTML exception templates. Eg. `403.html` -* Hyperlinked fields take optional `slug_field`, `slug_url_kwarg` and `pk_url_kwarg` arguments. -* Bugfix: Deal with optional trailing slashs properly when generating breadcrumbs. -* Bugfix: Make textareas same width as other fields in browsable API. -* Private API change: `.get_serializer` now uses same `instance` and `data` ordering as serializer initialization. - -## 2.1.0 - -**Date**: 5th Nov 2012 - -**Warning**: Please read [this thread][2.1.0-notes] regarding the `instance` and `data` keyword args before updating to 2.1.0. - -* **Serializer `instance` and `data` keyword args have their position swapped.** -* `queryset` argument is now optional on writable model fields. -* Hyperlinked related fields optionally take `slug_field` and `slug_field_kwarg` arguments. -* Support Django's cache framework. -* Minor field improvements. (Don't stringify dicts, more robust many-pk fields.) -* Bugfixes (Support choice field in Browseable API) - -## 2.0.2 - -**Date**: 2nd Nov 2012 - -* Fix issues with pk related fields in the browsable API. - -## 2.0.1 - -**Date**: 1st Nov 2012 - -* Add support for relational fields in the browsable API. -* Added SlugRelatedField and ManySlugRelatedField. -* If PUT creates an instance return '201 Created', instead of '200 OK'. - -## 2.0.0 - -**Date**: 30th Oct 2012 - -* Redesign of core components. -* Fix **all of the things**. + tox # License @@ -290,9 +117,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. [rest-framework-2-announcement]: http://django-rest-framework.org/topics/rest-framework-2-announcement.html [2.1.0-notes]: https://groups.google.com/d/topic/django-rest-framework/Vv2M0CMY9bg/discussion +[tox]: http://testrun.org/tox/latest/ + [docs]: http://django-rest-framework.org/ [urlobject]: https://github.com/zacharyvoase/urlobject [markdown]: http://pypi.python.org/pypi/Markdown/ [pyyaml]: http://pypi.python.org/pypi/PyYAML +[defusedxml]: https://pypi.python.org/pypi/defusedxml [django-filter]: http://pypi.python.org/pypi/django-filter - diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md index afd9a2619..541c65756 100644 --- a/docs/api-guide/authentication.md +++ b/docs/api-guide/authentication.md @@ -8,25 +8,33 @@ Authentication is the mechanism of associating an incoming request with a set of identifying credentials, such as the user the request came from, or the token that it was signed with. The [permission] and [throttling] policies can then use those credentials to determine if the request should be permitted. -REST framework provides a number of authentication policies out of the box, and also allows you to implement custom policies. +REST framework provides a number of authentication schemes out of the box, and also allows you to implement custom schemes. -Authentication will run the first time either the `request.user` or `request.auth` properties are accessed, and determines how those properties are initialized. +Authentication is always run at the very start of the view, before the permission and throttling checks occur, and before any other code is allowed to proceed. The `request.user` property will typically be set to an instance of the `contrib.auth` package's `User` class. The `request.auth` property is used for any additional authentication information, for example, it may be used to represent an authentication token that the request was signed with. +--- + +**Note:** Don't forget that **authentication by itself won't allow or disallow an incoming request**, it simply identifies the credentials that the request was made with. + +For information on how to setup the permission polices for your API please see the [permissions documentation][permission]. + +--- + ## How authentication is determined -The authentication policy is always defined as a list of classes. REST framework will attempt to authenticate with each class in the list, and will set `request.user` and `request.auth` using the return value of the first class that successfully authenticates. +The authentication schemes are always defined as a list of classes. REST framework will attempt to authenticate with each class in the list, and will set `request.user` and `request.auth` using the return value of the first class that successfully authenticates. If no class authenticates, `request.user` will be set to an instance of `django.contrib.auth.models.AnonymousUser`, and `request.auth` will be set to `None`. The value of `request.user` and `request.auth` for unauthenticated requests can be modified using the `UNAUTHENTICATED_USER` and `UNAUTHENTICATED_TOKEN` settings. -## Setting the authentication policy +## Setting the authentication scheme -The default authentication policy may be set globally, using the `DEFAULT_AUTHENTICATION_CLASSES` setting. For example. +The default authentication schemes may be set globally, using the `DEFAULT_AUTHENTICATION` setting. For example. REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': ( @@ -35,7 +43,7 @@ The default authentication policy may be set globally, using the `DEFAULT_AUTHEN ) } -You can also set the authentication policy on a per-view basis, using the `APIView` class based views. +You can also set the authentication scheme on a per-view basis, using the `APIView` class based views. class ExampleView(APIView): authentication_classes = (SessionAuthentication, BasicAuthentication) @@ -60,24 +68,57 @@ Or, if you're using the `@api_view` decorator with function based views. } return Response(content) +## Unauthorized and Forbidden responses + +When an unauthenticated request is denied permission there are two different error codes that may be appropriate. + +* [HTTP 401 Unauthorized][http401] +* [HTTP 403 Permission Denied][http403] + +HTTP 401 responses must always include a `WWW-Authenticate` header, that instructs the client how to authenticate. HTTP 403 responses do not include the `WWW-Authenticate` header. + +The kind of response that will be used depends on the authentication scheme. Although multiple authentication schemes may be in use, only one scheme may be used to determine the type of response. **The first authentication class set on the view is used when determining the type of response**. + +Note that when a request may successfully authenticate, but still be denied permission to perform the request, in which case a `403 Permission Denied` response will always be used, regardless of the authentication scheme. + +## Apache mod_wsgi specific configuration + +Note that if deploying to [Apache using mod_wsgi][mod_wsgi_official], the authorization header is not passed through to a WSGI application by default, as it is assumed that authentication will be handled by Apache, rather than at an application level. + +If you are deploying to Apache, and using any non-session based authentication, you will need to explicitly configure mod_wsgi to pass the required headers through to the application. This can be done by specifying the `WSGIPassAuthorization` directive in the appropriate context and setting it to `'On'`. + + # this can go in either server config, virtual host, directory or .htaccess + WSGIPassAuthorization On + +--- + # API Reference ## BasicAuthentication -This policy uses [HTTP Basic Authentication][basicauth], signed against a user's username and password. Basic authentication is generally only appropriate for testing. +This authentication scheme uses [HTTP Basic Authentication][basicauth], signed against a user's username and password. Basic authentication is generally only appropriate for testing. If successfully authenticated, `BasicAuthentication` provides the following credentials. * `request.user` will be a Django `User` instance. * `request.auth` will be `None`. +Unauthenticated responses that are denied permission will result in an `HTTP 401 Unauthorized` response with an appropriate WWW-Authenticate header. For example: + + WWW-Authenticate: Basic realm="api" + **Note:** If you use `BasicAuthentication` in production you must ensure that your API is only available over `https` only. You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage. ## TokenAuthentication -This policy uses a simple token-based HTTP Authentication scheme. Token authentication is appropriate for client-server setups, such as native desktop and mobile clients. +This authentication scheme uses a simple token-based HTTP Authentication scheme. Token authentication is appropriate for client-server setups, such as native desktop and mobile clients. -To use the `TokenAuthentication` policy, include `rest_framework.authtoken` in your `INSTALLED_APPS` setting. +To use the `TokenAuthentication` scheme, include `rest_framework.authtoken` in your `INSTALLED_APPS` setting: + + INSTALLED_APPS = ( + ... + 'rest_framework.authtoken' + ) You'll also need to create tokens for your users. @@ -93,10 +134,20 @@ For clients to authenticate, the token key should be included in the `Authorizat If successfully authenticated, `TokenAuthentication` provides the following credentials. * `request.user` will be a Django `User` instance. -* `request.auth` will be a `rest_framework.tokenauth.models.BasicToken` instance. +* `request.auth` will be a `rest_framework.authtoken.models.BasicToken` instance. + +Unauthenticated responses that are denied permission will result in an `HTTP 401 Unauthorized` response with an appropriate WWW-Authenticate header. For example: + + WWW-Authenticate: Token + +--- **Note:** If you use `TokenAuthentication` in production you must ensure that your API is only available over `https` only. +--- + +#### Generating Tokens + If you want every user to have an automatically generated Token, you can simply catch the User's `post_save` signal. @receiver(post_save, sender=User) @@ -112,8 +163,7 @@ If you've already created some users, you can generate tokens for all existing u for user in User.objects.all(): Token.objects.get_or_create(user=user) -When using `TokenAuthentication`, you may want to provide a mechanism for clients to obtain a token given the username and password. -REST framework provides a built-in view to provide this behavior. To use it, add the `obtain_auth_token` view to your URLconf: +When using `TokenAuthentication`, you may want to provide a mechanism for clients to obtain a token given the username and password. REST framework provides a built-in view to provide this behavior. To use it, add the `obtain_auth_token` view to your URLconf: urlpatterns += patterns('', url(r'^api-token-auth/', 'rest_framework.authtoken.views.obtain_auth_token') @@ -125,24 +175,186 @@ The `obtain_auth_token` view will return a JSON response when valid `username` a { 'token' : '9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' } +Note that the default `obtain_auth_token` view explicitly uses JSON requests and responses, rather than using default renderer and parser classes in your settings. If you need a customized version of the `obtain_auth_token` view, you can do so by overriding the `ObtainAuthToken` view class, and using that in your url conf instead. + +#### Custom user models + +The `rest_framework.authtoken` app includes a south migration that will create the authtoken table. If you're using a [custom user model][custom-user-model] you'll need to make sure that any initial migration that creates the user table runs before the authtoken table is created. + +You can do so by inserting a `needed_by` attribute in your user migration: + + class Migration: + + needed_by = ( + ('authtoken', '0001_initial'), + ) + + def forwards(self): + ... + +For more details, see the [south documentation on dependencies][south-dependencies]. + ## SessionAuthentication -This policy uses Django's default session backend for authentication. Session authentication is appropriate for AJAX clients that are running in the same session context as your website. +This authentication scheme uses Django's default session backend for authentication. Session authentication is appropriate for AJAX clients that are running in the same session context as your website. If successfully authenticated, `SessionAuthentication` provides the following credentials. * `request.user` will be a Django `User` instance. * `request.auth` will be `None`. -If you're using an AJAX style API with SessionAuthentication, you'll need to make sure you include a valid CSRF token for any "unsafe" HTTP method calls, such as `PUT`, `POST` or `DELETE` requests. See the [Django CSRF documentation][csrf-ajax] for more details. +Unauthenticated responses that are denied permission will result in an `HTTP 403 Forbidden` response. + +If you're using an AJAX style API with SessionAuthentication, you'll need to make sure you include a valid CSRF token for any "unsafe" HTTP method calls, such as `PUT`, `PATCH`, `POST` or `DELETE` requests. See the [Django CSRF documentation][csrf-ajax] for more details. + +## OAuthAuthentication + +This authentication uses [OAuth 1.0a][oauth-1.0a] authentication scheme. OAuth 1.0a provides signature validation which provides a reasonable level of security over plain non-HTTPS connections. However, it may also be considered more complicated than OAuth2, as it requires clients to sign their requests. + +This authentication class depends on the optional `django-oauth-plus` and `oauth2` packages. In order to make it work you must install these packages and add `oauth_provider` to your `INSTALLED_APPS`: + + INSTALLED_APPS = ( + ... + `oauth_provider`, + ) + +Don't forget to run `syncdb` once you've added the package. + + python manage.py syncdb + +#### Getting started with django-oauth-plus + +The OAuthAuthentication class only provides token verification and signature validation for requests. It doesn't provide authorization flow for your clients. You still need to implement your own views for accessing and authorizing tokens. + +The `django-oauth-plus` package provides simple foundation for classic 'three-legged' oauth flow. Please refer to [the documentation][django-oauth-plus] for more details. + +## OAuth2Authentication + +This authentication uses [OAuth 2.0][rfc6749] authentication scheme. OAuth2 is more simple to work with than OAuth1, and provides much better security than simple token authentication. It is an unauthenticated scheme, and requires you to use an HTTPS connection. + +This authentication class depends on the optional [django-oauth2-provider][django-oauth2-provider] project. In order to make it work you must install this package and add `provider` and `provider.oauth2` to your `INSTALLED_APPS`: + + INSTALLED_APPS = ( + ... + 'provider', + 'provider.oauth2', + ) + +You must also include the following in your root `urls.py` module: + + url(r'^oauth2/', include('provider.oauth2.urls', namespace='oauth2')), + +Note that the `namespace='oauth2'` argument is required. + +Finally, sync your database. + + python manage.py syncdb + python manage.py migrate + +--- + +**Note:** If you use `OAuth2Authentication` in production you must ensure that your API is only available over `https` only. + +--- + +#### Getting started with django-oauth2-provider + +The `OAuth2Authentication` class only provides token verification for requests. It doesn't provide authorization flow for your clients. + +The OAuth 2 authorization flow is taken care by the [django-oauth2-provider][django-oauth2-provider] dependency. A walkthrough is given here, but for more details you should refer to [the documentation][django-oauth2-provider-docs]. + +To get started: + +##### 1. Create a client + +You can create a client, either through the shell, or by using the Django admin. + +Go to the admin panel and create a new `Provider.Client` entry. It will create the `client_id` and `client_secret` properties for you. + +##### 2. Request an access token + +To request an access token, submit a `POST` request to the url `/oauth2/access_token` with the following fields: + +* `client_id` the client id you've just configured at the previous step. +* `client_secret` again configured at the previous step. +* `username` the username with which you want to log in. +* `password` well, that speaks for itself. + +You can use the command line to test that your local configuration is working: + + curl -X POST -d "client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=password&username=YOUR_USERNAME&password=YOUR_PASSWORD" http://localhost:8000/oauth2/access_token/ + +You should get a response that looks something like this: + + {"access_token": "", "scope": "read", "expires_in": 86399, "refresh_token": ""} + +##### 3. Access the API + +The only thing needed to make the `OAuth2Authentication` class work is to insert the `access_token` you've received in the `Authorization` request header. + +The command line to test the authentication looks like: + + curl -H "Authorization: Bearer " http://localhost:8000/api/?client_id=YOUR_CLIENT_ID\&client_secret=YOUR_CLIENT_SECRET + +--- # Custom authentication -To implement a custom authentication policy, subclass `BaseAuthentication` and override the `.authenticate(self, request)` method. The method should return a two-tuple of `(user, auth)` if authentication succeeds, or `None` otherwise. +To implement a custom authentication scheme, subclass `BaseAuthentication` and override the `.authenticate(self, request)` method. The method should return a two-tuple of `(user, auth)` if authentication succeeds, or `None` otherwise. + +In some circumstances instead of returning `None`, you may want to raise an `AuthenticationFailed` exception from the `.authenticate()` method. + +Typically the approach you should take is: + +* If authentication is not attempted, return `None`. Any other authentication schemes also in use will still be checked. +* If authentication is attempted but fails, raise a `AuthenticationFailed` exception. An error response will be returned immediately, regardless of any permissions checks, and without checking any other authentication schemes. + +You *may* also override the `.authenticate_header(self, request)` method. If implemented, it should return a string that will be used as the value of the `WWW-Authenticate` header in a `HTTP 401 Unauthorized` response. + +If the `.authenticate_header()` method is not overridden, the authentication scheme will return `HTTP 403 Forbidden` responses when an unauthenticated request is denied access. + +## Example + +The following example will authenticate any incoming request as the user given by the username in a custom request header named 'X_USERNAME'. + + class ExampleAuthentication(authentication.BaseAuthentication): + def authenticate(self, request): + username = request.META.get('X_USERNAME') + if not username: + return None + + try: + user = User.objects.get(username=username) + except User.DoesNotExist: + raise authenticate.AuthenticationFailed('No such user') + + return (user, None) + +--- + +# Third party packages + +The following third party packages are also available. + +## Digest Authentication + +HTTP digest authentication is a widely implemented scheme that was intended to replace HTTP basic authentication, and which provides a simple encrypted authentication mechanism. [Juan Riaza][juanriaza] maintains the [djangorestframework-digestauth][djangorestframework-digestauth] package which provides HTTP digest authentication support for REST framework. [cite]: http://jacobian.org/writing/rest-worst-practices/ +[http401]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2 +[http403]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4 [basicauth]: http://tools.ietf.org/html/rfc2617 [oauth]: http://oauth.net/2/ [permission]: permissions.md [throttling]: throttling.md [csrf-ajax]: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax +[mod_wsgi_official]: http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIPassAuthorization +[custom-user-model]: https://docs.djangoproject.com/en/dev/topics/auth/customizing/#specifying-a-custom-user-model +[south-dependencies]: http://south.readthedocs.org/en/latest/dependencies.html +[juanriaza]: https://github.com/juanriaza +[djangorestframework-digestauth]: https://github.com/juanriaza/django-rest-framework-digestauth +[oauth-1.0a]: http://oauth.net/core/1.0a +[django-oauth-plus]: http://code.larlet.fr/django-oauth-plus +[django-oauth2-provider]: https://github.com/caffeinehit/django-oauth2-provider +[django-oauth2-provider-docs]: https://django-oauth2-provider.readthedocs.org/en/latest/ +[rfc6749]: http://tools.ietf.org/html/rfc6749 diff --git a/docs/api-guide/exceptions.md b/docs/api-guide/exceptions.md index ba57fde87..8b3e50f1e 100644 --- a/docs/api-guide/exceptions.md +++ b/docs/api-guide/exceptions.md @@ -53,11 +53,27 @@ Raised if the request contains malformed data when accessing `request.DATA` or ` By default this exception results in a response with the HTTP status code "400 Bad Request". +## AuthenticationFailed + +**Signature:** `AuthenticationFailed(detail=None)` + +Raised when an incoming request includes incorrect authentication. + +By default this exception results in a response with the HTTP status code "401 Unauthenticated", but it may also result in a "403 Forbidden" response, depending on the authentication scheme in use. See the [authentication documentation][authentication] for more details. + +## NotAuthenticated + +**Signature:** `NotAuthenticated(detail=None)` + +Raised when an unauthenticated request fails the permission checks. + +By default this exception results in a response with the HTTP status code "401 Unauthenticated", but it may also result in a "403 Forbidden" response, depending on the authentication scheme in use. See the [authentication documentation][authentication] for more details. + ## PermissionDenied **Signature:** `PermissionDenied(detail=None)` -Raised when an incoming request fails the permission checks. +Raised when an authenticated request fails the permission checks. By default this exception results in a response with the HTTP status code "403 Forbidden". @@ -86,3 +102,4 @@ Raised when an incoming request fails the throttling checks. By default this exception results in a response with the HTTP status code "429 Too Many Requests". [cite]: http://www.doughellmann.com/articles/how-tos/python-exception-handling/index.html +[authentication]: authentication.md diff --git a/docs/api-guide/fields.md b/docs/api-guide/fields.md index 5bc8f7f7c..9a745cf19 100644 --- a/docs/api-guide/fields.md +++ b/docs/api-guide/fields.md @@ -2,7 +2,7 @@ # Serializer fields -> Each field in a Form class is responsible not only for validating data, but also for "cleaning" it -- normalizing it to a consistent format. +> Each field in a Form class is responsible not only for validating data, but also for "cleaning" it — normalizing it to a consistent format. > > — [Django documentation][cite] @@ -102,7 +102,7 @@ You can customize this behavior by overriding the `.to_native(self, value)` met ## WritableField -A field that supports both read and write operations. By itself `WriteableField` does not perform any translation of input values into a given type. You won't typically use this field directly, but you may want to override it and implement the `.to_native(self, value)` and `.from_native(self, value)` methods. +A field that supports both read and write operations. By itself `WritableField` does not perform any translation of input values into a given type. You won't typically use this field directly, but you may want to override it and implement the `.to_native(self, value)` and `.from_native(self, value)` methods. ## ModelField @@ -181,17 +181,56 @@ Corresponds to `django.forms.fields.RegexField` **Signature:** `RegexField(regex, max_length=None, min_length=None)` +## DateTimeField + +A date and time representation. + +Corresponds to `django.db.models.fields.DateTimeField` + +When using `ModelSerializer` or `HyperlinkedModelSerializer`, note that any model fields with `auto_now=True` or `auto_now_add=True` will use serializer fields that are `read_only=True` by default. + +If you want to override this behavior, you'll need to declare the `DateTimeField` explicitly on the serializer. For example: + + class CommentSerializer(serializers.ModelSerializer): + created = serializers.DateTimeField() + + class Meta: + model = Comment + +**Signature:** `DateTimeField(format=None, input_formats=None)` + +* `format` - A string representing the output format. If not specified, the `DATETIME_FORMAT` setting will be used, which defaults to `'iso-8601'`. +* `input_formats` - A list of strings representing the input formats which may be used to parse the date. If not specified, the `DATETIME_INPUT_FORMATS` setting will be used, which defaults to `['iso-8601']`. + +DateTime format strings may either be [python strftime formats][strftime] which explicitly specifiy the format, or the special string `'iso-8601'`, which indicates that [ISO 8601][iso8601] style datetimes should be used. (eg `'2013-01-29T12:34:56.000000'`) + ## DateField A date representation. Corresponds to `django.db.models.fields.DateField` -## DateTimeField +**Signature:** `DateField(format=None, input_formats=None)` -A date and time representation. +* `format` - A string representing the output format. If not specified, the `DATE_FORMAT` setting will be used, which defaults to `'iso-8601'`. +* `input_formats` - A list of strings representing the input formats which may be used to parse the date. If not specified, the `DATE_INPUT_FORMATS` setting will be used, which defaults to `['iso-8601']`. -Corresponds to `django.db.models.fields.DateTimeField` +Date format strings may either be [python strftime formats][strftime] which explicitly specifiy the format, or the special string `'iso-8601'`, which indicates that [ISO 8601][iso8601] style dates should be used. (eg `'2013-01-29'`) + +## TimeField + +A time representation. + +Optionally takes `format` as parameter to replace the matching pattern. + +Corresponds to `django.db.models.fields.TimeField` + +**Signature:** `TimeField(format=None, input_formats=None)` + +* `format` - A string representing the output format. If not specified, the `TIME_FORMAT` setting will be used, which defaults to `'iso-8601'`. +* `input_formats` - A list of strings representing the input formats which may be used to parse the date. If not specified, the `TIME_INPUT_FORMATS` setting will be used, which defaults to `['iso-8601']`. + +Time format strings may either be [python strftime formats][strftime] which explicitly specifiy the format, or the special string `'iso-8601'`, which indicates that [ISO 8601][iso8601] style times should be used. (eg `'12:34:56.000000'`) ## IntegerField @@ -230,7 +269,11 @@ Signature and validation is the same as with `FileField`. --- **Note:** `FileFields` and `ImageFields` are only suitable for use with MultiPartParser, since e.g. json doesn't support file uploads. -Django's regular [FILE_UPLOAD_HANDLERS] are used for handling uploaded files. +Django's regular [FILE_UPLOAD_HANDLERS] are used for handling uploaded files. + +--- [cite]: https://docs.djangoproject.com/en/dev/ref/forms/api/#django.forms.Form.cleaned_data [FILE_UPLOAD_HANDLERS]: https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-FILE_UPLOAD_HANDLERS +[strftime]: http://docs.python.org/2/library/datetime.html#strftime-and-strptime-behavior +[iso8601]: http://www.w3.org/TR/NOTE-datetime diff --git a/docs/api-guide/filtering.md b/docs/api-guide/filtering.md index 53ea7cbcc..ed9463681 100644 --- a/docs/api-guide/filtering.md +++ b/docs/api-guide/filtering.md @@ -140,6 +140,14 @@ For more details on using filter sets see the [django-filter documentation][djan --- +### Filtering and object lookups + +Note that if a filter backend is configured for a view, then as well as being used to filter list views, it will also be used to filter the querysets used for returning a single object. + +For instance, given the previous example, and a product with an id of `4675`, the following URL would either return the corresponding object, or return a 404 response, depending on if the filtering conditions were met by the given product instance: + + http://example.com/api/products/4675/?category=clothing&max_price=10.00 + ## Overriding the initial queryset Note that you can use both an overridden `.get_queryset()` and generic filtering together, and everything will work as expected. For example, if `Product` had a many-to-many relationship with `User`, named `purchase`, you might want to write a view like this: diff --git a/docs/api-guide/format-suffixes.md b/docs/api-guide/format-suffixes.md index 6d5feba42..dae3dea37 100644 --- a/docs/api-guide/format-suffixes.md +++ b/docs/api-guide/format-suffixes.md @@ -29,18 +29,27 @@ Example: urlpatterns = patterns('blog.views', url(r'^/$', 'api_root'), - url(r'^comment/$', 'comment_root'), - url(r'^comment/(?P[0-9]+)/$', 'comment_instance') + url(r'^comments/$', 'comment_list'), + url(r'^comments/(?P[0-9]+)/$', 'comment_detail') ) urlpatterns = format_suffix_patterns(urlpatterns, allowed=['json', 'html']) -When using `format_suffix_patterns`, you must make sure to add the `'format'` keyword argument to the corresponding views. For example. +When using `format_suffix_patterns`, you must make sure to add the `'format'` keyword argument to the corresponding views. For example: - @api_view(('GET',)) - def api_root(request, format=None): + @api_view(('GET', 'POST')) + def comment_list(request, format=None): # do stuff... +Or with class based views: + + class CommentList(APIView): + def get(self, request, format=None): + # do stuff... + + def post(self, request, format=None): + # do stuff... + The name of the kwarg used may be modified by using the `FORMAT_SUFFIX_KWARG` setting. Also note that `format_suffix_patterns` does not support descending into `include` URL patterns. @@ -58,4 +67,4 @@ It is actually a misconception. For example, take the following quote from Roy The quote does not mention Accept headers, but it does make it clear that format suffixes should be considered an acceptable pattern. [cite]: http://tech.groups.yahoo.com/group/rest-discuss/message/5857 -[cite2]: http://tech.groups.yahoo.com/group/rest-discuss/message/14844 \ No newline at end of file +[cite2]: http://tech.groups.yahoo.com/group/rest-discuss/message/14844 diff --git a/docs/api-guide/generic-views.md b/docs/api-guide/generic-views.md index 693e210d6..20f1be63a 100644 --- a/docs/api-guide/generic-views.md +++ b/docs/api-guide/generic-views.md @@ -131,6 +131,15 @@ Each of the generic views provided is built by combining one of the base views b Extends REST framework's `APIView` class, adding support for serialization of model instances and model querysets. +**Methods**: + +* `get_serializer_context(self)` - Returns a dictionary containing any extra context that should be supplied to the serializer. Defaults to including `'request'`, `'view'` and `'format'` keys. +* `get_serializer_class(self)` - Returns the class that should be used for the serializer. +* `get_serializer(self, instance=None, data=None, files=None, many=False, partial=False)` - Returns a serializer instance. +* `pre_save(self, obj)` - A hook that is called before saving an object. +* `post_save(self, obj, created=False)` - A hook that is called after saving an object. + + **Attributes**: * `model` - The model that should be used for this view. Used as a fallback for determining the serializer if `serializer_class` is not set, and as a fallback for determining the queryset if `queryset` is not set. Otherwise not required. diff --git a/docs/api-guide/pagination.md b/docs/api-guide/pagination.md index 71253afb0..13d4760a3 100644 --- a/docs/api-guide/pagination.md +++ b/docs/api-guide/pagination.md @@ -37,7 +37,7 @@ We could now return that data in a `Response` object, and it would be rendered i ## Paginating QuerySets -Our first example worked because we were using primative objects. If we wanted to paginate a queryset or other complex data, we'd need to specify a serializer to use to serialize the result set itself with. +Our first example worked because we were using primitive objects. If we wanted to paginate a queryset or other complex data, we'd need to specify a serializer to use to serialize the result set itself. We can do this using the `object_serializer_class` attribute on the inner `Meta` class of the pagination serializer. For example. @@ -114,8 +114,8 @@ You can also override the name used for the object list field, by setting the `r For example, to nest a pair of links labelled 'prev' and 'next', and set the name for the results field to 'objects', you might use something like this. class LinksSerializer(serializers.Serializer): - next = pagination.NextURLField(source='*') - prev = pagination.PreviousURLField(source='*') + next = pagination.NextPageField(source='*') + prev = pagination.PreviousPageField(source='*') class CustomPaginationSerializer(pagination.BasePaginationSerializer): links = LinksSerializer(source='*') # Takes the page object as the source diff --git a/docs/api-guide/parsers.md b/docs/api-guide/parsers.md index de9685578..a28304922 100644 --- a/docs/api-guide/parsers.md +++ b/docs/api-guide/parsers.md @@ -14,6 +14,16 @@ REST framework includes a number of built in Parser classes, that allow you to a The set of valid parsers for a view is always defined as a list of classes. When either `request.DATA` or `request.FILES` is accessed, REST framework will examine the `Content-Type` header on the incoming request, and determine which parser to use to parse the request content. +--- + +**Note**: When developing client applications always remember to make sure you're setting the `Content-Type` header when sending data in an HTTP request. + +If you don't set the content type, most clients will default to using `'application/x-www-form-urlencoded'`, which may not be what you wanted. + +As an example, if you are sending `json` encoded data using jQuery with the [.ajax() method][jquery-ajax], you should make sure to include the `contentType: 'application/json'` setting. + +--- + ## Setting the parsers The default set of parsers may be set globally, using the `DEFAULT_PARSER_CLASSES` setting. For example, the following settings would allow requests with `YAML` content. @@ -59,6 +69,8 @@ Parses `JSON` request content. Parses `YAML` request content. +Requires the `pyyaml` package to be installed. + **.media_type**: `application/yaml` ## XMLParser @@ -69,6 +81,8 @@ Note that the `XML` markup language is typically used as the base language for m If you are considering using `XML` for your API, you may want to consider implementing a custom renderer and parser for your specific requirements, and using an existing domain-specific media-type, or creating your own custom XML-based media-type. +Requires the `defusedxml` package to be installed. + **.media_type**: `application/xml` ## FormParser @@ -169,6 +183,7 @@ The following third party packages are also available. [MessagePack][messagepack] is a fast, efficient binary serialization format. [Juan Riaza][juanriaza] maintains the [djangorestframework-msgpack][djangorestframework-msgpack] package which provides MessagePack renderer and parser support for REST framework. +[jquery-ajax]: http://api.jquery.com/jQuery.ajax/ [cite]: https://groups.google.com/d/topic/django-developers/dxI4qVzrBY4/discussion [messagepack]: https://github.com/juanriaza/django-rest-framework-msgpack [juanriaza]: https://github.com/juanriaza diff --git a/docs/api-guide/permissions.md b/docs/api-guide/permissions.md index fce68f6db..4772c5e0d 100644 --- a/docs/api-guide/permissions.md +++ b/docs/api-guide/permissions.md @@ -90,29 +90,105 @@ This permission is suitable if you want to your API to allow read permissions to ## DjangoModelPermissions -This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. When applied to a view that has a `.model` property, authorization will only be granted if the user has the relevant model permissions assigned. +This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned. * `POST` requests require the user to have the `add` permission on the model. * `PUT` and `PATCH` requests require the user to have the `change` permission on the model. * `DELETE` requests require the user to have the `delete` permission on the model. +If you want to use `DjangoModelPermissions` but also allow unauthenticated users to have read permission, override the class and set the `authenticated_users_only` property to `False`. For example: + + class HasModelPermissionsOrReadOnly(DjangoModelPermissions): + authenticated_users_only = False + The default behaviour can also be overridden to support custom model permissions. For example, you might want to include a `view` model permission for `GET` requests. To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property. Refer to the source code for details. -The `DjangoModelPermissions` class also supports object-level permissions. Third-party authorization backends such as [django-guardian][guardian] that provide object-level permissions should work just fine with `DjangoModelPermissions` without any custom configuration required. +## TokenHasReadWriteScope + +This permission class is intended for use with either of the `OAuthAuthentication` and `OAuth2Authentication` classes, and ties into the scoping that their backends provide. + +Requests with a safe methods of `GET`, `OPTIONS` or `HEAD` will be allowed if the authenticated token has read permission. + +Requests for `POST`, `PUT`, `PATCH` and `DELETE` will be allowed if the authenticated token has write permission. + +This permission class relies on the implementations of the [django-oauth-plus][django-oauth-plus] and [django-oauth2-provider][django-oauth2-provider] libraries, which both provide limited support for controlling the scope of access tokens: + +* `django-oauth-plus`: Tokens are associated with a `Resource` class which has a `name`, `url` and `is_readonly` properties. +* `django-oauth2-provider`: Tokens are associated with a bitwise `scope` attribute, that defaults to providing bitwise values for `read` and/or `write`. + +If you require more advanced scoping for your API, such as restricting tokens to accessing a subset of functionality of your API then you will need to provide a custom permission class. See the source of the `django-oauth-plus` or `django-oauth2-provider` package for more details on scoping token access. --- # Custom permissions -To implement a custom permission, override `BasePermission` and implement the `.has_permission(self, request, view, obj=None)` method. +To implement a custom permission, override `BasePermission` and implement either, or both, of the following methods: -The method should return `True` if the request should be granted access, and `False` otherwise. +* `.has_permission(self, request, view)` +* `.has_object_permission(self, request, view, obj)` +The methods should return `True` if the request should be granted access, and `False` otherwise. + +If you need to test if a request is a read operation or a write operation, you should check the request method against the constant `SAFE_METHODS`, which is a tuple containing `'GET'`, `'OPTIONS'` and `'HEAD'`. For example: + + if request.method in permissions.SAFE_METHODS: + # Check permissions for read-only request + else: + # Check permissions for write request + +--- + +**Note**: In versions 2.0 and 2.1, the signature for the permission checks always included an optional `obj` parameter, like so: `.has_permission(self, request, view, obj=None)`. The method would be called twice, first for the global permission checks, with no object supplied, and second for the object-level check when required. + +As of version 2.2 this signature has now been replaced with two seperate method calls, which is more explict and obvious. The old style signature continues to work, but it's use will result in a `PendingDeprecationWarning`, which is silent by default. In 2.3 this will be escalated to a `DeprecationWarning`, and in 2.4 the old-style signature will be removed. + +For more details see the [2.2 release announcement][2.2-announcement]. + +--- + +## Examples + +The following is an example of a permission class that checks the incoming request's IP address against a blacklist, and denies the request if the IP has been blacklisted. + + class BlacklistPermission(permissions.BasePermission): + """ + Global permission check for blacklisted IPs. + """ + + def has_permission(self, request, view): + ip_addr = request.META['REMOTE_ADDR'] + blacklisted = Blacklist.objects.filter(ip_addr=ip_addr).exists() + return not blacklisted + +As well as global permissions, that are run against all incoming requests, you can also create object-level permissions, that are only run against operations that affect a particular object instance. For example: + + class IsOwnerOrReadOnly(permissions.BasePermission): + """ + Object-level permission to only allow owners of an object to edit it. + Assumes the model instance has an `owner` attribute. + """ + + def has_object_permission(self, request, view, obj): + # Read permissions are allowed to any request, + # so we'll always allow GET, HEAD or OPTIONS requests. + if request.method in permissions.SAFE_METHODS: + return True + + # Instance must have an attribute named `owner`. + return obj.owner == request.user + +Note that the generic views will check the appropriate object level permissions, but if you're writing your own custom views, you'll need to make sure you check the object level permission checks yourself. You can do so by calling `self.check_object_permissions(request, obj)` from the view once you have the object instance. This call will raise an appropriate `APIException` if any object-level permission checks fail, and will otherwise simply return. + +Also note that the generic views will only check the object-level permissions for views that retrieve a single model instance. If you require object-level filtering of list views, you'll need to filter the queryset separately. See the [filtering documentation][filtering] for more details. [cite]: https://developer.apple.com/library/mac/#documentation/security/Conceptual/AuthenticationAndAuthorizationGuide/Authorization/Authorization.html [authentication]: authentication.md [throttling]: throttling.md [contribauth]: https://docs.djangoproject.com/en/1.0/topics/auth/#permissions [guardian]: https://github.com/lukaszb/django-guardian +[django-oauth-plus]: http://code.larlet.fr/django-oauth-plus +[django-oauth2-provider]: https://github.com/caffeinehit/django-oauth2-provider +[2.2-announcement]: ../topics/2.2-announcement.md +[filtering]: filtering.md diff --git a/docs/api-guide/relations.md b/docs/api-guide/relations.md index 351b5e09e..623fe1a90 100644 --- a/docs/api-guide/relations.md +++ b/docs/api-guide/relations.md @@ -12,35 +12,319 @@ Relational fields are used to represent model relationships. They can be applie --- -**Note:** The relational fields are declared in `relations.py`, but by convention you should import them using `from rest_framework import serializers` and refer to fields as `serializers.`. +**Note:** The relational fields are declared in `relations.py`, but by convention you should import them from the `serializers` module, using `from rest_framework import serializers` and refer to fields as `serializers.`. --- +# API Reference + +In order to explain the various types of relational fields, we'll use a couple of simple models for our examples. Our models will be for music albums, and the tracks listed on each album. + + class Album(models.Model): + album_name = models.CharField(max_length=100) + artist = models.CharField(max_length=100) + + class Track(models.Model): + album = models.ForeignKey(Album, related_name='tracks') + order = models.IntegerField() + title = models.CharField(max_length=100) + duration = models.IntegerField() + + class Meta: + unique_together = ('album', 'order') + order_by = 'order' + + def __unicode__(self): + return '%d: %s' % (self.order, self.title) + ## RelatedField -This field can be applied to any of the following: +`RelatedField` may be used to represent the target of the relationship using it's `__unicode__` method. -* A `ForeignKey` field. -* A `OneToOneField` field. -* A reverse OneToOne relationship -* Any other "to-one" relationship. - -By default `RelatedField` will represent the target of the field using it's `__unicode__` method. - -You can customize this behavior by subclassing `ManyRelatedField`, and overriding the `.to_native(self, value)` method. - -## ManyRelatedField - -This field can be applied to any of the following: +For example, the following serializer. -* A `ManyToManyField` field. -* A reverse ManyToMany relationship. -* A reverse ForeignKey relationship -* Any other "to-many" relationship. + class AlbumSerializer(serializers.ModelSerializer): + tracks = RelatedField(many=True) + + class Meta: + model = Album + fields = ('album_name', 'artist', 'tracks') -By default `ManyRelatedField` will represent the targets of the field using their `__unicode__` method. +Would serialize to the following representation. -For example, given the following models: + { + 'album_name': 'Things We Lost In The Fire', + 'artist': 'Low' + 'tracks': [ + '1: Sunflower', + '2: Whitetail', + '3: Dinosaur Act', + ... + ] + } + +This field is read only. + +**Arguments**: + +* `many` - If applied to a to-many relationship, you should set this argument to `True`. + +## PrimaryKeyRelatedField + +`PrimaryKeyRelatedField` may be used to represent the target of the relationship using it's primary key. + +For example, the following serializer: + + class AlbumSerializer(serializers.ModelSerializer): + tracks = PrimaryKeyRelatedField(many=True, read_only=True) + + class Meta: + model = Album + fields = ('album_name', 'artist', 'tracks') + +Would serialize to a representation like this: + + { + 'album_name': 'The Roots', + 'artist': 'Undun' + 'tracks': [ + 89, + 90, + 91, + ... + ] + } + +By default this field is read-write, although you can change this behavior using the `read_only` flag. + +**Arguments**: + +* `many` - If applied to a to-many relationship, you should set this argument to `True`. +* `required` - If set to `False`, the field will accept values of `None` or the empty-string for nullable relationships. +* `queryset` - By default `ModelSerializer` classes will use the default queryset for the relationship. `Serializer` classes must either set a queryset explicitly, or set `read_only=True`. + +## HyperlinkedRelatedField + +`HyperlinkedRelatedField` may be used to represent the target of the relationship using a hyperlink. + +For example, the following serializer: + + class AlbumSerializer(serializers.ModelSerializer): + tracks = HyperlinkedRelatedField(many=True, read_only=True, + view_name='track-detail') + + class Meta: + model = Album + fields = ('album_name', 'artist', 'tracks') + +Would serialize to a representation like this: + + { + 'album_name': 'Graceland', + 'artist': 'Paul Simon' + 'tracks': [ + 'http://www.example.com/api/tracks/45', + 'http://www.example.com/api/tracks/46', + 'http://www.example.com/api/tracks/47', + ... + ] + } + +By default this field is read-write, although you can change this behavior using the `read_only` flag. + +**Arguments**: + +* `view_name` - The view name that should be used as the target of the relationship. **required**. +* `many` - If applied to a to-many relationship, you should set this argument to `True`. +* `required` - If set to `False`, the field will accept values of `None` or the empty-string for nullable relationships. +* `queryset` - By default `ModelSerializer` classes will use the default queryset for the relationship. `Serializer` classes must either set a queryset explicitly, or set `read_only=True`. +* `slug_field` - The field on the target that should be used for the lookup. Default is `'slug'`. +* `pk_url_kwarg` - The named url parameter for the pk field lookup. Default is `pk`. +* `slug_url_kwarg` - The named url parameter for the slug field lookup. Default is to use the same value as given for `slug_field`. +* `format` - If using format suffixes, hyperlinked fields will use the same format suffix for the target unless overridden by using the `format` argument. + +## SlugRelatedField + +`SlugRelatedField` may be used to represent the target of the relationship using a field on the target. + +For example, the following serializer: + + class AlbumSerializer(serializers.ModelSerializer): + tracks = SlugRelatedField(many=True, read_only=True, slug_field='title') + + class Meta: + model = Album + fields = ('album_name', 'artist', 'tracks') + +Would serialize to a representation like this: + + { + 'album_name': 'Dear John', + 'artist': 'Loney Dear' + 'tracks': [ + 'Airport Surroundings', + 'Everything Turns to You', + 'I Was Only Going Out', + ... + ] + } + +By default this field is read-write, although you can change this behavior using the `read_only` flag. + +When using `SlugRelatedField` as a read-write field, you will normally want to ensure that the slug field corresponds to a model field with `unique=True`. + +**Arguments**: + +* `slug_field` - The field on the target that should be used to represent it. This should be a field that uniquely identifies any given instance. For example, `username`. **required** +* `many` - If applied to a to-many relationship, you should set this argument to `True`. +* `required` - If set to `False`, the field will accept values of `None` or the empty-string for nullable relationships. +* `queryset` - By default `ModelSerializer` classes will use the default queryset for the relationship. `Serializer` classes must either set a queryset explicitly, or set `read_only=True`. + +## HyperlinkedIdentityField + +This field can be applied as an identity relationship, such as the `'url'` field on a HyperlinkedModelSerializer. It can also be used for an attribute on the object. For example, the following serializer: + + class AlbumSerializer(serializers.HyperlinkedModelSerializer): + track_listing = HyperlinkedIdentityField(view_name='track-list') + + class Meta: + model = Album + fields = ('album_name', 'artist', 'track_listing') + +Would serialize to a representation like this: + + { + 'album_name': 'The Eraser', + 'artist': 'Thom Yorke' + 'track_listing': 'http://www.example.com/api/track_list/12', + } + +This field is always read-only. + +**Arguments**: + +* `view_name` - The view name that should be used as the target of the relationship. **required**. +* `slug_field` - The field on the target that should be used for the lookup. Default is `'slug'`. +* `pk_url_kwarg` - The named url parameter for the pk field lookup. Default is `pk`. +* `slug_url_kwarg` - The named url parameter for the slug field lookup. Default is to use the same value as given for `slug_field`. +* `format` - If using format suffixes, hyperlinked fields will use the same format suffix for the target unless overridden by using the `format` argument. + +--- + +# Nested relationships + +Nested relationships can be expressed by using serializers as fields. + +If the field is used to represent a to-many relationship, you should add the `many=True` flag to the serializer field. + +Note that nested relationships are currently read-only. For read-write relationships, you should use a flat relational style. + +## Example + +For example, the following serializer: + + class TrackSerializer(serializers.ModelSerializer): + class Meta: + model = Track + fields = ('order', 'title') + + class AlbumSerializer(serializers.ModelSerializer): + tracks = TrackSerializer(many=True) + + class Meta: + model = Album + fields = ('album_name', 'artist', 'tracks') + +Would serialize to a nested representation like this: + + { + 'album_name': 'The Grey Album', + 'artist': 'Danger Mouse' + 'tracks': [ + {'order': 1, 'title': 'Public Service Annoucement'}, + {'order': 2, 'title': 'What More Can I Say'}, + {'order': 3, 'title': 'Encore'}, + ... + ], + } + +# Custom relational fields + +To implement a custom relational field, you should override `RelatedField`, and implement the `.to_native(self, value)` method. This method takes the target of the field as the `value` argument, and should return the representation that should be used to serialize the target. + +If you want to implement a read-write relational field, you must also implement the `.from_native(self, data)` method, and add `read_only = False` to the class definition. + +## Example + +For, example, we could define a relational field, to serialize a track to a custom string representation, using it's ordering, title, and duration. + + import time + + class TrackListingField(serializers.RelatedField): + def to_native(self, value): + duration = time.strftime('%M:%S', time.gmtime(value.duration)) + return 'Track %d: %s (%s)' % (value.order, value.name, duration) + + class AlbumSerializer(serializers.ModelSerializer): + tracks = TrackListingField(many=True) + + class Meta: + model = Album + fields = ('album_name', 'artist', 'tracks') + +This custom field would then serialize to the following representation. + + { + 'album_name': 'Sometimes I Wish We Were an Eagle', + 'artist': 'Bill Callahan' + 'tracks': [ + 'Track 1: Jim Cain (04:39)', + 'Track 2: Eid Ma Clack Shaw (04:19)', + 'Track 3: The Wind and the Dove (04:34)', + ... + ] + } + +--- + +# Further notes + +## Reverse relations + +Note that reverse relationships are not automatically generated by the `ModelSerializer` and `HyperlinkedModelSerializer` classes. To include a reverse relationship, you cannot simply add it to the fields list. + +**The following will not work:** + + class AlbumSerializer(serializers.ModelSerializer): + class Meta: + fields = ('tracks', ...) + +Instead, you must explicitly add it to the serializer. For example: + + class AlbumSerializer(serializers.ModelSerializer): + tracks = serializers.PrimaryKeyRelatedField(many=True) + ... + +By default, the field will uses the same accessor as it's field name to retrieve the relationship, so in this example, `Album` instances would need to have the `tracks` attribute for this relationship to work. + +The best way to ensure this is typically to make sure that the relationship on the model definition has it's `related_name` argument properly set. For example: + + class Track(models.Model): + album = models.ForeignKey(Album, related_name='tracks') + ... + +Alternatively, you can use the `source` argument on the serializer field, to use a different accessor attribute than the field name. For example. + + class AlbumSerializer(serializers.ModelSerializer): + tracks = serializers.PrimaryKeyRelatedField(many=True, source='track_set') + +See the Django documentation on [reverse relationships][reverse-relationships] for more details. + +## Generic relationships + +If you want to serialize a generic foreign key, you need to define a custom field, to determine explicitly how you want serialize the targets of the relationship. + +For example, given the following model for a tag, which has a generic relationship with other arbitrary models: class TaggedItem(models.Model): """ @@ -48,15 +332,16 @@ For example, given the following models: See: https://docs.djangoproject.com/en/dev/ref/contrib/contenttypes/ """ - tag = models.SlugField() + tag_name = models.SlugField() content_type = models.ForeignKey(ContentType) object_id = models.PositiveIntegerField() - content_object = GenericForeignKey('content_type', 'object_id') + tagged_object = GenericForeignKey('content_type', 'object_id') def __unicode__(self): return self.tag - - + +And the following two models, which may be have associated tags: + class Bookmark(models.Model): """ A bookmark consists of a URL, and 0 or more descriptive tags. @@ -64,76 +349,71 @@ For example, given the following models: url = models.URLField() tags = GenericRelation(TaggedItem) -And a model serializer defined like this: - class BookmarkSerializer(serializers.ModelSerializer): - tags = serializers.ManyRelatedField(source='tags') + class Note(models.Model): + """ + A note consists of some text, and 0 or more descriptive tags. + """ + text = models.CharField(max_length=1000) + tags = GenericRelation(TaggedItem) - class Meta: - model = Bookmark - exclude = ('id',) +We could define a custom field that could be used to serialize tagged instances, using the type of each instance to determine how it should be serialized. -Then an example output format for a Bookmark instance would be: + class TaggedObjectRelatedField(serializers.RelatedField): + """ + A custom field to use for the `tagged_object` generic relationship. + """ - { - 'tags': [u'django', u'python'], - 'url': u'https://www.djangoproject.com/' - } + def to_native(self, value): + """ + Serialize tagged objects to a simple textual representation. + """ + if isinstance(value, Bookmark): + return 'Bookmark: ' + value.url + elif isinstance(value, Note): + return 'Note: ' + value.text + raise Exception('Unexpected type of tagged object') -## PrimaryKeyRelatedField -## ManyPrimaryKeyRelatedField +If you need the target of the relationship to have a nested representation, you can use the required serializers inside the `.to_native()` method: -`PrimaryKeyRelatedField` and `ManyPrimaryKeyRelatedField` will represent the target of the relationship using it's primary key. + def to_native(self, value): + """ + Serialize bookmark instances using a bookmark serializer, + and note instances using a note serializer. + """ + if isinstance(value, Bookmark): + serializer = BookmarkSerializer(value) + elif isinstance(value, Note): + serializer = NoteSerializer(value) + else: + raise Exception('Unexpected type of tagged object') -By default these fields are read-write, although you can change this behavior using the `read_only` flag. + return serializer.data -**Arguments**: +Note that reverse generic keys, expressed using the `GenericRelation` field, can be serialized using the regular relational field types, since the type of the target in the relationship is always known. -* `queryset` - By default `ModelSerializer` classes will use the default queryset for the relationship. `Serializer` classes must either set a queryset explicitly, or set `read_only=True`. -* `null` - If set to `True`, the field will accept values of `None` or the empty-string for nullable relationships. +For more information see [the Django documentation on generic relations][generic-relations]. -## SlugRelatedField -## ManySlugRelatedField +--- -`SlugRelatedField` and `ManySlugRelatedField` will represent the target of the relationship using a unique slug. +## Deprecated APIs -By default these fields read-write, although you can change this behavior using the `read_only` flag. +The following classes have been deprecated, in favor of the `many=` syntax. +They continue to function, but their usage will raise a `PendingDeprecationWarning`, which is silent by default. -**Arguments**: +* `ManyRelatedField` +* `ManyPrimaryKeyRelatedField` +* `ManyHyperlinkedRelatedField` +* `ManySlugRelatedField` -* `slug_field` - The field on the target that should be used to represent it. This should be a field that uniquely identifies any given instance. For example, `username`. -* `queryset` - By default `ModelSerializer` classes will use the default queryset for the relationship. `Serializer` classes must either set a queryset explicitly, or set `read_only=True`. -* `null` - If set to `True`, the field will accept values of `None` or the empty-string for nullable relationships. +The `null=` flag has been deprecated in favor of the `required=` flag. It will continue to function, but will raise a `PendingDeprecationWarning`. -## HyperlinkedRelatedField -## ManyHyperlinkedRelatedField +In the 2.3 release, these warnings will be escalated to a `DeprecationWarning`, which is loud by default. +In the 2.4 release, these parts of the API will be removed entirely. -`HyperlinkedRelatedField` and `ManyHyperlinkedRelatedField` will represent the target of the relationship using a hyperlink. - -By default, `HyperlinkedRelatedField` is read-write, although you can change this behavior using the `read_only` flag. - -**Arguments**: - -* `view_name` - The view name that should be used as the target of the relationship. **required**. -* `format` - If using format suffixes, hyperlinked fields will use the same format suffix for the target unless overridden by using the `format` argument. -* `queryset` - By default `ModelSerializer` classes will use the default queryset for the relationship. `Serializer` classes must either set a queryset explicitly, or set `read_only=True`. -* `slug_field` - The field on the target that should be used for the lookup. Default is `'slug'`. -* `pk_url_kwarg` - The named url parameter for the pk field lookup. Default is `pk`. -* `slug_url_kwarg` - The named url parameter for the slug field lookup. Default is to use the same value as given for `slug_field`. -* `null` - If set to `True`, the field will accept values of `None` or the empty-string for nullable relationships. - -## HyperLinkedIdentityField - -This field can be applied as an identity relationship, such as the `'url'` field on a HyperlinkedModelSerializer. - -This field is always read-only. - -**Arguments**: - -* `view_name` - The view name that should be used as the target of the relationship. **required**. -* `format` - If using format suffixes, hyperlinked fields will use the same format suffix for the target unless overridden by using the `format` argument. -* `slug_field` - The field on the target that should be used for the lookup. Default is `'slug'`. -* `pk_url_kwarg` - The named url parameter for the pk field lookup. Default is `pk`. -* `slug_url_kwarg` - The named url parameter for the slug field lookup. Default is to use the same value as given for `slug_field`. +For more details see the [2.2 release announcement][2.2-announcement]. [cite]: http://lwn.net/Articles/193245/ +[reverse-relationships]: https://docs.djangoproject.com/en/dev/topics/db/queries/#following-relationships-backward +[generic-relations]: https://docs.djangoproject.com/en/dev/ref/contrib/contenttypes/#id1 +[2.2-announcement]: ../topics/2.2-announcement.md diff --git a/docs/api-guide/renderers.md b/docs/api-guide/renderers.md index b4f7ec3d4..3c8396aa1 100644 --- a/docs/api-guide/renderers.md +++ b/docs/api-guide/renderers.md @@ -80,7 +80,7 @@ Renders the request data into `JSONP`. The `JSONP` media type provides a mechan The javascript callback function must be set by the client including a `callback` URL query parameter. For example `http://example.com/api/users?callback=jsonpCallback`. If the callback function is not explicitly set by the client it will default to `'callback'`. -**Note**: If you require cross-domain AJAX requests, you may also want to consider using [CORS] as an alternative to `JSONP`. +**Note**: If you require cross-domain AJAX requests, you may want to consider using the more modern approach of [CORS][cors] as an alternative to `JSONP`. See the [CORS documentation][cors-docs] for more details. **.media_type**: `application/javascript` @@ -90,6 +90,8 @@ The javascript callback function must be set by the client including a `callback Renders the request data into `YAML`. +Requires the `pyyaml` package to be installed. + **.media_type**: `application/yaml` **.format**: `'.yaml'` @@ -115,13 +117,13 @@ The TemplateHTMLRenderer will create a `RequestContext`, using the `response.dat The template name is determined by (in order of preference): -1. An explicit `.template_name` attribute set on the response. +1. An explicit `template_name` argument passed to the response. 2. An explicit `.template_name` attribute set on this class. 3. The return result of calling `view.get_template_names()`. An example of a view that uses `TemplateHTMLRenderer`: - class UserInstance(generics.RetrieveUserAPIView): + class UserDetail(generics.RetrieveUserAPIView): """ A view that returns a templated HTML representations of a given user. """ @@ -288,7 +290,8 @@ Comma-separated values are a plain-text tabular data format, that can be easily [cite]: https://docs.djangoproject.com/en/dev/ref/template-response/#the-rendering-process [conneg]: content-negotiation.md [browser-accept-headers]: http://www.gethifi.com/blog/browser-rest-http-accept-headers -[CORS]: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing +[cors]: http://www.w3.org/TR/cors/ +[cors-docs]: ../topics/ajax-csrf-cors.md [HATEOAS]: http://timelessrepo.com/haters-gonna-hateoas [quote]: http://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypertext-driven [application/vnd.github+json]: http://developer.github.com/v3/media/ @@ -298,4 +301,4 @@ Comma-separated values are a plain-text tabular data format, that can be easily [juanriaza]: https://github.com/juanriaza [mjumbewu]: https://github.com/mjumbewu [djangorestframework-msgpack]: https://github.com/juanriaza/django-rest-framework-msgpack -[djangorestframework-csv]: https://github.com/mjumbewu/django-rest-framework-csv \ No newline at end of file +[djangorestframework-csv]: https://github.com/mjumbewu/django-rest-framework-csv diff --git a/docs/api-guide/requests.md b/docs/api-guide/requests.md index 72932f5d6..39a34fcfb 100644 --- a/docs/api-guide/requests.md +++ b/docs/api-guide/requests.md @@ -83,13 +83,13 @@ You won't typically need to access this property. # Browser enhancements -REST framework supports a few browser enhancements such as browser-based `PUT` and `DELETE` forms. +REST framework supports a few browser enhancements such as browser-based `PUT`, `PATCH` and `DELETE` forms. ## .method `request.method` returns the **uppercased** string representation of the request's HTTP method. -Browser-based `PUT` and `DELETE` forms are transparently supported. +Browser-based `PUT`, `PATCH` and `DELETE` forms are transparently supported. For more information see the [browser enhancements documentation]. diff --git a/docs/api-guide/serializers.md b/docs/api-guide/serializers.md index d98a602f7..42edf9af1 100644 --- a/docs/api-guide/serializers.md +++ b/docs/api-guide/serializers.md @@ -25,6 +25,7 @@ Let's start by creating a simple object we can use for example purposes: comment = Comment(email='leila@example.com', content='foo bar') We'll declare a serializer that we can use to serialize and deserialize `Comment` objects. + Declaring a serializer looks very similar to declaring a form: class CommentSerializer(serializers.Serializer): @@ -33,10 +34,17 @@ Declaring a serializer looks very similar to declaring a form: created = serializers.DateTimeField() def restore_object(self, attrs, instance=None): + """ + Given a dictionary of deserialized field values, either update + an existing model instance, or create a new model instance. + + Note that if we don't define this method, then deserializing + data will simply return a dictionary of items. + """ if instance is not None: - instance.title = attrs['title'] - instance.content = attrs['content'] - instance.created = attrs['created'] + instance.title = attrs.get('title', instance.title) + instance.content = attrs.get('content', instance.content) + instance.created = attrs.get('created', instance.created) return instance return Comment(**attrs) @@ -80,9 +88,21 @@ By default, serializers must be passed values for all required fields or they wi serializer = CommentSerializer(comment, data={'content': u'foo bar'}, partial=True) # Update `instance` with partial data +## Serializing querysets + +To serialize a queryset instead of an object instance, you should pass the `many=True` flag when instantiating the serializer. + + queryset = Comment.objects.all() + serializer = CommentSerializer(queryset, many=True) + serializer.data + # [{'email': u'leila@example.com', 'content': u'foo bar', 'created': datetime.datetime(2012, 8, 22, 16, 20, 9, 822774)}, {'email': u'jamie@example.com', 'content': u'baz', 'created': datetime.datetime(2013, 1, 12, 16, 12, 45, 104445)}] + ## Validation -When deserializing data, you always need to call `is_valid()` before attempting to access the deserialized object. If any validation errors occur, the `.errors` and `.non_field_errors` properties will contain the resulting error messages. +When deserializing data, you always need to call `is_valid()` before attempting to access the deserialized object. If any validation errors occur, the `.errors` property will contain a dictionary representing the resulting error messages. +Each key in the dictionary will be the field name, and the values will be lists of strings of any error messages corresponding to that field. The `non_field_errors` key may also be present, and will list any general validation errors. + +When deserializing a list of items, errors will be returned as a list of dictionaries representing each of the deserialized items. ### Field-level validation @@ -114,7 +134,7 @@ To do any other validation that requires access to multiple fields, add a method from rest_framework import serializers class EventSerializer(serializers.Serializer): - description = serializers.CahrField(max_length=100) + description = serializers.CharField(max_length=100) start = serializers.DateTimeField() finish = serializers.DateTimeField() @@ -155,6 +175,17 @@ The `Serializer` class is itself a type of `Field`, and can be used to represent --- +## Including extra context + +There are some cases where you need to provide extra context to the serializer in addition to the object being serialized. One common case is if you're using a serializer that includes hyperlinked relations, which requires the serializer to have access to the current request so that it can properly generate fully qualified URLs. + +You can provide arbitrary additional context by passing a `context` argument when instantiating the serializer. For example: + + serializer = AccountSerializer(account, context={'request': request}) + serializer.data + # {'id': 6, 'owner': u'denvercoder9', 'created': datetime.datetime(2013, 2, 12, 09, 44, 56, 678870), 'details': 'http://example.com/accounts/6/details'} + +The context dictionary can be used within any serializer field logic, such as a custom `.to_native()` method, by accessing the `self.context` attribute. ## Creating custom fields @@ -190,18 +221,12 @@ By default field values are treated as mapping to an attribute on the object. I As an example, let's create a field that can be used represent the class name of the object being serialized: - class ClassNameField(serializers.WritableField): + class ClassNameField(serializers.Field): def field_to_native(self, obj, field_name): """ - Serialize the object's class name, not an attribute of the object. + Serialize the object's class name. """ - return obj.__class__.__name__ - - def field_from_native(self, data, field_name, into): - """ - We don't want to set anything when we revert this field. - """ - pass + return obj.__class__ --- @@ -214,15 +239,17 @@ The `ModelSerializer` class lets you automatically create a Serializer class wit class Meta: model = Account -**[TODO: Explain model field to serializer field mapping in more detail]** +By default, all the model fields on the class will be mapped to corresponding serializer fields. + +Any foreign keys on the model will be mapped to `PrimaryKeyRelatedField` if you're using a `ModelSerializer`, or `HyperlinkedRelatedField` if you're using a `HyperlinkedModelSerializer`. ## Specifying fields explicitly You can add extra fields to a `ModelSerializer` or override the default fields by declaring fields on the class, just as you would for a `Serializer` class. class AccountSerializer(serializers.ModelSerializer): - url = CharField(source='get_absolute_url', read_only=True) - group = NaturalKeyField() + url = serializers.CharField(source='get_absolute_url', read_only=True) + groups = serializers.PrimaryKeyRelatedField(many=True) class Meta: model = Account @@ -231,17 +258,11 @@ Extra fields can correspond to any property or callable on the model. ## Relational fields -When serializing model instances, there are a number of different ways you might choose to represent relationships. The default representation is to use the primary keys of the related instances. +When serializing model instances, there are a number of different ways you might choose to represent relationships. The default representation for `ModelSerializer` is to use the primary keys of the related instances. -Alternative representations include serializing using natural keys, serializing complete nested representations, or serializing using a custom representation, such as a URL that uniquely identifies the model instances. +Alternative representations include serializing using hyperlinks, serializing complete nested representations, or serializing with a custom representation. -The `PrimaryKeyRelatedField` and `HyperlinkedRelatedField` fields provide alternative flat representations. - -The `ModelSerializer` class can itself be used as a field, in order to serialize relationships using nested representations. - -The `RelatedField` class may be subclassed to create a custom representation of a relationship. The subclass should override `.to_native()`, and optionally `.from_native()` if deserialization is supported. - -All the relational fields may be used for any relationship or reverse relationship on a model. +For full details see the [serializer relations][relations] documentation. ## Specifying which fields should be included @@ -316,3 +337,4 @@ The following custom model serializer could be used as a base class for model se [cite]: https://groups.google.com/d/topic/django-users/sVFaOfQi4wY/discussion +[relations]: relations.md diff --git a/docs/api-guide/settings.md b/docs/api-guide/settings.md index a422e5f61..116386969 100644 --- a/docs/api-guide/settings.md +++ b/docs/api-guide/settings.md @@ -34,7 +34,11 @@ The `api_settings` object will check for any user-defined settings, and otherwis # API Reference -## DEFAULT_RENDERER_CLASSES +## API policy settings + +*The following settings control the basic API policies, and are applied to every `APIView` class based view, or `@api_view` function based view.* + +#### DEFAULT_RENDERER_CLASSES A list or tuple of renderer classes, that determines the default set of renderers that may be used when returning a `Response` object. @@ -43,10 +47,9 @@ Default: ( 'rest_framework.renderers.JSONRenderer', 'rest_framework.renderers.BrowsableAPIRenderer', - 'rest_framework.renderers.TemplateHTMLRenderer' ) -## DEFAULT_PARSER_CLASSES +#### DEFAULT_PARSER_CLASSES A list or tuple of parser classes, that determines the default set of parsers used when accessing the `request.DATA` property. @@ -54,10 +57,11 @@ Default: ( 'rest_framework.parsers.JSONParser', - 'rest_framework.parsers.FormParser' + 'rest_framework.parsers.FormParser', + 'rest_framework.parsers.MultiPartParser' ) -## DEFAULT_AUTHENTICATION_CLASSES +#### DEFAULT_AUTHENTICATION_CLASSES A list or tuple of authentication classes, that determines the default set of authenticators used when accessing the `request.user` or `request.auth` properties. @@ -68,7 +72,7 @@ Default: 'rest_framework.authentication.BasicAuthentication' ) -## DEFAULT_PERMISSION_CLASSES +#### DEFAULT_PERMISSION_CLASSES A list or tuple of permission classes, that determines the default set of permissions checked at the start of a view. @@ -78,53 +82,77 @@ Default: 'rest_framework.permissions.AllowAny', ) -## DEFAULT_THROTTLE_CLASSES +#### DEFAULT_THROTTLE_CLASSES A list or tuple of throttle classes, that determines the default set of throttles checked at the start of a view. Default: `()` -## DEFAULT_MODEL_SERIALIZER_CLASS +#### DEFAULT_CONTENT_NEGOTIATION_CLASS -**TODO** +A content negotiation class, that determines how a renderer is selected for the response, given an incoming request. -Default: `rest_framework.serializers.ModelSerializer` +Default: `'rest_framework.negotiation.DefaultContentNegotiation'` -## DEFAULT_PAGINATION_SERIALIZER_CLASS +--- -**TODO** +## Generic view settings + +*The following settings control the behavior of the generic class based views.* + +#### DEFAULT_MODEL_SERIALIZER_CLASS + +A class that determines the default type of model serializer that should be used by a generic view if `model` is specified, but `serializer_class` is not provided. + +Default: `'rest_framework.serializers.ModelSerializer'` + +#### DEFAULT_PAGINATION_SERIALIZER_CLASS + +A class the determines the default serialization style for paginated responses. Default: `rest_framework.pagination.PaginationSerializer` -## FILTER_BACKEND +#### FILTER_BACKEND The filter backend class that should be used for generic filtering. If set to `None` then generic filtering is disabled. -## PAGINATE_BY +#### PAGINATE_BY The default page size to use for pagination. If set to `None`, pagination is disabled by default. Default: `None` -## PAGINATE_BY_PARAM +#### PAGINATE_BY_PARAM The name of a query parameter, which can be used by the client to overide the default page size to use for pagination. If set to `None`, clients may not override the default page size. Default: `None` -## UNAUTHENTICATED_USER +--- + +## Authentication settings + +*The following settings control the behavior of unauthenticated requests.* + +#### UNAUTHENTICATED_USER The class that should be used to initialize `request.user` for unauthenticated requests. Default: `django.contrib.auth.models.AnonymousUser` -## UNAUTHENTICATED_TOKEN +#### UNAUTHENTICATED_TOKEN The class that should be used to initialize `request.auth` for unauthenticated requests. Default: `None` -## FORM_METHOD_OVERRIDE +--- + +## Browser overrides + +*The following settings provide URL or form-based overrides of the default browser behavior.* + +#### FORM_METHOD_OVERRIDE The name of a form field that may be used to override the HTTP method of the form. @@ -132,7 +160,7 @@ If the value of this setting is `None` then form method overloading will be disa Default: `'_method'` -## FORM_CONTENT_OVERRIDE +#### FORM_CONTENT_OVERRIDE The name of a form field that may be used to override the content of the form payload. Must be used together with `FORM_CONTENTTYPE_OVERRIDE`. @@ -140,7 +168,7 @@ If either setting is `None` then form content overloading will be disabled. Default: `'_content'` -## FORM_CONTENTTYPE_OVERRIDE +#### FORM_CONTENTTYPE_OVERRIDE The name of a form field that may be used to override the content type of the form payload. Must be used together with `FORM_CONTENT_OVERRIDE`. @@ -148,7 +176,7 @@ If either setting is `None` then form content overloading will be disabled. Default: `'_content_type'` -## URL_ACCEPT_OVERRIDE +#### URL_ACCEPT_OVERRIDE The name of a URL parameter that may be used to override the HTTP `Accept` header. @@ -156,13 +184,61 @@ If the value of this setting is `None` then URL accept overloading will be disab Default: `'accept'` -## URL_FORMAT_OVERRIDE +#### URL_FORMAT_OVERRIDE + +The name of a URL parameter that may be used to override the default `Accept` header based content negotiation. Default: `'format'` -## FORMAT_SUFFIX_KWARG +--- -**TODO** +## Date/Time formatting + +*The following settings are used to control how date and time representations may be parsed and rendered.* + +#### DATETIME_FORMAT + +A format string that should be used by default for rendering the output of `DateTimeField` serializer fields. + +Default: `'iso-8601'` + +#### DATETIME_INPUT_FORMATS + +A list of format strings that should be used by default for parsing inputs to `DateTimeField` serializer fields. + +Default: `['iso-8601']` + +#### DATE_FORMAT + +A format string that should be used by default for rendering the output of `DateField` serializer fields. + +Default: `'iso-8601'` + +#### DATE_INPUT_FORMATS + +A list of format strings that should be used by default for parsing inputs to `DateField` serializer fields. + +Default: `['iso-8601']` + +#### TIME_FORMAT + +A format string that should be used by default for rendering the output of `TimeField` serializer fields. + +Default: `'iso-8601'` + +#### TIME_INPUT_FORMATS + +A list of format strings that should be used by default for parsing inputs to `TimeField` serializer fields. + +Default: `['iso-8601']` + +--- + +## Miscellaneous settings + +#### FORMAT_SUFFIX_KWARG + +The name of a parameter in the URL conf that may be used to provide a format suffix. Default: `'format'` diff --git a/docs/api-guide/throttling.md b/docs/api-guide/throttling.md index b03bc9e04..1abd49f47 100644 --- a/docs/api-guide/throttling.md +++ b/docs/api-guide/throttling.md @@ -6,8 +6,6 @@ > > [Twitter API rate limiting response][cite] -[cite]: https://dev.twitter.com/docs/error-codes-responses - Throttling is similar to [permissions], in that it determines if a request should be authorized. Throttles indicate a temporary state, and are used to control the rate of requests that clients can make to an API. As with permissions, multiple throttles may be used. Your API might have a restrictive throttle for unauthenticated requests, and a less restrictive throttle for authenticated requests. @@ -63,6 +61,10 @@ Or, if you're using the `@api_view` decorator with function based views. } return Response(content) +## Setting up the cache + +The throttle classes provided by REST framework use Django's cache backend. You should make sure that you've set appropriate [cache settings][cache-setting]. The default value of `LocMemCache` backend should be okay for simple setups. See Django's [cache documentation][cache-docs] for more details. + --- # API Reference @@ -150,8 +152,19 @@ User requests to either `ContactListView` or `ContactDetailView` would be restri # Custom throttles -To create a custom throttle, override `BaseThrottle` and implement `.allow_request(request, view)`. The method should return `True` if the request should be allowed, and `False` otherwise. +To create a custom throttle, override `BaseThrottle` and implement `.allow_request(self, request, view)`. The method should return `True` if the request should be allowed, and `False` otherwise. Optionally you may also override the `.wait()` method. If implemented, `.wait()` should return a recommended number of seconds to wait before attempting the next request, or `None`. The `.wait()` method will only be called if `.allow_request()` has previously returned `False`. +## Example + +The following is an example of a rate throttle, that will randomly throttle 1 in every 10 requests. + + class RandomRateThrottle(throttles.BaseThrottle): + def allow_request(self, request, view): + return random.randint(1, 10) == 1 + +[cite]: https://dev.twitter.com/docs/error-codes-responses [permissions]: permissions.md +[cache-setting]: https://docs.djangoproject.com/en/dev/ref/settings/#caches +[cache-docs]: https://docs.djangoproject.com/en/dev/topics/cache/#setting-up-the-cache \ No newline at end of file diff --git a/docs/api-guide/views.md b/docs/api-guide/views.md index d1e42ec1c..8b26b3e35 100644 --- a/docs/api-guide/views.md +++ b/docs/api-guide/views.md @@ -76,16 +76,16 @@ The following methods are used by REST framework to instantiate the various plug The following methods are called before dispatching to the handler method. -### .check_permissions(...) +### .check_permissions(self, request) -### .check_throttles(...) +### .check_throttles(self, request) -### .perform_content_negotiation(...) +### .perform_content_negotiation(self, request, force=False) ## Dispatch methods The following methods are called directly by the view's `.dispatch()` method. -These perform any actions that need to occur before or after calling the handler methods such as `.get()`, `.post()`, `put()` and `.delete()`. +These perform any actions that need to occur before or after calling the handler methods such as `.get()`, `.post()`, `put()`, `patch()` and `.delete()`. ### .initial(self, request, \*args, **kwargs) diff --git a/docs/css/default.css b/docs/css/default.css index 57446ff98..c160b63d1 100644 --- a/docs/css/default.css +++ b/docs/css/default.css @@ -25,18 +25,29 @@ pre { margin-top: 9px; } +body.index-page #main-content p.badges { + padding-bottom: 1px; +} + /* GitHub 'Star' badge */ -body.index-page #main-content iframe { +body.index-page #main-content iframe.github-star-button { float: right; margin-top: -12px; margin-right: -15px; } +/* Tweet button */ +body.index-page #main-content iframe.twitter-share-button { + float: right; + margin-top: -12px; + margin-right: 8px; +} + /* Travis CI badge */ -body.index-page #main-content p:first-of-type { +body.index-page #main-content img.travis-build-image { float: right; margin-right: 8px; - margin-top: -14px; + margin-top: -11px; margin-bottom: 0px; } diff --git a/docs/index.md b/docs/index.md index 497f19004..5357536d9 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,19 +1,19 @@ - -[![Travis build image][travis-build-image]][travis] +

+ + + + + +Travis build image +

# Django REST framework -**A toolkit for building well-connected, self-describing Web APIs.** +**Web APIs for Django, made easy.** ---- +Django REST framework is a flexible, powerful library that makes it incredibly easy to build Web APIs. It is designed as a modular and easy to customize architecture, based on Django's class based views. -**Note**: This documentation is for the 2.0 version of REST framework. If you are looking for earlier versions please see the [0.4.x branch][0.4] on GitHub. - ---- - -Django REST framework is a lightweight library that makes it easy to build Web APIs. It is designed as a modular and easy to customize architecture, based on Django's class based views. - -Web APIs built using REST framework are fully self-describing and web browseable - a huge useability win for your developers. It also supports a wide range of media types, authentication and permission policies out of the box. +APIs built using REST framework are fully self-describing and web browseable - a huge useability win for your developers. It also supports a wide range of media types, authentication and permission policies out of the box. If you are considering using REST framework for your API, we recommend reading the [REST framework 2 announcement][rest-framework-2-announcement] which gives a good overview of the framework and it's capabilities. @@ -27,14 +27,19 @@ There is also a sandbox API you can use for testing purposes, [available here][s REST framework requires the following: -* Python (2.6, 2.7) +* Python (2.6.5+, 2.7, 3.2, 3.3) * Django (1.3, 1.4, 1.5) The following packages are optional: * [Markdown][markdown] (2.1.0+) - Markdown support for the browseable API. * [PyYAML][yaml] (3.10+) - YAML content-type support. +* [defusedxml][defusedxml] (0.3+) - XML content-type support. * [django-filter][django-filter] (0.5.4+) - Filtering support. +* [django-oauth-plus][django-oauth-plus] (2.0+) and [oauth2][oauth2] (1.5.211+) - OAuth 1.0a support. +* [django-oauth2-provider][django-oauth2-provider] (0.2.3+) - OAuth 2.0 support. + +**Note**: The `oauth2` python package is badly misnamed, and actually provides OAuth 1.0a support. Also note that packages required for both OAuth 1.0a, and OAuth 2.0 are not yet Python 3 compatible. ## Installation @@ -70,7 +75,7 @@ Note that the URL path can be whatever you want, but you must include `'rest_fra ## Quickstart -Can't wait to get started? The [quickstart guide][quickstart] is the fastest way to get up and running with REST framework. +Can't wait to get started? The [quickstart guide][quickstart] is the fastest way to get up and running, and building APIs with REST framework. ## Tutorial @@ -111,10 +116,12 @@ The API guide is your complete reference manual to all the functionality provide General guides to using REST framework. +* [AJAX, CSRF & CORS][ajax-csrf-cors] * [Browser enhancements][browser-enhancements] * [The Browsable API][browsableapi] * [REST, Hypermedia & HATEOAS][rest-hypermedia-hateoas] * [2.0 Announcement][rest-framework-2-announcement] +* [2.2 Announcement][2.2-announcement] * [Release Notes][release-notes] * [Credits][credits] @@ -130,12 +137,21 @@ Run the tests: ./rest_framework/runtests/runtests.py +To run the tests against all supported configurations, first install [the tox testing tool][tox] globally, using `pip install tox`, then simply run `tox`: + + tox + ## Support -For support please see the [REST framework discussion group][group], or try the `#restframework` channel on `irc.freenode.net`. +For support please see the [REST framework discussion group][group], try the `#restframework` channel on `irc.freenode.net`, or raise a question on [Stack Overflow][stack-overflow], making sure to include the ['django-rest-framework'][django-rest-framework-tag] tag. -Paid support is also available from [DabApps], and can include work on REST framework core, or support with building your REST framework API. Please contact [Tom Christie][email] if you'd like to discuss commercial support options. +[Paid support is available][paid-support] from [DabApps][dabapps], and can include work on REST framework core, or support with building your REST framework API. Please [contact DabApps][contact-dabapps] if you'd like to discuss commercial support options. +For updates on REST framework development, you may also want to follow [the author][twitter] on Twitter. + + + + ## License Copyright (c) 2011-2013, Tom Christie @@ -166,7 +182,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. [urlobject]: https://github.com/zacharyvoase/urlobject [markdown]: http://pypi.python.org/pypi/Markdown/ [yaml]: http://pypi.python.org/pypi/PyYAML +[defusedxml]: https://pypi.python.org/pypi/defusedxml [django-filter]: http://pypi.python.org/pypi/django-filter +[oauth2]: https://github.com/simplegeo/python-oauth2 +[django-oauth-plus]: https://bitbucket.org/david/django-oauth-plus/wiki/Home +[django-oauth2-provider]: https://github.com/caffeinehit/django-oauth2-provider [0.4]: https://github.com/tomchristie/django-rest-framework/tree/0.4.X [image]: img/quickstart.png [sandbox]: http://restframework.herokuapp.com/ @@ -199,15 +219,23 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. [status]: api-guide/status-codes.md [settings]: api-guide/settings.md -[csrf]: topics/csrf.md +[ajax-csrf-cors]: topics/ajax-csrf-cors.md [browser-enhancements]: topics/browser-enhancements.md [browsableapi]: topics/browsable-api.md [rest-hypermedia-hateoas]: topics/rest-hypermedia-hateoas.md [contributing]: topics/contributing.md [rest-framework-2-announcement]: topics/rest-framework-2-announcement.md +[2.2-announcement]: topics/2.2-announcement.md [release-notes]: topics/release-notes.md [credits]: topics/credits.md +[tox]: http://testrun.org/tox/latest/ + [group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework -[DabApps]: http://dabapps.com -[email]: mailto:tom@tomchristie.com +[stack-overflow]: http://stackoverflow.com/ +[django-rest-framework-tag]: http://stackoverflow.com/questions/tagged/django-rest-framework +[django-tag]: http://stackoverflow.com/questions/tagged/django +[paid-support]: http://dabapps.com/services/build/api-development/ +[dabapps]: http://dabapps.com +[contact-dabapps]: http://dabapps.com/contact/ +[twitter]: https://twitter.com/_tomchristie diff --git a/docs/template.html b/docs/template.html index d789cc582..3e0f29aa0 100644 --- a/docs/template.html +++ b/docs/template.html @@ -2,11 +2,11 @@ - Django REST framework + {{ title }} - - + + @@ -89,10 +89,12 @@
  • Topics diff --git a/docs/topics/2.2-announcement.md b/docs/topics/2.2-announcement.md new file mode 100644 index 000000000..d7164ce46 --- /dev/null +++ b/docs/topics/2.2-announcement.md @@ -0,0 +1,159 @@ +# REST framework 2.2 announcement + +The 2.2 release represents an important point for REST framework, with the addition of Python 3 support, and the introduction of an official deprecation policy. + +## Python 3 support + +Thanks to some fantastic work from [Xavier Ordoquy][xordoquy], Django REST framework 2.2 now supports Python 3. You'll need to be running Django 1.5, and it's worth keeping in mind that Django's Python 3 support is currently [considered experimental][django-python-3]. + +Django 1.6's Python 3 support is expected to be officially labeled as 'production-ready'. + +If you want to start ensuring that your own projects are Python 3 ready, we can highly recommend Django's [Porting to Python 3][porting-python-3] documentation. + +Django REST framework's Python 2.6 support now requires 2.6.5 or above, in line with [Django 1.5's Python compatibility][python-compat]. + +## Deprecation policy + +We've now introduced an official deprecation policy, which is in line with [Django's deprecation policy][django-deprecation-policy]. This policy will make it easy for you to continue to track the latest, greatest version of REST framework. + +The timeline for deprecation works as follows: + +* Version 2.2 introduces some API changes as detailed in the release notes. It remains fully backwards compatible with 2.1, but will raise `PendingDeprecationWarning` warnings if you use bits of API that are due to be deprecated. These warnings are silent by default, but can be explicitly enabled when you're ready to start migrating any required changes. For example if you start running your tests using `python -Wd manage.py test`, you'll be warned of any API changes you need to make. + +* Version 2.3 will escalate these warnings to `DeprecationWarning`, which is loud by default. + +* Version 2.4 will remove the deprecated bits of API entirely. + +Note that in line with Django's policy, any parts of the framework not mentioned in the documentation should generally be considered private API, and may be subject to change. + +## Community + +As of the 2.2 merge, we've also hit an impressive milestone. The number of committers listed in [the credits][credits], is now at over **one hundred individuals**. Each name on that list represents at least one merged pull request, however large or small. + +Our [mailing list][mailing-list] and #restframework IRC channel are also very active, and we've got a really impressive rate of development both on REST framework itself, and on third party packages such as the great [django-rest-framework-docs][django-rest-framework-docs] package from [Marc Gibbons][marcgibbons]. + +--- + +## API changes + +The 2.2 release makes a few changes to the API, in order to make it more consistent, simple, and easier to use. + +### Cleaner to-many related fields + +The `ManyRelatedField()` style is being deprecated in favor of a new `RelatedField(many=True)` syntax. + +For example, if a user is associated with multiple questions, which we want to represent using a primary key relationship, we might use something like the following: + + class UserSerializer(serializers.HyperlinkedModelSerializer): + questions = serializers.PrimaryKeyRelatedField(many=True) + + class Meta: + fields = ('username', 'questions') + +The new syntax is cleaner and more obvious, and the change will also make the documentation cleaner, simplify the internal API, and make writing custom relational fields easier. + +The change also applies to serializers. If you have a nested serializer, you should start using `many=True` for to-many relationships. For example, a serializer representation of an Album that can contain many Tracks might look something like this: + + class TrackSerializer(serializer.ModelSerializer): + class Meta: + model = Track + fields = ('name', 'duration') + + class AlbumSerializer(serializer.ModelSerializer): + tracks = TrackSerializer(many=True) + + class Meta: + model = Album + fields = ('album_name', 'artist', 'tracks') + +Additionally, the change also applies when serializing or deserializing data. For example to serialize a queryset of models you should now use the `many=True` flag. + + serializer = SnippetSerializer(Snippet.objects.all(), many=True) + serializer.data + +This more explicit behavior on serializing and deserializing data [makes integration with non-ORM backends such as MongoDB easier][564], as instances to be serialized can include the `__iter__` method, without incorrectly triggering list-based serialization, or requiring workarounds. + +The implicit to-many behavior on serializers, and the `ManyRelatedField` style classes will continue to function, but will raise a `PendingDeprecationWarning`, which can be made visible using the `-Wd` flag. + +**Note**: If you need to forcibly turn off the implict "`many=True` for `__iter__` objects" behavior, you can now do so by specifying `many=False`. This will become the default (instead of the current default of `None`) once the deprecation of the implicit behavior is finalised in version 2.4. + +### Cleaner optional relationships + +Serializer relationships for nullable Foreign Keys will change from using the current `null=True` flag, to instead using `required=False`. + +For example, is a user account has an optional foreign key to a company, that you want to express using a hyperlink, you might use the following field in a `Serializer` class: + + current_company = serializers.HyperlinkedRelatedField(required=False) + +This is in line both with the rest of the serializer fields API, and with Django's `Form` and `ModelForm` API. + +Using `required` throughout the serializers API means you won't need to consider if a particular field should take `blank` or `null` arguments instead of `required`, and also means there will be more consistent behavior for how fields are treated when they are not present in the incoming data. + +The `null=True` argument will continue to function, and will imply `required=False`, but will raise a `PendingDeprecationWarning`. + +### Cleaner CharField syntax + +The `CharField` API previously took an optional `blank=True` argument, which was intended to differentiate between null CharField input, and blank CharField input. + +In keeping with Django's CharField API, REST framework's `CharField` will only ever return the empty string, for missing or `None` inputs. The `blank` flag will no longer be in use, and you should instead just use the `required=` flag. For example: + + extra_details = CharField(required=False) + +The `blank` keyword argument will continue to function, but will raise a `PendingDeprecationWarning`. + +### Simpler object-level permissions + +Custom permissions classes previously used the signatute `.has_permission(self, request, view, obj=None)`. This method would be called twice, firstly for the global permissions check, with the `obj` parameter set to `None`, and again for the object-level permissions check when appropriate, with the `obj` parameter set to the relevant model instance. + +The global permissions check and object-level permissions check are now seperated into two seperate methods, which gives a cleaner, more obvious API. + +* Global permission checks now use the `.has_permission(self, request, view)` signature. +* Object-level permission checks use a new method `.has_object_permission(self, request, view, obj)`. + +For example, the following custom permission class: + + class IsOwner(permissions.BasePermission): + """ + Custom permission to only allow owners of an object to view or edit it. + Model instances are expected to include an `owner` attribute. + """ + + def has_permission(self, request, view, obj=None): + if obj is None: + # Ignore global permissions check + return True + + return obj.owner == request.user + +Now becomes: + + class IsOwner(permissions.BasePermission): + """ + Custom permission to only allow owners of an object to view or edit it. + Model instances are expected to include an `owner` attribute. + """ + + def has_object_permission(self, request, view, obj): + return obj.owner == request.user + +If you're overriding the `BasePermission` class, the old-style signature will continue to function, and will correctly handle both global and object-level permissions checks, but it's use will raise a `PendingDeprecationWarning`. + +Note also that the usage of the internal APIs for permission checking on the `View` class has been cleaned up slightly, and is now documented and subject to the deprecation policy in all future versions. + +### More explicit hyperlink relations behavior + +When using a serializer with a `HyperlinkedRelatedField` or `HyperlinkedIdentityField`, the hyperlinks would previously use absolute URLs if the serializer context included a `'request'` key, and fallback to using relative URLs otherwise. This could lead to non-obvious behavior, as it might not be clear why some serializers generated absolute URLs, and others do not. + +From version 2.2 onwards, serializers with hyperlinked relationships *always* require a `'request'` key to be supplied in the context dictionary. The implicit behavior will continue to function, but it's use will raise a `PendingDeprecationWarning`. + +[xordoquy]: https://github.com/xordoquy +[django-python-3]: https://docs.djangoproject.com/en/dev/faq/install/#can-i-use-django-with-python-3 +[porting-python-3]: https://docs.djangoproject.com/en/dev/topics/python3/ +[python-compat]: https://docs.djangoproject.com/en/dev/releases/1.5/#python-compatibility +[django-deprecation-policy]: https://docs.djangoproject.com/en/dev/internals/release-process/#internal-release-deprecation-policy +[credits]: http://django-rest-framework.org/topics/credits.html +[mailing-list]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework +[django-rest-framework-docs]: https://github.com/marcgibbons/django-rest-framework-docs +[marcgibbons]: https://github.com/marcgibbons/ +[issues]: https://github.com/tomchristie/django-rest-framework/issues +[564]: https://github.com/tomchristie/django-rest-framework/issues/564 diff --git a/docs/topics/ajax-csrf-cors.md b/docs/topics/ajax-csrf-cors.md new file mode 100644 index 000000000..f7d12940d --- /dev/null +++ b/docs/topics/ajax-csrf-cors.md @@ -0,0 +1,41 @@ +# Working with AJAX, CSRF & CORS + +> "Take a close look at possible CSRF / XSRF vulnerabilities on your own websites. They're the worst kind of vulnerability — very easy to exploit by attackers, yet not so intuitively easy to understand for software developers, at least until you've been bitten by one." +> +> — [Jeff Atwood][cite] + +## Javascript clients + +If your building a javascript client to interface with your Web API, you'll need to consider if the client can use the same authentication policy that is used by the rest of the website, and also determine if you need to use CSRF tokens or CORS headers. + +AJAX requests that are made within the same context as the API they are interacting with will typically use `SessionAuthentication`. This ensures that once a user has logged in, any AJAX requests made can be authenticated using the same session-based authentication that is used for the rest of the website. + +AJAX requests that are made on a different site from the API they are communicating with will typically need to use a non-session-based authentication scheme, such as `TokenAuthentication`. + +## CSRF protection + +[Cross Site Request Forgery][csrf] protection is a mechanism of guarding against a particular type of attack, which can occur when a user has not logged out of a web site, and continues to have a valid session. In this circumstance a malicious site may be able to perform actions against the target site, within the context of the logged-in session. + +To guard against these type of attacks, you need to do two things: + +1. Ensure that the 'safe' HTTP operations, such as `GET`, `HEAD` and `OPTIONS` cannot be used to alter any server-side state. +2. Ensure that any 'unsafe' HTTP operations, such as `POST`, `PUT`, `PATCH` and `DELETE`, always require a valid CSRF token. + +If you're using `SessionAuthentication` you'll need to include valid CSRF tokens for any `POST`, `PUT`, `PATCH` or `DELETE` operations. + +The Django documentation describes how to [include CSRF tokens in AJAX requests][csrf-ajax]. + +## CORS + +[Cross-Origin Resource Sharing][cors] is a mechanism for allowing clients to interact with APIs that are hosted on a different domain. CORS works by requiring the server to include a specific set of headers that allow a browser to determine if and when cross-domain requests should be allowed. + +The best way to deal with CORS in REST framework is to add the required response headers in middleware. This ensures that CORS is supported transparently, without having to change any behavior in your views. + +[Otto Yiu][ottoyiu] maintains the [django-cors-headers] package, which is known to work correctly with REST framework APIs. + +[cite]: http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html +[csrf]: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) +[csrf-ajax]: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax +[cors]: http://www.w3.org/TR/cors/ +[ottoyiu]: https://github.com/ottoyiu/ +[django-cors-headers]: https://github.com/ottoyiu/django-cors-headers/ diff --git a/docs/topics/browsable-api.md b/docs/topics/browsable-api.md index 9fe82e696..5f80c4f95 100644 --- a/docs/topics/browsable-api.md +++ b/docs/topics/browsable-api.md @@ -35,23 +35,20 @@ A suitable replacement theme can be generated using Bootstrap's [Customize Tool] You can also change the navbar variant, which by default is `navbar-inverse`, using the `bootstrap_navbar_variant` block. The empty `{% block bootstrap_navbar_variant %}{% endblock %}` will use the original Bootstrap navbar style. -For more specific CSS tweaks, use the `extra_style` block instead. +For more specific CSS tweaks, use the `style` block instead. ### Blocks All of the blocks available in the browsable API base template that can be used in your `api.html`. -* `blockbots` - `` tag that blocks crawlers * `bodyclass` - (empty) class attribute for the `` * `bootstrap_theme` - CSS for the Bootstrap theme * `bootstrap_navbar_variant` - CSS class for the navbar * `branding` - section of the navbar, see [Bootstrap components][bcomponentsnav] * `breadcrumbs` - Links showing resource nesting, allowing the user to go back up the resources. It's recommended to preserve these, but they can be overridden using the breadcrumbs block. -* `extrastyle` - (empty) extra CSS for the page -* `extrahead` - (empty) extra markup for the page `` * `footer` - Any copyright notices or similar footer materials can go here (by default right-aligned) -* `global_heading` - (empty) Use to insert content below the header but before the breadcrumbs. +* `style` - CSS stylesheets for the page * `title` - title of the page * `userlinks` - This is a list of links on the right of the header, by default containing login/logout links. To add links instead of replace, use {{ block.super }} to preserve the authentication links. diff --git a/docs/topics/browser-enhancements.md b/docs/topics/browser-enhancements.md index 6a11f0fac..ce07fe95b 100644 --- a/docs/topics/browser-enhancements.md +++ b/docs/topics/browser-enhancements.md @@ -19,6 +19,21 @@ For example, given the following form: `request.method` would return `"DELETE"`. +## HTTP header based method overriding + +REST framework also supports method overriding via the semi-standard `X-HTTP-Method-Override` header. This can be useful if you are working with non-form content such as JSON and are working with an older web server and/or hosting provider that doesn't recognise particular HTTP methods such as `PATCH`. For example [Amazon Web Services ELB][aws_elb]. + +To use it, make a `POST` request, setting the `X-HTTP-Method-Override` header. + +For example, making a `PATCH` request via `POST` in jQuery: + + $.ajax({ + url: '/myresource/', + method: 'POST', + headers: {'X-HTTP-Method-Override': 'PATCH'}, + ... + }); + ## Browser based submission of non-form content Browser-based submission of content types other than form are supported by @@ -62,3 +77,4 @@ as well as how to support content types other than form-encoded data. [rails]: http://guides.rubyonrails.org/form_helpers.html#how-do-forms-with-put-or-delete-methods-work [html5]: http://www.w3.org/TR/html5-diff/#changes-2010-06-24 [put_delete]: http://amundsen.com/examples/put-delete-forms/ +[aws_elb]: https://forums.aws.amazon.com/thread.jspa?messageID=400724 diff --git a/docs/topics/credits.md b/docs/topics/credits.md index b0b00c122..b533daa99 100644 --- a/docs/topics/credits.md +++ b/docs/topics/credits.md @@ -4,7 +4,7 @@ The following people have helped make REST framework great. * Tom Christie - [tomchristie] * Marko Tibold - [markotibold] -* Paul Bagwell - [pbgwl] +* Paul Miller - [paulmillr] * Sébastien Piquemal - [sebpiq] * Carmen Wick - [cwick] * Alex Ehlke - [aehlke] @@ -19,7 +19,7 @@ The following people have helped make REST framework great. * Craig Blaszczyk - [jakul] * Garcia Solero - [garciasolero] * Tom Drummond - [devioustree] -* Danilo Bargen - [gwrtheyrn] +* Danilo Bargen - [dbrgn] * Andrew McCloud - [amccloud] * Thomas Steinacher - [thomasst] * Meurig Freeman - [meurig] @@ -91,6 +91,27 @@ The following people have helped make REST framework great. * Richard Wackerbarth - [wackerbarth] * Johannes Spielmann - [shezi] * James Cleveland - [radiosilence] +* Steve Gregory - [steve-gregory] +* Federico Capoano - [nemesisdesign] +* Bruno Renié - [brutasse] +* Kevin Stone - [kevinastone] +* Guglielmo Celata - [guglielmo] +* Mike Tums - [mktums] +* Michael Elovskikh - [wronglink] +* MichaÅ‚ Jaworski - [swistakm] +* Andrea de Marco - [z4r] +* Fernando Rocha - [fernandogrd] +* Xavier Ordoquy - [xordoquy] +* Adam Wentz - [floppya] +* Andreas Pelme - [pelme] +* Ryan Detzel - [ryanrdetzel] +* Omer Katz - [thedrow] +* Wiliam Souza - [waa] +* Jonas Braun - [iekadou] +* Ian Dash - [bitmonkey] +* Bouke Haarsma - [bouke] +* Pierre Dulac - [dulaccc] +* Dave Kuhn - [kuhnza] Many thanks to everyone who's contributed to the project. @@ -114,7 +135,6 @@ For usage questions please see the [REST framework discussion group][group]. You can also contact [@_tomchristie][twitter] directly on twitter. -[email]: mailto:tom@tomchristie.com [twitter]: http://twitter.com/_tomchristie [bootstrap]: http://twitter.github.com/bootstrap/ [markdown]: http://daringfireball.net/projects/markdown/ @@ -130,7 +150,7 @@ You can also contact [@_tomchristie][twitter] directly on twitter. [tomchristie]: https://github.com/tomchristie [markotibold]: https://github.com/markotibold -[pbgwl]: https://github.com/pbgwl +[paulmillr]: https://github.com/paulmillr [sebpiq]: https://github.com/sebpiq [cwick]: https://github.com/cwick [aehlke]: https://github.com/aehlke @@ -145,7 +165,7 @@ You can also contact [@_tomchristie][twitter] directly on twitter. [jakul]: https://github.com/jakul [garciasolero]: https://github.com/garciasolero [devioustree]: https://github.com/devioustree -[gwrtheyrn]: https://github.com/gwrtheyrn +[dbrgn]: https://github.com/dbrgn [amccloud]: https://github.com/amccloud [thomasst]: https://github.com/thomasst [meurig]: https://github.com/meurig @@ -217,3 +237,24 @@ You can also contact [@_tomchristie][twitter] directly on twitter. [wackerbarth]: https://github.com/wackerbarth [shezi]: https://github.com/shezi [radiosilence]: https://github.com/radiosilence +[steve-gregory]: https://github.com/steve-gregory +[nemesisdesign]: https://github.com/nemesisdesign +[brutasse]: https://github.com/brutasse +[kevinastone]: https://github.com/kevinastone +[guglielmo]: https://github.com/guglielmo +[mktums]: https://github.com/mktums +[wronglink]: https://github.com/wronglink +[swistakm]: https://github.com/swistakm +[z4r]: https://github.com/z4r +[fernandogrd]: https://github.com/fernandogrd +[xordoquy]: https://github.com/xordoquy +[floppya]: https://github.com/floppya +[pelme]: https://github.com/pelme +[ryanrdetzel]: https://github.com/ryanrdetzel +[thedrow]: https://github.com/thedrow +[waa]: https://github.com/wiliamsouza +[iekadou]: https://github.com/iekadou +[bitmonkey]: https://github.com/bitmonkey +[bouke]: https://github.com/bouke +[dulaccc]: https://github.com/dulaccc +[kuhnza]: https://github.com/kuhnza diff --git a/docs/topics/csrf.md b/docs/topics/csrf.md deleted file mode 100644 index 043144c1b..000000000 --- a/docs/topics/csrf.md +++ /dev/null @@ -1,12 +0,0 @@ -# Working with AJAX and CSRF - -> "Take a close look at possible CSRF / XSRF vulnerabilities on your own websites. They're the worst kind of vulnerability -- very easy to exploit by attackers, yet not so intuitively easy to understand for software developers, at least until you've been bitten by one." -> -> — [Jeff Atwood][cite] - -* Explain need to add CSRF token to AJAX requests. -* Explain deferred CSRF style used by REST framework -* Why you should use Django's standard login/logout views, and not REST framework view - - -[cite]: http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md index f43dc1d3d..c45fff880 100644 --- a/docs/topics/release-notes.md +++ b/docs/topics/release-notes.md @@ -8,29 +8,140 @@ Minor version numbers (0.0.x) are used for changes that are API compatible. You should be able to upgrade between minor point releases without any other code changes. -Medium version numbers (0.x.0) may include minor API changes. You should read the release notes carefully before upgrading between medium point releases. +Medium version numbers (0.x.0) may include API changes, in line with the [deprecation policy][deprecation-policy]. You should read the release notes carefully before upgrading between medium point releases. -Major version numbers (x.0.0) are reserved for project milestones. No major point releases are currently planned. +Major version numbers (x.0.0) are reserved for substantial project milestones. No major point releases are currently planned. + +## Deprecation policy + +REST framework releases follow a formal deprecation policy, which is in line with [Django's deprecation policy][django-deprecation-policy]. + +The timeline for deprecation of a feature present in version 1.0 would work as follows: + +* Version 1.1 would remain **fully backwards compatible** with 1.0, but would raise `PendingDeprecationWarning` warnings if you use the feature that are due to be deprecated. These warnings are **silent by default**, but can be explicitly enabled when you're ready to start migrating any required changes. For example if you start running your tests using `python -Wd manage.py test`, you'll be warned of any API changes you need to make. + +* Version 1.2 would escalate these warnings to `DeprecationWarning`, which is loud by default. + +* Version 1.3 would remove the deprecated bits of API entirely. + +Note that in line with Django's policy, any parts of the framework not mentioned in the documentation should generally be considered private API, and may be subject to change. + +## Upgrading + +To upgrade Django REST framework to the latest version, use pip: + + pip install -U djangorestframework + +You can determine your currently installed version using `pip freeze`: + + pip freeze | grep djangorestframework + +--- + +## 2.2.x series + +### Master + +* `Serializer.save()` now supports arbitrary keyword args which are passed through to the object `.save()` method. Mixins use `force_insert` and `force_update` where appropriate, resulting in one less database query. + +### 2.2.4 + +**Date**: 13th March 2013 + +* OAuth 2 support. +* OAuth 1.0a support. +* Support X-HTTP-Method-Override header. +* Filtering backends are now applied to the querysets for object lookups as well as lists. (Eg you can use a filtering backend to control which objects should 404) +* Deal with error data nicely when deserializing lists of objects. +* Extra override hook to configure `DjangoModelPermissions` for unauthenticated users. +* Bugfix: Fix regression which caused extra database query on paginated list views. +* Bugfix: Fix pk relationship bug for some types of 1-to-1 relations. +* Bugfix: Workaround for Django bug causing case where `Authtoken` could be registered for cascade delete from `User` even if not installed. + +### 2.2.3 + +**Date**: 7th March 2013 + +* Bugfix: Fix None values for for `DateField`, `DateTimeField` and `TimeField`. + +### 2.2.2 + +**Date**: 6th March 2013 + +* Support for custom input and output formats for `DateField`, `DateTimeField` and `TimeField`. +* Cleanup: Request authentication is no longer lazily evaluated, instead authentication is always run, which results in more consistent, obvious behavior. Eg. Supplying bad auth credentials will now always return an error response, even if no permissions are set on the view. +* Bugfix for serializer data being uncacheable with pickle protocol 0. +* Bugfixes for model field validation edge-cases. +* Bugfix for authtoken migration while using a custom user model and south. + +### 2.2.1 + +**Date**: 22nd Feb 2013 + +* Security fix: Use `defusedxml` package to address XML parsing vulnerabilities. +* Raw data tab added to browseable API. (Eg. Allow for JSON input.) +* Added TimeField. +* Serializer fields can be mapped to any method that takes no args, or only takes kwargs which have defaults. +* Unicode support for view names/descriptions in browseable API. +* Bugfix: request.DATA should return an empty `QueryDict` with no data, not `None`. +* Bugfix: Remove unneeded field validation, which caused extra queries. + +**Security note**: Following the [disclosure of security vulnerabilities][defusedxml-announce] in Python's XML parsing libraries, use of the `XMLParser` class now requires the `defusedxml` package to be installed. + +The security vulnerabilities only affect APIs which use the `XMLParser` class, by enabling it in any views, or by having it set in the `DEFAULT_PARSER_CLASSES` setting. Note that the `XMLParser` class is not enabled by default, so this change should affect a minority of users. + +### 2.2.0 + +**Date**: 13th Feb 2013 + +* Python 3 support. +* Added a `post_save()` hook to the generic views. +* Allow serializers to handle dicts as well as objects. +* Deprecate `ManyRelatedField()` syntax in favor of `RelatedField(many=True)` +* Deprecate `null=True` on relations in favor of `required=False`. +* Deprecate `blank=True` on CharFields, just use `required=False`. +* Deprecate optional `obj` argument in permissions checks in favor of `has_object_permission`. +* Deprecate implicit hyperlinked relations behavior. +* Bugfix: Fix broken DjangoModelPermissions. +* Bugfix: Allow serializer output to be cached. +* Bugfix: Fix styling on browsable API login. +* Bugfix: Fix issue with deserializing empty to-many relations. +* Bugfix: Ensure model field validation is still applied for ModelSerializer subclasses with an custom `.restore_object()` method. + +**Note**: See the [2.2 announcement][2.2-announcement] for full details. --- ## 2.1.x series -### Master +### 2.1.17 +**Date**: 26th Jan 2013 + +* Support proper 401 Unauthorized responses where appropriate, instead of always using 403 Forbidden. * Support json encoding of timedelta objects. +* `format_suffix_patterns()` now supports `include` style URL patterns. +* Bugfix: Fix issues with custom pagination serializers. +* Bugfix: Nested serializers now accept `source='*'` argument. +* Bugfix: Return proper validation errors when incorrect types supplied for relational fields. +* Bugfix: Support nullable FKs with `SlugRelatedField`. +* Bugfix: Don't call custom validation methods if the field has an error. + +**Note**: If the primary authentication class is `TokenAuthentication` or `BasicAuthentication`, a view will now correctly return 401 responses to unauthenticated access, with an appropriate `WWW-Authenticate` header, instead of 403 responses. ### 2.1.16 **Date**: 14th Jan 2013 -* Deprecate django.utils.simplejson in favor of Python 2.6's built-in json module. +* Deprecate `django.utils.simplejson` in favor of Python 2.6's built-in json module. * Bugfix: `auto_now`, `auto_now_add` and other `editable=False` fields now default to read-only. * Bugfix: PK fields now only default to read-only if they are an AutoField or if `editable=False`. * Bugfix: Validation errors instead of exceptions when serializers receive incorrect types. * Bugfix: Validation errors instead of exceptions when related fields receive incorrect types. * Bugfix: Handle ObjectDoesNotExist exception when serializing null reverse one-to-one +**Note**: Prior to 2.1.16, The Decimals would render in JSON using floating point if `simplejson` was installed, but otherwise render using string notation. Now that use of `simplejson` has been deprecated, Decimals will consistently render using string notation. See [#582] for more details. + ### 2.1.15 **Date**: 3rd Jan 2013 @@ -319,7 +430,12 @@ This change will not affect user code, so long as it's following the recommended * Initial release. [cite]: http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s04.html +[deprecation-policy]: #deprecation-policy +[django-deprecation-policy]: https://docs.djangoproject.com/en/dev/internals/release-process/#internal-release-deprecation-policy +[defusedxml-announce]: http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html +[2.2-announcement]: 2.2-announcement.md [staticfiles14]: https://docs.djangoproject.com/en/1.4/howto/static-files/#with-a-template-tag [staticfiles13]: https://docs.djangoproject.com/en/1.3/howto/static-files/#with-a-template-tag [2.1.0-notes]: https://groups.google.com/d/topic/django-rest-framework/Vv2M0CMY9bg/discussion [announcement]: rest-framework-2-announcement.md +[#582]: https://github.com/tomchristie/django-rest-framework/issues/582 diff --git a/docs/tutorial/1-serialization.md b/docs/tutorial/1-serialization.md index d3ada9e3a..205ee7e02 100644 --- a/docs/tutorial/1-serialization.md +++ b/docs/tutorial/1-serialization.md @@ -4,11 +4,11 @@ This tutorial will cover creating a simple pastebin code highlighting Web API. Along the way it will introduce the various components that make up REST framework, and give you a comprehensive understanding of how everything fits together. -The tutorial is fairly in-depth, so you should probably get a cookie and a cup of your favorite brew before getting started. +The tutorial is fairly in-depth, so you should probably get a cookie and a cup of your favorite brew before getting started. If you just want a quick overview, you should head over to the [quickstart] documentation instead. --- -**Note**: The code for this tutorial is available in the [tomchristie/rest-framework-tutorial][repo] repository on GitHub. As pieces of code are introduced, they are committed to this repository. The completed implementation is also online as a sandbox version for testing, [available here][sandbox]. +**Note**: The code for this tutorial is available in the [tomchristie/rest-framework-tutorial][repo] repository on GitHub. The completed implementation is also online as a sandbox version for testing, [available here][sandbox]. --- @@ -86,7 +86,7 @@ For the purposes of this tutorial we're going to start by creating a simple `Sni class Snippet(models.Model): created = models.DateTimeField(auto_now_add=True) - title = models.CharField(max_length=100, default='') + title = models.CharField(max_length=100, blank=True, default='') code = models.TextField() linenos = models.BooleanField(default=False) language = models.CharField(choices=LANGUAGE_CHOICES, @@ -109,7 +109,7 @@ The first thing we need to get started on our Web API is provide a way of serial from django.forms import widgets from rest_framework import serializers - from snippets import models + from snippets.models import Snippet, LANGUAGE_CHOICES, STYLE_CHOICES class SnippetSerializer(serializers.Serializer): @@ -119,26 +119,30 @@ The first thing we need to get started on our Web API is provide a way of serial code = serializers.CharField(widget=widgets.Textarea, max_length=100000) linenos = serializers.BooleanField(required=False) - language = serializers.ChoiceField(choices=models.LANGUAGE_CHOICES, + language = serializers.ChoiceField(choices=LANGUAGE_CHOICES, default='python') - style = serializers.ChoiceField(choices=models.STYLE_CHOICES, + style = serializers.ChoiceField(choices=STYLE_CHOICES, default='friendly') def restore_object(self, attrs, instance=None): """ - Create or update a new snippet instance. + Create or update a new snippet instance, given a dictionary + of deserialized field values. + + Note that if we don't define this method, then deserializing + data will simply return a dictionary of items. """ if instance: # Update existing instance - instance.title = attrs['title'] - instance.code = attrs['code'] - instance.linenos = attrs['linenos'] - instance.language = attrs['language'] - instance.style = attrs['style'] + instance.title = attrs.get('title', instance.title) + instance.code = attrs.get('code', instance.code) + instance.linenos = attrs.get('linenos', instance.linenos) + instance.language = attrs.get('language', instance.language) + instance.style = attrs.get('style', instance.style) return instance # Create new instance - return models.Snippet(**attrs) + return Snippet(**attrs) The first part of serializer class defines the fields that get serialized/deserialized. The `restore_object` method defines how fully fledged instances get created when deserializing data. @@ -150,13 +154,16 @@ Before we go any further we'll familiarize ourselves with using our new Serializ python manage.py shell -Okay, once we've got a few imports out of the way, let's create a code snippet to work with. +Okay, once we've got a few imports out of the way, let's create a couple of code snippets to work with. from snippets.models import Snippet from snippets.serializers import SnippetSerializer from rest_framework.renderers import JSONRenderer from rest_framework.parsers import JSONParser + snippet = Snippet(code='foo = "bar"\n') + snippet.save() + snippet = Snippet(code='print "hello, world"\n') snippet.save() @@ -164,13 +171,13 @@ We've now got a few snippet instances to play with. Let's take a look at serial serializer = SnippetSerializer(snippet) serializer.data - # {'pk': 1, 'title': u'', 'code': u'print "hello, world"\n', 'linenos': False, 'language': u'python', 'style': u'friendly'} + # {'pk': 2, 'title': u'', 'code': u'print "hello, world"\n', 'linenos': False, 'language': u'python', 'style': u'friendly'} At this point we've translated the model instance into python native datatypes. To finalize the serialization process we render the data into `json`. content = JSONRenderer().render(serializer.data) content - # '{"pk": 1, "title": "", "code": "print \\"hello, world\\"\\n", "linenos": false, "language": "python", "style": "friendly"}' + # '{"pk": 2, "title": "", "code": "print \\"hello, world\\"\\n", "linenos": false, "language": "python", "style": "friendly"}' Deserialization is similar. First we parse a stream into python native datatypes... @@ -189,6 +196,12 @@ Deserialization is similar. First we parse a stream into python native datatype Notice how similar the API is to working with forms. The similarity should become even more apparent when we start writing views that use our serializer. +We can also serialize querysets instead of model instances. To do so we simply add a `many=True` flag to the serializer arguments. + + serializer = SnippetSerializer(Snippet.objects.all(), many=True) + serializer.data + # [{'pk': 1, 'title': u'', 'code': u'foo = "bar"\n', 'linenos': False, 'language': u'python', 'style': u'friendly'}, {'pk': 2, 'title': u'', 'code': u'print "hello, world"\n', 'linenos': False, 'language': u'python', 'style': u'friendly'}] + ## Using ModelSerializers Our `SnippetSerializer` class is replicating a lot of information that's also contained in the `Snippet` model. It would be nice if we could keep out code a bit more concise. @@ -237,7 +250,7 @@ The root of our API is going to be a view that supports listing all the existing """ if request.method == 'GET': snippets = Snippet.objects.all() - serializer = SnippetSerializer(snippets) + serializer = SnippetSerializer(snippets, many=True) return JSONResponse(serializer.data) elif request.method == 'POST': @@ -295,11 +308,11 @@ It's worth noting that there are a couple of edge cases we're not dealing with p Now we can start up a sample server that serves our snippets. -Quit out of the shell +Quit out of the shell... quit() -and start up Django's development server +...and start up Django's development server. python manage.py runserver @@ -312,19 +325,19 @@ and start up Django's development server In another terminal window, we can test the server. -We can get a list of all of the snippets (we only have one at the moment) +We can get a list of all of the snippets. curl http://127.0.0.1:8000/snippets/ - [{"id": 1, "title": "", "code": "print \"hello, world\"\n", "linenos": false, "language": "python", "style": "friendly"}] + [{"id": 1, "title": "", "code": "foo = \"bar\"\n", "linenos": false, "language": "python", "style": "friendly"}, {"id": 2, "title": "", "code": "print \"hello, world\"\n", "linenos": false, "language": "python", "style": "friendly"}] -or we can get a particular snippet by referencing its id +Or we can get a particular snippet by referencing its id. - curl http://127.0.0.1:8000/snippets/1/ + curl http://127.0.0.1:8000/snippets/2/ - {"id": 1, "title": "", "code": "print \"hello, world\"\n", "linenos": false, "language": "python", "style": "friendly"} + {"id": 2, "title": "", "code": "print \"hello, world\"\n", "linenos": false, "language": "python", "style": "friendly"} -Similarly, you can have the same json displayed by referencing these URLs from your favorite web browser. +Similarly, you can have the same json displayed by visiting these URLs in a web browser. ## Where are we now diff --git a/docs/tutorial/2-requests-and-responses.md b/docs/tutorial/2-requests-and-responses.md index 340ea28ee..63cee3a67 100644 --- a/docs/tutorial/2-requests-and-responses.md +++ b/docs/tutorial/2-requests-and-responses.md @@ -51,7 +51,7 @@ We don't need our `JSONResponse` class anymore, so go ahead and delete that. On """ if request.method == 'GET': snippets = Snippet.objects.all() - serializer = SnippetSerializer(snippets) + serializer = SnippetSerializer(snippets, many=True) return Response(serializer.data) elif request.method == 'POST': @@ -75,11 +75,11 @@ Here is the view for an individual snippet. snippet = Snippet.objects.get(pk=pk) except Snippet.DoesNotExist: return Response(status=status.HTTP_404_NOT_FOUND) - + if request.method == 'GET': serializer = SnippetSerializer(snippet) return Response(serializer.data) - + elif request.method == 'PUT': serializer = SnippetSerializer(snippet, data=request.DATA) if serializer.is_valid(): @@ -126,13 +126,41 @@ We don't necessarily need to add these extra url patterns in, but it gives us a Go ahead and test the API from the command line, as we did in [tutorial part 1][tut-1]. Everything is working pretty similarly, although we've got some nicer error handling if we send invalid requests. -**TODO: Describe using accept headers, content-type headers, and format suffixed URLs** +We can get a list of all of the snippets, as before. + + curl http://127.0.0.1:8000/snippets/ + + [{"id": 1, "title": "", "code": "foo = \"bar\"\n", "linenos": false, "language": "python", "style": "friendly"}, {"id": 2, "title": "", "code": "print \"hello, world\"\n", "linenos": false, "language": "python", "style": "friendly"}] + +We can control the format of the response that we get back, either by using the `Accept` header: + + curl http://127.0.0.1:8000/snippets/ -H 'Accept: application/json' # Request JSON + curl http://127.0.0.1:8000/snippets/ -H 'Accept: text/html' # Request HTML + +Or by appending a format suffix: + + curl http://127.0.0.1:8000/snippets/.json # JSON suffix + curl http://127.0.0.1:8000/snippets/.api # Browseable API suffix + +Similarly, we can control the format of the request that we send, using the `Content-Type` header. + + # POST using form data + curl -X POST http://127.0.0.1:8000/snippets/ -d "code=print 123" + + {"id": 3, "title": "", "code": "123", "linenos": false, "language": "python", "style": "friendly"} + + # POST using JSON + curl -X POST http://127.0.0.1:8000/snippets/ -d '{"code": "print 456"}' -H "Content-Type: application/json" + + {"id": 4, "title": "", "code": "print 456", "linenos": true, "language": "python", "style": "friendly"} Now go and open the API in a web browser, by visiting [http://127.0.0.1:8000/snippets/][devserver]. ### Browsability -Because the API chooses a return format based on what the client asks for, it will, by default, return an HTML-formatted representation of the resource when that resource is requested by a browser. This allows for the API to be easily browsable and usable by humans. +Because the API chooses the content type of the response based on the client request, it will, by default, return an HTML-formatted representation of the resource when that resource is requested by a web browser. This allows for the API to return a fully web-browsable HTML representation. + +Having a web-browseable API is a huge usability win, and makes developing and using your API much easier. It also dramatically lowers the barrier-to-entry for other developers wanting to inspect and work with your API. See the [browsable api][browseable-api] topic for more information about the browsable API feature and how to customize it. diff --git a/docs/tutorial/3-class-based-views.md b/docs/tutorial/3-class-based-views.md index 290ea5e9d..e05017c50 100644 --- a/docs/tutorial/3-class-based-views.md +++ b/docs/tutorial/3-class-based-views.md @@ -20,7 +20,7 @@ We'll start by rewriting the root view as a class based view. All this involves """ def get(self, request, format=None): snippets = Snippet.objects.all() - serializer = SnippetSerializer(snippets) + serializer = SnippetSerializer(snippets, many=True) return Response(serializer.data) def post(self, request, format=None): diff --git a/docs/tutorial/4-authentication-and-permissions.md b/docs/tutorial/4-authentication-and-permissions.md index f6daebb7a..3ee755a2f 100644 --- a/docs/tutorial/4-authentication-and-permissions.md +++ b/docs/tutorial/4-authentication-and-permissions.md @@ -22,7 +22,7 @@ We'd also need to make sure that when the model is saved, that we populate the h We'll need some extra imports: from pygments.lexers import get_lexer_by_name - from pygments.formatters import HtmlFormatter + from pygments.formatters.html import HtmlFormatter from pygments import highlight And now we can add a `.save()` method to our model class: @@ -54,8 +54,10 @@ You might also want to create a few different users, to use for testing the API. Now that we've got some users to work with, we'd better add representations of those users to our API. Creating a new serializer is easy: + from django.contrib.auth.models import User + class UserSerializer(serializers.ModelSerializer): - snippets = serializers.ManyPrimaryKeyRelatedField() + snippets = serializers.PrimaryKeyRelatedField(many=True) class Meta: model = User @@ -70,14 +72,14 @@ We'll also add a couple of views. We'd like to just use read-only views for the serializer_class = UserSerializer - class UserInstance(generics.RetrieveAPIView): + class UserDetail(generics.RetrieveAPIView): model = User serializer_class = UserSerializer Finally we need to add those views into the API, by referencing them from the URL conf. url(r'^users/$', views.UserList.as_view()), - url(r'^users/(?P[0-9]+)/$', views.UserInstance.as_view()), + url(r'^users/(?P[0-9]+)/$', views.UserDetail.as_view()), ## Associating Snippets with Users @@ -102,8 +104,6 @@ This field is doing something quite interesting. The `source` argument controls The field we've added is the untyped `Field` class, in contrast to the other typed fields, such as `CharField`, `BooleanField` etc... The untyped `Field` is always read-only, and will be used for serialized representations, but will not be used for updating model instances when they are deserialized. -**TODO: Explain the SessionAuthentication and BasicAuthentication classes, and demonstrate using HTTP basic authentication with curl requests** - ## Adding required permissions to views Now that code snippets are associated with users, we want to make sure that only authenticated users are able to create, update and delete code snippets. @@ -118,8 +118,6 @@ Then, add the following property to **both** the `SnippetList` and `SnippetDetai permission_classes = (permissions.IsAuthenticatedOrReadOnly,) -**TODO: Now that the permissions are restricted, demonstrate using HTTP basic authentication with curl requests** - ## Adding login to the Browseable API If you open a browser and navigate to the browseable API at the moment, you'll find that you're no longer able to create new code snippets. In order to do so we'd need to be able to login as a user. @@ -159,12 +157,9 @@ In the snippets app, create a new file, `permissions.py` Custom permission to only allow owners of an object to edit it. """ - def has_permission(self, request, view, obj=None): - # Skip the check unless this is an object-level test - if obj is None: - return True - - # Read permissions are allowed to any request + def has_object_permission(self, request, view, obj): + # Read permissions are allowed to any request, + # so we'll always allow GET, HEAD or OPTIONS requests. if request.method in permissions.SAFE_METHODS: return True @@ -182,10 +177,31 @@ Make sure to also import the `IsOwnerOrReadOnly` class. Now, if you open a browser again, you find that the 'DELETE' and 'PUT' actions only appear on a snippet instance endpoint if you're logged in as the same user that created the code snippet. +## Authenticating with the API + +Because we now have a set of permissions on the API, we need to authenticate our requests to it if we want to edit any snippets. We havn't set up any [authentication classes][authentication], so the defaults are currently applied, which are `SessionAuthentication` and `BasicAuthentication`. + +When we interact with the API through the web browser, we can login, and the browser session will then provide the required authentication for the requests. + +If we're interacting with the API programmatically we need to explicitly provide the authentication credentials on each request. + +If we try to create a snippet without authenticating, we'll get an error: + + curl -i -X POST http://127.0.0.1:8000/snippets/ -d "code=print 123" + + {"detail": "Authentication credentials were not provided."} + +We can make a successful request by including the username and password of one of the users we created earlier. + + curl -X POST http://127.0.0.1:8000/snippets/ -d "code=print 789" -u tom:password + + {"id": 5, "owner": "tom", "title": "foo", "code": "print 789", "linenos": false, "language": "python", "style": "friendly"} + ## Summary We've now got a fairly fine-grained set of permissions on our Web API, and end points for users of the system and for the code snippets that they have created. -In [part 5][tut-5] of the tutorial we'll look at how we can tie everything together by creating an HTML endpoint for our hightlighted snippets, and improve the cohesion of our API by using hyperlinking for the relationships within the system. +In [part 5][tut-5] of the tutorial we'll look at how we can tie everything together by creating an HTML endpoint for our highlighted snippets, and improve the cohesion of our API by using hyperlinking for the relationships within the system. -[tut-5]: 5-relationships-and-hyperlinked-apis.md \ No newline at end of file +[authentication]: ../api-guide/authentication.md +[tut-5]: 5-relationships-and-hyperlinked-apis.md diff --git a/docs/tutorial/5-relationships-and-hyperlinked-apis.md b/docs/tutorial/5-relationships-and-hyperlinked-apis.md index 27898f7b9..a702a09df 100644 --- a/docs/tutorial/5-relationships-and-hyperlinked-apis.md +++ b/docs/tutorial/5-relationships-and-hyperlinked-apis.md @@ -70,8 +70,8 @@ The `HyperlinkedModelSerializer` has the following differences from `ModelSerial * It does not include the `pk` field by default. * It includes a `url` field, using `HyperlinkedIdentityField`. -* Relationships use `HyperlinkedRelatedField` and `ManyHyperlinkedRelatedField`, - instead of `PrimaryKeyRelatedField` and `ManyPrimaryKeyRelatedField`. +* Relationships use `HyperlinkedRelatedField`, + instead of `PrimaryKeyRelatedField`. We can easily re-write our existing serializers to use hyperlinking. @@ -86,7 +86,7 @@ We can easily re-write our existing serializers to use hyperlinking. class UserSerializer(serializers.HyperlinkedModelSerializer): - snippets = serializers.ManyHyperlinkedRelatedField(view_name='snippet-detail') + snippets = serializers.HyperlinkedRelatedField(many=True, view_name='snippet-detail') class Meta: model = User @@ -123,7 +123,7 @@ After adding all those names into our URLconf, our final `'urls.py'` file should views.UserList.as_view(), name='user-list'), url(r'^users/(?P[0-9]+)/$', - views.UserInstance.as_view(), + views.UserDetail.as_view(), name='user-detail') )) @@ -165,7 +165,7 @@ We've reached the end of our tutorial. If you want to get more involved in the * Contribute on [GitHub][github] by reviewing and submitting issues, and making pull requests. * Join the [REST framework discussion group][group], and help build the community. -* [Follow the author on Twitter][twitter] and say hi. +* Follow [the author][twitter] on Twitter and say hi. **Now go build awesome things.** @@ -173,4 +173,4 @@ We've reached the end of our tutorial. If you want to get more involved in the [sandbox]: http://restframework.herokuapp.com/ [github]: https://github.com/tomchristie/django-rest-framework [group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework -[twitter]: https://twitter.com/_tomchristie \ No newline at end of file +[twitter]: https://twitter.com/_tomchristie diff --git a/mkdocs.py b/mkdocs.py index 2918f7d3b..f6c89e04b 100755 --- a/mkdocs.py +++ b/mkdocs.py @@ -57,24 +57,36 @@ for (dirpath, dirnames, filenames) in os.walk(docs_dir): toc = '' text = open(path, 'r').read().decode('utf-8') + main_title = None + description = 'Django, API, REST' for line in text.splitlines(): if line.startswith('# '): title = line[2:].strip() template = main_header + description = description + ', ' + title elif line.startswith('## '): title = line[3:].strip() template = sub_header else: continue + if not main_title: + main_title = title anchor = title.lower().replace(' ', '-').replace(':-', '-').replace("'", '').replace('?', '').replace('.', '') template = template.replace('{{ title }}', title) template = template.replace('{{ anchor }}', anchor) toc += template + '\n' + if filename == 'index.md': + main_title = 'Django REST framework - APIs made easy' + else: + main_title = 'Django REST framework - ' + main_title + content = markdown.markdown(text, ['headerid']) output = page.replace('{{ content }}', content).replace('{{ toc }}', toc).replace('{{ base_url }}', base_url).replace('{{ suffix }}', suffix).replace('{{ index }}', index) + output = output.replace('{{ title }}', main_title) + output = output.replace('{{ description }}', description) output = output.replace('{{ page_id }}', filename[:-3]) output = re.sub(r'a href="([^"]*)\.md"', r'a href="\1%s"' % suffix, output) output = re.sub(r'
    :::bash', r'
    ', output)
diff --git a/optionals.txt b/optionals.txt
index 1d2358c6e..1853f74b2 100644
--- a/optionals.txt
+++ b/optionals.txt
@@ -1,3 +1,7 @@
 markdown>=2.1.0
 PyYAML>=3.10
+defusedxml>=0.3
 django-filter>=0.5.4
+django-oauth-plus>=2.0
+oauth2>=1.5.211
+django-oauth2-provider>=0.2.3
diff --git a/rest_framework/__init__.py b/rest_framework/__init__.py
index bc267fad7..cf0056360 100644
--- a/rest_framework/__init__.py
+++ b/rest_framework/__init__.py
@@ -1,3 +1,9 @@
-__version__ = '2.1.16'
+__version__ = '2.2.4'
 
 VERSION = __version__  # synonym
+
+# Header encoding (see RFC5987)
+HTTP_HEADER_ENCODING = 'iso-8859-1'
+
+# Default datetime input and output formats
+ISO_8601 = 'iso-8601'
diff --git a/rest_framework/authentication.py b/rest_framework/authentication.py
index 30c78ebc8..b4b73699e 100644
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@@ -1,15 +1,30 @@
 """
 Provides a set of pluggable authentication policies.
 """
-
+from __future__ import unicode_literals
 from django.contrib.auth import authenticate
-from django.utils.encoding import smart_unicode, DjangoUnicodeDecodeError
-from rest_framework import exceptions
+from django.core.exceptions import ImproperlyConfigured
+from rest_framework import exceptions, HTTP_HEADER_ENCODING
 from rest_framework.compat import CsrfViewMiddleware
+from rest_framework.compat import oauth, oauth_provider, oauth_provider_store
+from rest_framework.compat import oauth2_provider, oauth2_provider_forms, oauth2_provider_backends
 from rest_framework.authtoken.models import Token
 import base64
 
 
+def get_authorization_header(request):
+    """
+    Return request's 'Authorization:' header, as a bytestring.
+
+    Hide some test client ickyness where the header can be unicode.
+    """
+    auth = request.META.get('HTTP_AUTHORIZATION', b'')
+    if type(auth) == type(''):
+        # Work around django test client oddness
+        auth = auth.encode(HTTP_HEADER_ENCODING)
+    return auth
+
+
 class BaseAuthentication(object):
     """
     All authentication classes should extend BaseAuthentication.
@@ -21,40 +36,58 @@ class BaseAuthentication(object):
         """
         raise NotImplementedError(".authenticate() must be overridden.")
 
+    def authenticate_header(self, request):
+        """
+        Return a string to be used as the value of the `WWW-Authenticate`
+        header in a `401 Unauthenticated` response, or `None` if the
+        authentication scheme should return `403 Permission Denied` responses.
+        """
+        pass
+
 
 class BasicAuthentication(BaseAuthentication):
     """
     HTTP Basic authentication against username/password.
     """
+    www_authenticate_realm = 'api'
 
     def authenticate(self, request):
         """
         Returns a `User` if a correct username and password have been supplied
         using HTTP Basic authentication.  Otherwise returns `None`.
         """
-        if 'HTTP_AUTHORIZATION' in request.META:
-            auth = request.META['HTTP_AUTHORIZATION'].split()
-            if len(auth) == 2 and auth[0].lower() == "basic":
-                try:
-                    auth_parts = base64.b64decode(auth[1]).partition(':')
-                except TypeError:
-                    return None
+        auth = get_authorization_header(request).split()
 
-                try:
-                    userid = smart_unicode(auth_parts[0])
-                    password = smart_unicode(auth_parts[2])
-                except DjangoUnicodeDecodeError:
-                    return None
+        if not auth or auth[0].lower() != b'basic':
+            return None
 
-                return self.authenticate_credentials(userid, password)
+        if len(auth) == 1:
+            msg = 'Invalid basic header. No credentials provided.'
+            raise exceptions.AuthenticationFailed(msg)
+        elif len(auth) > 2:
+            msg = 'Invalid basic header. Credentials string should not contain spaces.'
+            raise exceptions.AuthenticationFailed(msg)
+
+        try:
+            auth_parts = base64.b64decode(auth[1]).decode(HTTP_HEADER_ENCODING).partition(':')
+        except (TypeError, UnicodeDecodeError):
+            msg = 'Invalid basic header. Credentials not correctly base64 encoded'
+            raise exceptions.AuthenticationFailed(msg)
+
+        userid, password = auth_parts[0], auth_parts[2]
+        return self.authenticate_credentials(userid, password)
 
     def authenticate_credentials(self, userid, password):
         """
         Authenticate the userid and password against username and password.
         """
         user = authenticate(username=userid, password=password)
-        if user is not None and user.is_active:
-            return (user, None)
+        if user is None or not user.is_active:
+            raise exceptions.AuthenticationFailed('Invalid username/password')
+        return (user, None)
+
+    def authenticate_header(self, request):
+        return 'Basic realm="%s"' % self.www_authenticate_realm
 
 
 class SessionAuthentication(BaseAuthentication):
@@ -74,7 +107,7 @@ class SessionAuthentication(BaseAuthentication):
 
         # Unauthenticated, CSRF validation not required
         if not user or not user.is_active:
-            return
+            return None
 
         # Enforce CSRF validation for session based authentication.
         class CSRFCheck(CsrfViewMiddleware):
@@ -85,7 +118,7 @@ class SessionAuthentication(BaseAuthentication):
         reason = CSRFCheck().process_view(http_request, None, (), {})
         if reason:
             # CSRF failed, bail with explicit error message
-            raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
+            raise exceptions.AuthenticationFailed('CSRF Failed: %s' % reason)
 
         # CSRF passed with authenticated user
         return (user, None)
@@ -110,16 +143,199 @@ class TokenAuthentication(BaseAuthentication):
     """
 
     def authenticate(self, request):
-        auth = request.META.get('HTTP_AUTHORIZATION', '').split()
+        auth = get_authorization_header(request).split()
 
-        if len(auth) == 2 and auth[0].lower() == "token":
-            key = auth[1]
-            try:
-                token = self.model.objects.get(key=key)
-            except self.model.DoesNotExist:
-                return None
+        if not auth or auth[0].lower() != b'token':
+            return None
 
-            if token.user.is_active:
-                return (token.user, token)
+        if len(auth) == 1:
+            msg = 'Invalid token header. No credentials provided.'
+            raise exceptions.AuthenticationFailed(msg)
+        elif len(auth) > 2:
+            msg = 'Invalid token header. Token string should not contain spaces.'
+            raise exceptions.AuthenticationFailed(msg)
 
-# TODO: OAuthAuthentication
+        return self.authenticate_credentials(auth[1])
+
+    def authenticate_credentials(self, key):
+        try:
+            token = self.model.objects.get(key=key)
+        except self.model.DoesNotExist:
+            raise exceptions.AuthenticationFailed('Invalid token')
+
+        if not token.user.is_active:
+            raise exceptions.AuthenticationFailed('User inactive or deleted')
+
+        return (token.user, token)
+
+    def authenticate_header(self, request):
+        return 'Token'
+
+
+class OAuthAuthentication(BaseAuthentication):
+    """
+    OAuth 1.0a authentication backend using `django-oauth-plus` and `oauth2`.
+
+    Note: The `oauth2` package actually provides oauth1.0a support.  Urg.
+          We import it from the `compat` module as `oauth`.
+    """
+    www_authenticate_realm = 'api'
+
+    def __init__(self, *args, **kwargs):
+        super(OAuthAuthentication, self).__init__(*args, **kwargs)
+
+        if oauth is None:
+            raise ImproperlyConfigured(
+                "The 'oauth2' package could not be imported."
+                "It is required for use with the 'OAuthAuthentication' class.")
+
+        if oauth_provider is None:
+            raise ImproperlyConfigured(
+                "The 'django-oauth-plus' package could not be imported."
+                "It is required for use with the 'OAuthAuthentication' class.")
+
+    def authenticate(self, request):
+        """
+        Returns two-tuple of (user, token) if authentication succeeds,
+        or None otherwise.
+        """
+        try:
+            oauth_request = oauth_provider.utils.get_oauth_request(request)
+        except oauth.Error as err:
+            raise exceptions.AuthenticationFailed(err.message)
+
+        oauth_params = oauth_provider.consts.OAUTH_PARAMETERS_NAMES
+
+        found = any(param for param in oauth_params if param in oauth_request)
+        missing = list(param for param in oauth_params if param not in oauth_request)
+
+        if not found:
+            # OAuth authentication was not attempted.
+            return None
+
+        if missing:
+            # OAuth was attempted but missing parameters.
+            msg = 'Missing parameters: %s' % (', '.join(missing))
+            raise exceptions.AuthenticationFailed(msg)
+
+        if not self.check_nonce(request, oauth_request):
+            msg = 'Nonce check failed'
+            raise exceptions.AuthenticationFailed(msg)
+
+        try:
+            consumer_key = oauth_request.get_parameter('oauth_consumer_key')
+            consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
+        except oauth_provider_store.InvalidConsumerError as err:
+            raise exceptions.AuthenticationFailed(err)
+
+        if consumer.status != oauth_provider.consts.ACCEPTED:
+            msg = 'Invalid consumer key status: %s' % consumer.get_status_display()
+            raise exceptions.AuthenticationFailed(msg)
+
+        try:
+            token_param = oauth_request.get_parameter('oauth_token')
+            token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
+        except oauth_provider_store.InvalidTokenError:
+            msg = 'Invalid access token: %s' % oauth_request.get_parameter('oauth_token')
+            raise exceptions.AuthenticationFailed(msg)
+
+        try:
+            self.validate_token(request, consumer, token)
+        except oauth.Error as err:
+            raise exceptions.AuthenticationFailed(err.message)
+
+        user = token.user
+
+        if not user.is_active:
+            msg = 'User inactive or deleted: %s' % user.username
+            raise exceptions.AuthenticationFailed(msg)
+
+        return (token.user, token)
+
+    def authenticate_header(self, request):
+        """
+        If permission is denied, return a '401 Unauthorized' response,
+        with an appropraite 'WWW-Authenticate' header.
+        """
+        return 'OAuth realm="%s"' % self.www_authenticate_realm
+
+    def validate_token(self, request, consumer, token):
+        """
+        Check the token and raise an `oauth.Error` exception if invalid.
+        """
+        oauth_server, oauth_request = oauth_provider.utils.initialize_server_request(request)
+        oauth_server.verify_request(oauth_request, consumer, token)
+
+    def check_nonce(self, request, oauth_request):
+        """
+        Checks nonce of request, and return True if valid.
+        """
+        return oauth_provider_store.check_nonce(request, oauth_request, oauth_request['oauth_nonce'])
+
+
+class OAuth2Authentication(BaseAuthentication):
+    """
+    OAuth 2 authentication backend using `django-oauth2-provider`
+    """
+    www_authenticate_realm = 'api'
+
+    def __init__(self, *args, **kwargs):
+        super(OAuth2Authentication, self).__init__(*args, **kwargs)
+
+        if oauth2_provider is None:
+            raise ImproperlyConfigured(
+                "The 'django-oauth2-provider' package could not be imported. "
+                "It is required for use with the 'OAuth2Authentication' class.")
+
+    def authenticate(self, request):
+        """
+        Returns two-tuple of (user, token) if authentication succeeds,
+        or None otherwise.
+        """
+
+        auth = get_authorization_header(request).split()
+
+        if not auth or auth[0].lower() != b'bearer':
+            return None
+
+        if len(auth) == 1:
+            msg = 'Invalid bearer header. No credentials provided.'
+            raise exceptions.AuthenticationFailed(msg)
+        elif len(auth) > 2:
+            msg = 'Invalid bearer header. Token string should not contain spaces.'
+            raise exceptions.AuthenticationFailed(msg)
+
+        return self.authenticate_credentials(request, auth[1])
+
+    def authenticate_credentials(self, request, access_token):
+        """
+        Authenticate the request, given the access token.
+        """
+
+        # Authenticate the client
+        oauth2_client_form = oauth2_provider_forms.ClientAuthForm(request.REQUEST)
+        if not oauth2_client_form.is_valid():
+            raise exceptions.AuthenticationFailed('Client could not be validated')
+        client = oauth2_client_form.cleaned_data.get('client')
+
+        # Retrieve the `OAuth2AccessToken` instance from the access_token
+        auth_backend = oauth2_provider_backends.AccessTokenBackend()
+        token = auth_backend.authenticate(access_token, client)
+        if token is None:
+            raise exceptions.AuthenticationFailed('Invalid token')
+
+        user = token.user
+
+        if not user.is_active:
+            msg = 'User inactive or deleted: %s' % user.username
+            raise exceptions.AuthenticationFailed(msg)
+
+        return (token.user, token)
+
+    def authenticate_header(self, request):
+        """
+        Bearer is the only finalized type currently
+
+        Check details on the `OAuth2Authentication.authenticate` method
+        """
+        return 'Bearer realm="%s"' % self.www_authenticate_realm
diff --git a/rest_framework/authtoken/migrations/0001_initial.py b/rest_framework/authtoken/migrations/0001_initial.py
index f4e052e48..d5965e404 100644
--- a/rest_framework/authtoken/migrations/0001_initial.py
+++ b/rest_framework/authtoken/migrations/0001_initial.py
@@ -4,6 +4,8 @@ from south.db import db
 from south.v2 import SchemaMigration
 from django.db import models
 
+from rest_framework.settings import api_settings
+
 
 try:
     from django.contrib.auth import get_user_model
@@ -45,20 +47,7 @@ class Migration(SchemaMigration):
             'name': ('django.db.models.fields.CharField', [], {'max_length': '50'})
         },
         "%s.%s" % (User._meta.app_label, User._meta.module_name): {
-            'Meta': {'object_name': 'User'},
-            'date_joined': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}),
-            'email': ('django.db.models.fields.EmailField', [], {'max_length': '75', 'blank': 'True'}),
-            'first_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}),
-            'groups': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Group']", 'symmetrical': 'False', 'blank': 'True'}),
-            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
-            'is_active': ('django.db.models.fields.BooleanField', [], {'default': 'True'}),
-            'is_staff': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
-            'is_superuser': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
-            'last_login': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}),
-            'last_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}),
-            'password': ('django.db.models.fields.CharField', [], {'max_length': '128'}),
-            'user_permissions': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Permission']", 'symmetrical': 'False', 'blank': 'True'}),
-            'username': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '30'})
+            'Meta': {'object_name': User._meta.module_name},
         },
         'authtoken.token': {
             'Meta': {'object_name': 'Token'},
diff --git a/rest_framework/authtoken/models.py b/rest_framework/authtoken/models.py
index 4da2aa625..52c45ad11 100644
--- a/rest_framework/authtoken/models.py
+++ b/rest_framework/authtoken/models.py
@@ -2,6 +2,7 @@ import uuid
 import hmac
 from hashlib import sha1
 from rest_framework.compat import User
+from django.conf import settings
 from django.db import models
 
 
@@ -13,14 +14,22 @@ class Token(models.Model):
     user = models.OneToOneField(User, related_name='auth_token')
     created = models.DateTimeField(auto_now_add=True)
 
+    class Meta:
+        # Work around for a bug in Django:
+        # https://code.djangoproject.com/ticket/19422
+        #
+        # Also see corresponding ticket:
+        # https://github.com/tomchristie/django-rest-framework/issues/705
+        abstract = 'rest_framework.authtoken' not in settings.INSTALLED_APPS
+
     def save(self, *args, **kwargs):
         if not self.key:
             self.key = self.generate_key()
         return super(Token, self).save(*args, **kwargs)
 
     def generate_key(self):
-        unique = str(uuid.uuid4())
-        return hmac.new(unique, digestmod=sha1).hexdigest()
+        unique = uuid.uuid4()
+        return hmac.new(unique.bytes, digestmod=sha1).hexdigest()
 
     def __unicode__(self):
         return self.key
diff --git a/rest_framework/compat.py b/rest_framework/compat.py
index 5508f6c05..7b2ef7384 100644
--- a/rest_framework/compat.py
+++ b/rest_framework/compat.py
@@ -3,26 +3,56 @@ The `compat` module provides support for backwards compatibility with older
 versions of django/python, and compatibility wrappers around optional packages.
 """
 # flake8: noqa
+from __future__ import unicode_literals
+
 import django
 
+# Try to import six from Django, fallback to included `six`.
+try:
+    from django.utils import six
+except ImportError:
+    from rest_framework import six
+
 # location of patterns, url, include changes in 1.4 onwards
 try:
     from django.conf.urls import patterns, url, include
-except:
+except ImportError:
     from django.conf.urls.defaults import patterns, url, include
 
+# Handle django.utils.encoding rename:
+# smart_unicode -> smart_text
+# force_unicode -> force_text
+try:
+    from django.utils.encoding import smart_text
+except ImportError:
+    from django.utils.encoding import smart_unicode as smart_text
+try:
+    from django.utils.encoding import force_text
+except ImportError:
+    from django.utils.encoding import force_unicode as force_text
+
+
 # django-filter is optional
 try:
     import django_filters
-except:
+except ImportError:
     django_filters = None
 
 
 # cStringIO only if it's available, otherwise StringIO
 try:
-    import cStringIO as StringIO
+    import cStringIO.StringIO as StringIO
 except ImportError:
-    import StringIO
+    StringIO = six.StringIO
+
+BytesIO = six.BytesIO
+
+
+# urlparse compat import (Required because it changed in python 3.x)
+try:
+    from urllib import parse as urlparse
+except ImportError:
+    import urlparse
 
 
 # Try to import PIL in either of the two ways it can end up installed.
@@ -54,7 +84,7 @@ else:
     try:
         from django.contrib.auth.models import User
     except ImportError:
-        raise ImportError(u"User model is not to be found.")
+        raise ImportError("User model is not to be found.")
 
 
 # First implementation of Django class-based views did not include head method
@@ -75,11 +105,11 @@ else:
             # sanitize keyword arguments
             for key in initkwargs:
                 if key in cls.http_method_names:
-                    raise TypeError(u"You tried to pass in the %s method name as a "
-                                    u"keyword argument to %s(). Don't do that."
+                    raise TypeError("You tried to pass in the %s method name as a "
+                                    "keyword argument to %s(). Don't do that."
                                     % (key, cls.__name__))
                 if not hasattr(cls, key):
-                    raise TypeError(u"%s() received an invalid keyword %r" % (
+                    raise TypeError("%s() received an invalid keyword %r" % (
                         cls.__name__, key))
 
             def view(request, *args, **kwargs):
@@ -110,7 +140,6 @@ else:
     import re
     import random
     import logging
-    import urlparse
 
     from django.conf import settings
     from django.core.urlresolvers import get_callable
@@ -152,7 +181,8 @@ else:
         randrange = random.SystemRandom().randrange
     else:
         randrange = random.randrange
-    _MAX_CSRF_KEY = 18446744073709551616L     # 2 << 63
+
+    _MAX_CSRF_KEY = 18446744073709551616      # 2 << 63
 
     REASON_NO_REFERER = "Referer checking failed - no Referer."
     REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."
@@ -319,7 +349,7 @@ except ImportError:
 
 # dateparse is ALSO new in Django 1.4
 try:
-    from django.utils.dateparse import parse_date, parse_datetime
+    from django.utils.dateparse import parse_date, parse_datetime, parse_time
 except ImportError:
     import datetime
     import re
@@ -391,8 +421,39 @@ except ImportError:
     yaml = None
 
 
-# xml.etree.parse only throws ParseError for python >= 2.7
+# XML is optional
 try:
-    from xml.etree import ParseError as ETParseError
-except ImportError:  # python < 2.7
-    ETParseError = None
+    import defusedxml.ElementTree as etree
+except ImportError:
+    etree = None
+
+# OAuth is optional
+try:
+    # Note: The `oauth2` package actually provides oauth1.0a support.  Urg.
+    import oauth2 as oauth
+except ImportError:
+    oauth = None
+
+# OAuth is optional
+try:
+    import oauth_provider
+    from oauth_provider.store import store as oauth_provider_store
+except ImportError:
+    oauth_provider = None
+    oauth_provider_store = None
+
+# OAuth 2 support is optional
+try:
+    import provider.oauth2 as oauth2_provider
+    from provider.oauth2 import backends as oauth2_provider_backends
+    from provider.oauth2 import models as oauth2_provider_models
+    from provider.oauth2 import forms as oauth2_provider_forms
+    from provider import scope as oauth2_provider_scope
+    from provider import constants as oauth2_constants
+except ImportError:
+    oauth2_provider = None
+    oauth2_provider_backends = None
+    oauth2_provider_models = None
+    oauth2_provider_forms = None
+    oauth2_provider_scope = None
+    oauth2_constants = None
diff --git a/rest_framework/decorators.py b/rest_framework/decorators.py
index 1b710a03c..8250cd3ba 100644
--- a/rest_framework/decorators.py
+++ b/rest_framework/decorators.py
@@ -1,4 +1,7 @@
+from __future__ import unicode_literals
+from rest_framework.compat import six
 from rest_framework.views import APIView
+import types
 
 
 def api_view(http_method_names):
@@ -11,7 +14,7 @@ def api_view(http_method_names):
     def decorator(func):
 
         WrappedAPIView = type(
-            'WrappedAPIView',
+            six.PY3 and 'WrappedAPIView' or b'WrappedAPIView',
             (APIView,),
             {'__doc__': func.__doc__}
         )
@@ -23,6 +26,14 @@ def api_view(http_method_names):
         #         pass
         #     WrappedAPIView.__doc__ = func.doc    <--- Not possible to do this
 
+        # api_view applied without (method_names)
+        assert not(isinstance(http_method_names, types.FunctionType)), \
+            '@api_view missing list of allowed HTTP methods'
+
+        # api_view applied with eg. string instead of list of strings
+        assert isinstance(http_method_names, (list, tuple)), \
+            '@api_view expected a list of strings, recieved %s' % type(http_method_names).__name__
+
         allowed_methods = set(http_method_names) | set(('options',))
         WrappedAPIView.http_method_names = [method.lower() for method in allowed_methods]
 
diff --git a/rest_framework/exceptions.py b/rest_framework/exceptions.py
index 89479deb6..0c96ecdd5 100644
--- a/rest_framework/exceptions.py
+++ b/rest_framework/exceptions.py
@@ -4,6 +4,7 @@ Handled exceptions raised by REST framework.
 In addition Django's built in 403 and 404 exceptions are handled.
 (`django.http.Http404` and `django.core.exceptions.PermissionDenied`)
 """
+from __future__ import unicode_literals
 from rest_framework import status
 
 
@@ -23,6 +24,22 @@ class ParseError(APIException):
         self.detail = detail or self.default_detail
 
 
+class AuthenticationFailed(APIException):
+    status_code = status.HTTP_401_UNAUTHORIZED
+    default_detail = 'Incorrect authentication credentials.'
+
+    def __init__(self, detail=None):
+        self.detail = detail or self.default_detail
+
+
+class NotAuthenticated(APIException):
+    status_code = status.HTTP_401_UNAUTHORIZED
+    default_detail = 'Authentication credentials were not provided.'
+
+    def __init__(self, detail=None):
+        self.detail = detail or self.default_detail
+
+
 class PermissionDenied(APIException):
     status_code = status.HTTP_403_FORBIDDEN
     default_detail = 'You do not have permission to perform this action.'
diff --git a/rest_framework/fields.py b/rest_framework/fields.py
index 998911e12..4b6931ad4 100644
--- a/rest_framework/fields.py
+++ b/rest_framework/fields.py
@@ -1,30 +1,96 @@
+from __future__ import unicode_literals
+
 import copy
 import datetime
 import inspect
 import re
 import warnings
 
-from io import BytesIO
-
 from django.core import validators
 from django.core.exceptions import ValidationError
 from django.conf import settings
 from django import forms
 from django.forms import widgets
-from django.utils.encoding import is_protected_type, smart_unicode
+from django.utils.encoding import is_protected_type
 from django.utils.translation import ugettext_lazy as _
-from rest_framework.compat import parse_date, parse_datetime
-from rest_framework.compat import timezone
+
+from rest_framework import ISO_8601
+from rest_framework.compat import timezone, parse_date, parse_datetime, parse_time
+from rest_framework.compat import BytesIO
+from rest_framework.compat import six
+from rest_framework.compat import smart_text
+from rest_framework.settings import api_settings
 
 
 def is_simple_callable(obj):
     """
     True if the object is a callable that takes no arguments.
     """
-    return (
-        (inspect.isfunction(obj) and not inspect.getargspec(obj)[0]) or
-        (inspect.ismethod(obj) and len(inspect.getargspec(obj)[0]) <= 1)
-    )
+    function = inspect.isfunction(obj)
+    method = inspect.ismethod(obj)
+
+    if not (function or method):
+        return False
+
+    args, _, _, defaults = inspect.getargspec(obj)
+    len_args = len(args) if function else len(args) - 1
+    len_defaults = len(defaults) if defaults else 0
+    return len_args <= len_defaults
+
+
+def get_component(obj, attr_name):
+    """
+    Given an object, and an attribute name,
+    return that attribute on the object.
+    """
+    if isinstance(obj, dict):
+        val = obj[attr_name]
+    else:
+        val = getattr(obj, attr_name)
+
+    if is_simple_callable(val):
+        return val()
+    return val
+
+
+def readable_datetime_formats(formats):
+    format = ', '.join(formats).replace(ISO_8601, 'YYYY-MM-DDThh:mm[:ss[.uuuuuu]][+HHMM|-HHMM|Z]')
+    return humanize_strptime(format)
+
+
+def readable_date_formats(formats):
+    format = ', '.join(formats).replace(ISO_8601, 'YYYY[-MM[-DD]]')
+    return humanize_strptime(format)
+
+
+def readable_time_formats(formats):
+    format = ', '.join(formats).replace(ISO_8601, 'hh:mm[:ss[.uuuuuu]]')
+    return humanize_strptime(format)
+
+
+def humanize_strptime(format_string):
+    # Note that we're missing some of the locale specific mappings that
+    # don't really make sense.
+    mapping = {
+        "%Y": "YYYY",
+        "%y": "YY",
+        "%m": "MM",
+        "%b": "[Jan-Dec]",
+        "%B": "[January-December]",
+        "%d": "DD",
+        "%H": "hh",
+        "%I": "hh",  # Requires '%p' to differentiate from '%H'.
+        "%M": "mm",
+        "%S": "ss",
+        "%f": "uuuuuu",
+        "%a": "[Mon-Sun]",
+        "%A": "[Monday-Sunday]",
+        "%p": "[AM|PM]",
+        "%z": "[+HHMM|-HHMM]"
+    }
+    for key, val in mapping.items():
+        format_string = format_string.replace(key, val)
+    return format_string
 
 
 class Field(object):
@@ -32,7 +98,8 @@ class Field(object):
     creation_counter = 0
     empty = ''
     type_name = None
-    _use_files = None
+    partial = False
+    use_files = False
     form_field_class = forms.CharField
 
     def __init__(self, source=None):
@@ -53,7 +120,8 @@ class Field(object):
         self.parent = parent
         self.root = parent.root or parent
         self.context = self.root.context
-        if self.root.partial:
+        self.partial = self.root.partial
+        if self.partial:
             self.required = False
 
     def field_from_native(self, data, files, field_name, into):
@@ -74,14 +142,14 @@ class Field(object):
         if self.source == '*':
             return self.to_native(obj)
 
-        if self.source:
-            value = obj
-            for component in self.source.split('.'):
-                value = getattr(value, component)
-                if is_simple_callable(value):
-                    value = value()
-        else:
-            value = getattr(obj, field_name)
+        source = self.source or field_name
+        value = obj
+
+        for component in source.split('.'):
+            value = get_component(value, component)
+            if value is None:
+                break
+
         return self.to_native(value)
 
     def to_native(self, value):
@@ -93,11 +161,11 @@ class Field(object):
 
         if is_protected_type(value):
             return value
-        elif hasattr(value, '__iter__') and not isinstance(value, (dict, basestring)):
+        elif hasattr(value, '__iter__') and not isinstance(value, (dict, six.string_types)):
             return [self.to_native(item) for item in value]
         elif isinstance(value, dict):
             return dict(map(self.to_native, (k, v)) for k, v in value.items())
-        return smart_unicode(value)
+        return smart_text(value)
 
     def attributes(self):
         """
@@ -124,6 +192,13 @@ class WritableField(Field):
                  validators=[], error_messages=None, widget=None,
                  default=None, blank=None):
 
+        # 'blank' is to be deprecated in favor of 'required'
+        if blank is not None:
+            warnings.warn('The `blank` keyword argument is due to deprecated. '
+                          'Use the `required` keyword argument instead.',
+                          PendingDeprecationWarning, stacklevel=2)
+            required = not(blank)
+
         super(WritableField, self).__init__(source=source)
 
         self.read_only = read_only
@@ -141,7 +216,6 @@ class WritableField(Field):
 
         self.validators = self.default_validators + validators
         self.default = default if default is not None else self.default
-        self.blank = blank
 
         # Widgets are ony used for HTML forms.
         widget = widget or self.widget
@@ -180,13 +254,13 @@ class WritableField(Field):
             return
 
         try:
-            if self._use_files:
+            if self.use_files:
                 files = files or {}
                 native = files[field_name]
             else:
                 native = data[field_name]
         except KeyError:
-            if self.default is not None and not self.root.partial:
+            if self.default is not None and not self.partial:
                 # Note: partial updates shouldn't set defaults
                 native = self.default
             else:
@@ -217,7 +291,7 @@ class ModelField(WritableField):
     def __init__(self, *args, **kwargs):
         try:
             self.model_field = kwargs.pop('model_field')
-        except:
+        except KeyError:
             raise ValueError("ModelField requires 'model_field' kwarg")
 
         self.min_length = kwargs.pop('min_length',
@@ -258,7 +332,7 @@ class BooleanField(WritableField):
     form_field_class = forms.BooleanField
     widget = widgets.CheckboxInput
     default_error_messages = {
-        'invalid': _(u"'%s' value must be either True or False."),
+        'invalid': _("'%s' value must be either True or False."),
     }
     empty = False
 
@@ -287,20 +361,10 @@ class CharField(WritableField):
         if max_length is not None:
             self.validators.append(validators.MaxLengthValidator(max_length))
 
-    def validate(self, value):
-        """
-        Validates that the value is supplied (if required).
-        """
-        # if empty string and allow blank
-        if self.blank and not value:
-            return
-        else:
-            super(CharField, self).validate(value)
-
     def from_native(self, value):
-        if isinstance(value, basestring) or value is None:
+        if isinstance(value, six.string_types) or value is None:
             return value
-        return smart_unicode(value)
+        return smart_text(value)
 
 
 class URLField(CharField):
@@ -325,7 +389,8 @@ class ChoiceField(WritableField):
     form_field_class = forms.ChoiceField
     widget = widgets.Select
     default_error_messages = {
-        'invalid_choice': _('Select a valid choice. %(value)s is not one of the available choices.'),
+        'invalid_choice': _('Select a valid choice. %(value)s is not one of '
+                            'the available choices.'),
     }
 
     def __init__(self, choices=(), *args, **kwargs):
@@ -359,10 +424,10 @@ class ChoiceField(WritableField):
             if isinstance(v, (list, tuple)):
                 # This is an optgroup, so look inside the group for options
                 for k2, v2 in v:
-                    if value == smart_unicode(k2):
+                    if value == smart_text(k2):
                         return True
             else:
-                if value == smart_unicode(k) or value == k:
+                if value == smart_text(k) or value == k:
                     return True
         return False
 
@@ -402,7 +467,7 @@ class RegexField(CharField):
         return self._regex
 
     def _set_regex(self, regex):
-        if isinstance(regex, basestring):
+        if isinstance(regex, six.string_types):
             regex = re.compile(regex)
         self._regex = regex
         if hasattr(self, '_regex_validator') and self._regex_validator in self.validators:
@@ -425,12 +490,16 @@ class DateField(WritableField):
     form_field_class = forms.DateField
 
     default_error_messages = {
-        'invalid': _(u"'%s' value has an invalid date format. It must be "
-                     u"in YYYY-MM-DD format."),
-        'invalid_date': _(u"'%s' value has the correct format (YYYY-MM-DD) "
-                          u"but it is an invalid date."),
+        'invalid': _("Date has wrong format. Use one of these formats instead: %s"),
     }
     empty = None
+    input_formats = api_settings.DATE_INPUT_FORMATS
+    format = api_settings.DATE_FORMAT
+
+    def __init__(self, input_formats=None, format=None, *args, **kwargs):
+        self.input_formats = input_formats if input_formats is not None else self.input_formats
+        self.format = format if format is not None else self.format
+        super(DateField, self).__init__(*args, **kwargs)
 
     def from_native(self, value):
         if value in validators.EMPTY_VALUES:
@@ -446,17 +515,37 @@ class DateField(WritableField):
         if isinstance(value, datetime.date):
             return value
 
-        try:
-            parsed = parse_date(value)
-            if parsed is not None:
-                return parsed
-        except ValueError:
-            msg = self.error_messages['invalid_date'] % value
-            raise ValidationError(msg)
+        for format in self.input_formats:
+            if format.lower() == ISO_8601:
+                try:
+                    parsed = parse_date(value)
+                except (ValueError, TypeError):
+                    pass
+                else:
+                    if parsed is not None:
+                        return parsed
+            else:
+                try:
+                    parsed = datetime.datetime.strptime(value, format)
+                except (ValueError, TypeError):
+                    pass
+                else:
+                    return parsed.date()
 
-        msg = self.error_messages['invalid'] % value
+        msg = self.error_messages['invalid'] % readable_date_formats(self.input_formats)
         raise ValidationError(msg)
 
+    def to_native(self, value):
+        if value is None:
+            return None
+
+        if isinstance(value, datetime.datetime):
+            value = value.date()
+
+        if self.format.lower() == ISO_8601:
+            return value.isoformat()
+        return value.strftime(self.format)
+
 
 class DateTimeField(WritableField):
     type_name = 'DateTimeField'
@@ -464,15 +553,16 @@ class DateTimeField(WritableField):
     form_field_class = forms.DateTimeField
 
     default_error_messages = {
-        'invalid': _(u"'%s' value has an invalid format. It must be in "
-                     u"YYYY-MM-DD HH:MM[:ss[.uuuuuu]][TZ] format."),
-        'invalid_date': _(u"'%s' value has the correct format "
-                          u"(YYYY-MM-DD) but it is an invalid date."),
-        'invalid_datetime': _(u"'%s' value has the correct format "
-                              u"(YYYY-MM-DD HH:MM[:ss[.uuuuuu]][TZ]) "
-                              u"but it is an invalid date/time."),
+        'invalid': _("Datetime has wrong format. Use one of these formats instead: %s"),
     }
     empty = None
+    input_formats = api_settings.DATETIME_INPUT_FORMATS
+    format = api_settings.DATETIME_FORMAT
+
+    def __init__(self, input_formats=None, format=None, *args, **kwargs):
+        self.input_formats = input_formats if input_formats is not None else self.input_formats
+        self.format = format if format is not None else self.format
+        super(DateTimeField, self).__init__(*args, **kwargs)
 
     def from_native(self, value):
         if value in validators.EMPTY_VALUES:
@@ -487,32 +577,97 @@ class DateTimeField(WritableField):
                 # local time. This won't work during DST change, but we can't
                 # do much about it, so we let the exceptions percolate up the
                 # call stack.
-                warnings.warn(u"DateTimeField received a naive datetime (%s)"
-                              u" while time zone support is active." % value,
+                warnings.warn("DateTimeField received a naive datetime (%s)"
+                              " while time zone support is active." % value,
                               RuntimeWarning)
                 default_timezone = timezone.get_default_timezone()
                 value = timezone.make_aware(value, default_timezone)
             return value
 
-        try:
-            parsed = parse_datetime(value)
-            if parsed is not None:
-                return parsed
-        except ValueError:
-            msg = self.error_messages['invalid_datetime'] % value
-            raise ValidationError(msg)
+        for format in self.input_formats:
+            if format.lower() == ISO_8601:
+                try:
+                    parsed = parse_datetime(value)
+                except (ValueError, TypeError):
+                    pass
+                else:
+                    if parsed is not None:
+                        return parsed
+            else:
+                try:
+                    parsed = datetime.datetime.strptime(value, format)
+                except (ValueError, TypeError):
+                    pass
+                else:
+                    return parsed
 
-        try:
-            parsed = parse_date(value)
-            if parsed is not None:
-                return datetime.datetime(parsed.year, parsed.month, parsed.day)
-        except ValueError:
-            msg = self.error_messages['invalid_date'] % value
-            raise ValidationError(msg)
-
-        msg = self.error_messages['invalid'] % value
+        msg = self.error_messages['invalid'] % readable_datetime_formats(self.input_formats)
         raise ValidationError(msg)
 
+    def to_native(self, value):
+        if value is None:
+            return None
+
+        if self.format.lower() == ISO_8601:
+            return value.isoformat()
+        return value.strftime(self.format)
+
+
+class TimeField(WritableField):
+    type_name = 'TimeField'
+    widget = widgets.TimeInput
+    form_field_class = forms.TimeField
+
+    default_error_messages = {
+        'invalid': _("Time has wrong format. Use one of these formats instead: %s"),
+    }
+    empty = None
+    input_formats = api_settings.TIME_INPUT_FORMATS
+    format = api_settings.TIME_FORMAT
+
+    def __init__(self, input_formats=None, format=None, *args, **kwargs):
+        self.input_formats = input_formats if input_formats is not None else self.input_formats
+        self.format = format if format is not None else self.format
+        super(TimeField, self).__init__(*args, **kwargs)
+
+    def from_native(self, value):
+        if value in validators.EMPTY_VALUES:
+            return None
+
+        if isinstance(value, datetime.time):
+            return value
+
+        for format in self.input_formats:
+            if format.lower() == ISO_8601:
+                try:
+                    parsed = parse_time(value)
+                except (ValueError, TypeError):
+                    pass
+                else:
+                    if parsed is not None:
+                        return parsed
+            else:
+                try:
+                    parsed = datetime.datetime.strptime(value, format)
+                except (ValueError, TypeError):
+                    pass
+                else:
+                    return parsed.time()
+
+        msg = self.error_messages['invalid'] % readable_time_formats(self.input_formats)
+        raise ValidationError(msg)
+
+    def to_native(self, value):
+        if value is None:
+            return None
+
+        if isinstance(value, datetime.datetime):
+            value = value.time()
+
+        if self.format.lower() == ISO_8601:
+            return value.isoformat()
+        return value.strftime(self.format)
+
 
 class IntegerField(WritableField):
     type_name = 'IntegerField'
@@ -564,7 +719,7 @@ class FloatField(WritableField):
 
 
 class FileField(WritableField):
-    _use_files = True
+    use_files = True
     type_name = 'FileField'
     form_field_class = forms.FileField
     widget = widgets.FileInput
@@ -608,11 +763,12 @@ class FileField(WritableField):
 
 
 class ImageField(FileField):
-    _use_files = True
+    use_files = True
     form_field_class = forms.ImageField
 
     default_error_messages = {
-        'invalid_image': _("Upload a valid image. The file you uploaded was either not an image or a corrupted image."),
+        'invalid_image': _("Upload a valid image. The file you uploaded was "
+                           "either not an image or a corrupted image."),
     }
 
     def from_native(self, data):
diff --git a/rest_framework/filters.py b/rest_framework/filters.py
index bcc876607..6fea46faf 100644
--- a/rest_framework/filters.py
+++ b/rest_framework/filters.py
@@ -1,3 +1,4 @@
+from __future__ import unicode_literals
 from rest_framework.compat import django_filters
 
 FilterSet = django_filters and django_filters.FilterSet or None
@@ -54,6 +55,6 @@ class DjangoFilterBackend(BaseFilterBackend):
         filter_class = self.get_filter_class(view)
 
         if filter_class:
-            return filter_class(request.GET, queryset=queryset)
+            return filter_class(request.QUERY_PARAMS, queryset=queryset)
 
         return queryset
diff --git a/rest_framework/generics.py b/rest_framework/generics.py
index f575470ef..55918267a 100644
--- a/rest_framework/generics.py
+++ b/rest_framework/generics.py
@@ -1,7 +1,7 @@
 """
 Generic views that provide commonly needed behaviour.
 """
-
+from __future__ import unicode_literals
 from rest_framework import views, mixins
 from rest_framework.settings import api_settings
 from django.views.generic.detail import SingleObjectMixin
@@ -18,6 +18,16 @@ class GenericAPIView(views.APIView):
     model = None
     serializer_class = None
     model_serializer_class = api_settings.DEFAULT_MODEL_SERIALIZER_CLASS
+    filter_backend = api_settings.FILTER_BACKEND
+
+    def filter_queryset(self, queryset):
+        """
+        Given a queryset, filter it with whichever filter backend is in use.
+        """
+        if not self.filter_backend:
+            return queryset
+        backend = self.filter_backend()
+        return backend.filter_queryset(self.request, queryset, self)
 
     def get_serializer_context(self):
         """
@@ -48,7 +58,7 @@ class GenericAPIView(views.APIView):
         return serializer_class
 
     def get_serializer(self, instance=None, data=None,
-                       files=None, partial=False):
+                       files=None, many=False, partial=False):
         """
         Return the serializer instance that should be used for validating and
         deserializing input, and for serializing output.
@@ -56,7 +66,21 @@ class GenericAPIView(views.APIView):
         serializer_class = self.get_serializer_class()
         context = self.get_serializer_context()
         return serializer_class(instance, data=data, files=files,
-                                partial=partial, context=context)
+                                many=many, partial=partial, context=context)
+
+    def pre_save(self, obj):
+        """
+        Placeholder method for calling before saving an object.
+        May be used eg. to set attributes on the object that are implicit
+        in either the request, or the url.
+        """
+        pass
+
+    def post_save(self, obj, created=False):
+        """
+        Placeholder method for calling after saving an object.
+        """
+        pass
 
     def pre_save(self, obj):
         pass
@@ -70,16 +94,6 @@ class MultipleObjectAPIView(MultipleObjectMixin, GenericAPIView):
     paginate_by = api_settings.PAGINATE_BY
     paginate_by_param = api_settings.PAGINATE_BY_PARAM
     pagination_serializer_class = api_settings.DEFAULT_PAGINATION_SERIALIZER_CLASS
-    filter_backend = api_settings.FILTER_BACKEND
-
-    def filter_queryset(self, queryset):
-        """
-        Given a queryset, filter it with whichever filter backend is in use.
-        """
-        if not self.filter_backend:
-            return queryset
-        backend = self.filter_backend()
-        return backend.filter_queryset(self.request, queryset, self)
 
     def get_pagination_serializer(self, page=None):
         """
@@ -120,8 +134,7 @@ class SingleObjectAPIView(SingleObjectMixin, GenericAPIView):
         Override default to add support for object-level permissions.
         """
         obj = super(SingleObjectAPIView, self).get_object(queryset)
-        if not self.has_permission(self.request, obj):
-            self.permission_denied(self.request)
+        self.check_object_permissions(self.request, obj)
         return obj
 
 
diff --git a/rest_framework/mixins.py b/rest_framework/mixins.py
index e0ae216e8..7d9a6e654 100644
--- a/rest_framework/mixins.py
+++ b/rest_framework/mixins.py
@@ -4,22 +4,48 @@ Basic building blocks for generic class based views.
 We don't bind behaviour to http method handlers yet,
 which allows mixin classes to be composed in interesting ways.
 """
+from __future__ import unicode_literals
+
 from django.http import Http404
 from rest_framework import status
 from rest_framework.response import Response
+from rest_framework.request import clone_request
+
+
+def _get_validation_exclusions(obj, pk=None, slug_field=None):
+    """
+    Given a model instance, and an optional pk and slug field,
+    return the full list of all other field names on that model.
+
+    For use when performing full_clean on a model instance,
+    so we only clean the required fields.
+    """
+    include = []
+
+    if pk:
+        pk_field = obj._meta.pk
+        while pk_field.rel:
+            pk_field = pk_field.rel.to._meta.pk
+        include.append(pk_field.name)
+
+    if slug_field:
+        include.append(slug_field)
+
+    return [field.name for field in obj._meta.fields if field.name not in include]
 
 
 class CreateModelMixin(object):
     """
     Create a model instance.
-    Should be mixed in with any `BaseView`.
+    Should be mixed in with any `GenericAPIView`.
     """
     def create(self, request, *args, **kwargs):
         serializer = self.get_serializer(data=request.DATA, files=request.FILES)
 
         if serializer.is_valid():
             self.pre_save(serializer.object)
-            self.object = serializer.save()
+            self.object = serializer.save(force_insert=True)
+            self.post_save(self.object, created=True)
             headers = self.get_success_headers(serializer.data)
             return Response(serializer.data, status=status.HTTP_201_CREATED,
                             headers=headers)
@@ -38,7 +64,7 @@ class ListModelMixin(object):
     List a queryset.
     Should be mixed in with `MultipleObjectAPIView`.
     """
-    empty_error = u"Empty list and '%(class_name)s.allow_empty' is False."
+    empty_error = "Empty list and '%(class_name)s.allow_empty' is False."
 
     def list(self, request, *args, **kwargs):
         queryset = self.get_queryset()
@@ -60,7 +86,7 @@ class ListModelMixin(object):
             paginator, page, queryset, is_paginated = packed
             serializer = self.get_pagination_serializer(page)
         else:
-            serializer = self.get_serializer(self.object_list)
+            serializer = self.get_serializer(self.object_list, many=True)
 
         return Response(serializer.data)
 
@@ -68,10 +94,12 @@ class ListModelMixin(object):
 class RetrieveModelMixin(object):
     """
     Retrieve a model instance.
-    Should be mixed in with `SingleObjectBaseView`.
+    Should be mixed in with `SingleObjectAPIView`.
     """
     def retrieve(self, request, *args, **kwargs):
-        self.object = self.get_object()
+        queryset = self.get_queryset()
+        filtered_queryset = self.filter_queryset(queryset)
+        self.object = self.get_object(filtered_queryset)
         serializer = self.get_serializer(self.object)
         return Response(serializer.data)
 
@@ -79,23 +107,32 @@ class RetrieveModelMixin(object):
 class UpdateModelMixin(object):
     """
     Update a model instance.
-    Should be mixed in with `SingleObjectBaseView`.
+    Should be mixed in with `SingleObjectAPIView`.
     """
     def update(self, request, *args, **kwargs):
         partial = kwargs.pop('partial', False)
+        self.object = None
         try:
             self.object = self.get_object()
-            success_status_code = status.HTTP_200_OK
         except Http404:
-            self.object = None
+            # If this is a PUT-as-create operation, we need to ensure that
+            # we have relevant permissions, as if this was a POST request.
+            self.check_permissions(clone_request(request, 'POST'))
+            created = True
+            save_kwargs = {'force_insert': True}
             success_status_code = status.HTTP_201_CREATED
+        else:
+            created = False
+            save_kwargs = {'force_update': True}
+            success_status_code = status.HTTP_200_OK
 
         serializer = self.get_serializer(self.object, data=request.DATA,
                                          files=request.FILES, partial=partial)
 
         if serializer.is_valid():
             self.pre_save(serializer.object)
-            self.object = serializer.save()
+            self.object = serializer.save(**save_kwargs)
+            self.post_save(self.object, created=created)
             return Response(serializer.data, status=success_status_code)
 
         return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
@@ -106,24 +143,26 @@ class UpdateModelMixin(object):
         """
         # pk and/or slug attributes are implicit in the URL.
         pk = self.kwargs.get(self.pk_url_kwarg, None)
+        slug = self.kwargs.get(self.slug_url_kwarg, None)
+        slug_field = slug and self.get_slug_field() or None
+
         if pk:
             setattr(obj, 'pk', pk)
 
-        slug = self.kwargs.get(self.slug_url_kwarg, None)
         if slug:
-            slug_field = self.get_slug_field()
             setattr(obj, slug_field, slug)
 
         # Ensure we clean the attributes so that we don't eg return integer
         # pk using a string representation, as provided by the url conf kwarg.
         if hasattr(obj, 'full_clean'):
-            obj.full_clean()
+            exclude = _get_validation_exclusions(obj, pk, slug_field)
+            obj.full_clean(exclude)
 
 
 class DestroyModelMixin(object):
     """
     Destroy a model instance.
-    Should be mixed in with `SingleObjectBaseView`.
+    Should be mixed in with `SingleObjectAPIView`.
     """
     def destroy(self, request, *args, **kwargs):
         obj = self.get_object()
diff --git a/rest_framework/negotiation.py b/rest_framework/negotiation.py
index ee2800a6e..0694d35f5 100644
--- a/rest_framework/negotiation.py
+++ b/rest_framework/negotiation.py
@@ -1,3 +1,4 @@
+from __future__ import unicode_literals
 from django.http import Http404
 from rest_framework import exceptions
 from rest_framework.settings import api_settings
@@ -33,7 +34,7 @@ class DefaultContentNegotiation(BaseContentNegotiation):
         """
         # Allow URL style format override.  eg. "?format=json
         format_query_param = self.settings.URL_FORMAT_OVERRIDE
-        format = format_suffix or request.GET.get(format_query_param)
+        format = format_suffix or request.QUERY_PARAMS.get(format_query_param)
 
         if format:
             renderers = self.filter_renderers(renderers, format)
@@ -80,5 +81,5 @@ class DefaultContentNegotiation(BaseContentNegotiation):
         Allows URL style accept override.  eg. "?accept=application/json"
         """
         header = request.META.get('HTTP_ACCEPT', '*/*')
-        header = request.GET.get(self.settings.URL_ACCEPT_OVERRIDE, header)
+        header = request.QUERY_PARAMS.get(self.settings.URL_ACCEPT_OVERRIDE, header)
         return [token.strip() for token in header.split(',')]
diff --git a/rest_framework/pagination.py b/rest_framework/pagination.py
index d241ade7c..03a7a30f8 100644
--- a/rest_framework/pagination.py
+++ b/rest_framework/pagination.py
@@ -1,3 +1,4 @@
+from __future__ import unicode_literals
 from rest_framework import serializers
 from rest_framework.templatetags.rest_framework import replace_query_param
 
@@ -34,6 +35,17 @@ class PreviousPageField(serializers.Field):
         return replace_query_param(url, self.page_field, page)
 
 
+class DefaultObjectSerializer(serializers.Field):
+    """
+    If no object serializer is specified, then this serializer will be applied
+    as the default.
+    """
+
+    def __init__(self, source=None, context=None):
+        # Note: Swallow context kwarg - only required for eg. ModelSerializer.
+        super(DefaultObjectSerializer, self).__init__(source=source)
+
+
 class PaginationSerializerOptions(serializers.SerializerOptions):
     """
     An object that stores the options that may be provided to a
@@ -44,7 +56,7 @@ class PaginationSerializerOptions(serializers.SerializerOptions):
     def __init__(self, meta):
         super(PaginationSerializerOptions, self).__init__(meta)
         self.object_serializer_class = getattr(meta, 'object_serializer_class',
-                                               serializers.Field)
+                                               DefaultObjectSerializer)
 
 
 class BasePaginationSerializer(serializers.Serializer):
@@ -62,14 +74,13 @@ class BasePaginationSerializer(serializers.Serializer):
         super(BasePaginationSerializer, self).__init__(*args, **kwargs)
         results_field = self.results_field
         object_serializer = self.opts.object_serializer_class
-        self.fields[results_field] = object_serializer(source='object_list')
 
-    def to_native(self, obj):
-        """
-        Prevent default behaviour of iterating over elements, and serializing
-        each in turn.
-        """
-        return self.convert_object(obj)
+        if 'context' in kwargs:
+            context_kwarg = {'context': kwargs['context']}
+        else:
+            context_kwarg = {}
+
+        self.fields[results_field] = object_serializer(source='object_list', **context_kwarg)
 
 
 class PaginationSerializer(BasePaginationSerializer):
diff --git a/rest_framework/parsers.py b/rest_framework/parsers.py
index 149d64311..491acd68c 100644
--- a/rest_framework/parsers.py
+++ b/rest_framework/parsers.py
@@ -4,14 +4,14 @@ Parsers are used to parse the content of incoming HTTP requests.
 They give us a generic way of being able to handle various media types
 on the request, such as form content or json encoded data.
 """
-
+from __future__ import unicode_literals
+from django.conf import settings
 from django.http import QueryDict
 from django.http.multipartparser import MultiPartParser as DjangoMultiPartParser
 from django.http.multipartparser import MultiPartParserError
-from rest_framework.compat import yaml, ETParseError
+from rest_framework.compat import yaml, etree
 from rest_framework.exceptions import ParseError
-from xml.etree import ElementTree as ET
-from xml.parsers.expat import ExpatError
+from rest_framework.compat import six
 import json
 import datetime
 import decimal
@@ -54,10 +54,14 @@ class JSONParser(BaseParser):
         `data` will be an object which is the parsed content of the response.
         `files` will always be `None`.
         """
+        parser_context = parser_context or {}
+        encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
+
         try:
-            return json.load(stream)
-        except ValueError, exc:
-            raise ParseError('JSON parse error - %s' % unicode(exc))
+            data = stream.read().decode(encoding)
+            return json.loads(data)
+        except ValueError as exc:
+            raise ParseError('JSON parse error - %s' % six.text_type(exc))
 
 
 class YAMLParser(BaseParser):
@@ -74,10 +78,16 @@ class YAMLParser(BaseParser):
         `data` will be an object which is the parsed content of the response.
         `files` will always be `None`.
         """
+        assert yaml, 'YAMLParser requires pyyaml to be installed'
+
+        parser_context = parser_context or {}
+        encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
+
         try:
-            return yaml.safe_load(stream)
-        except (ValueError, yaml.parser.ParserError), exc:
-            raise ParseError('YAML parse error - %s' % unicode(exc))
+            data = stream.read().decode(encoding)
+            return yaml.safe_load(data)
+        except (ValueError, yaml.parser.ParserError) as exc:
+            raise ParseError('YAML parse error - %s' % six.u(exc))
 
 
 class FormParser(BaseParser):
@@ -94,7 +104,9 @@ class FormParser(BaseParser):
         `data` will be a :class:`QueryDict` containing all the form parameters.
         `files` will always be :const:`None`.
         """
-        data = QueryDict(stream.read())
+        parser_context = parser_context or {}
+        encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
+        data = QueryDict(stream.read(), encoding=encoding)
         return data
 
 
@@ -114,15 +126,16 @@ class MultiPartParser(BaseParser):
         """
         parser_context = parser_context or {}
         request = parser_context['request']
+        encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
         meta = request.META
         upload_handlers = request.upload_handlers
 
         try:
-            parser = DjangoMultiPartParser(meta, stream, upload_handlers)
+            parser = DjangoMultiPartParser(meta, stream, upload_handlers, encoding)
             data, files = parser.parse()
             return DataAndFiles(data, files)
-        except MultiPartParserError, exc:
-            raise ParseError('Multipart form parse error - %s' % unicode(exc))
+        except MultiPartParserError as exc:
+            raise ParseError('Multipart form parse error - %s' % six.u(exc))
 
 
 class XMLParser(BaseParser):
@@ -133,10 +146,15 @@ class XMLParser(BaseParser):
     media_type = 'application/xml'
 
     def parse(self, stream, media_type=None, parser_context=None):
+        assert etree, 'XMLParser requires defusedxml to be installed'
+
+        parser_context = parser_context or {}
+        encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
+        parser = etree.DefusedXMLParser(encoding=encoding)
         try:
-            tree = ET.parse(stream)
-        except (ExpatError, ETParseError, ValueError), exc:
-            raise ParseError('XML parse error - %s' % unicode(exc))
+            tree = etree.parse(stream, parser=parser, forbid_dtd=True)
+        except (etree.ParseError, ValueError) as exc:
+            raise ParseError('XML parse error - %s' % six.u(exc))
         data = self._xml_convert(tree.getroot())
 
         return data
@@ -146,7 +164,7 @@ class XMLParser(BaseParser):
         convert the xml `element` into the corresponding python object
         """
 
-        children = element.getchildren()
+        children = list(element)
 
         if len(children) == 0:
             return self._type_convert(element.text)
diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
index 655b78a34..ae895f394 100644
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -1,21 +1,36 @@
 """
 Provides a set of pluggable permission policies.
 """
-
+from __future__ import unicode_literals
+import inspect
+import warnings
 
 SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']
 
+from rest_framework.compat import oauth2_provider_scope, oauth2_constants
+
 
 class BasePermission(object):
     """
     A base class from which all permission classes should inherit.
     """
 
-    def has_permission(self, request, view, obj=None):
+    def has_permission(self, request, view):
         """
         Return `True` if permission is granted, `False` otherwise.
         """
-        raise NotImplementedError(".has_permission() must be overridden.")
+        return True
+
+    def has_object_permission(self, request, view, obj):
+        """
+        Return `True` if permission is granted, `False` otherwise.
+        """
+        if len(inspect.getargspec(self.has_permission)[0]) == 4:
+            warnings.warn('The `obj` argument in `has_permission` is due to be deprecated. '
+                      'Use `has_object_permission()` instead for object permissions.',
+                       PendingDeprecationWarning, stacklevel=2)
+            return self.has_permission(request, view, obj)
+        return True
 
 
 class AllowAny(BasePermission):
@@ -25,7 +40,7 @@ class AllowAny(BasePermission):
     permission_classes list, but it's useful because it makes the intention
     more explicit.
     """
-    def has_permission(self, request, view, obj=None):
+    def has_permission(self, request, view):
         return True
 
 
@@ -34,7 +49,7 @@ class IsAuthenticated(BasePermission):
     Allows access only to authenticated users.
     """
 
-    def has_permission(self, request, view, obj=None):
+    def has_permission(self, request, view):
         if request.user and request.user.is_authenticated():
             return True
         return False
@@ -45,7 +60,7 @@ class IsAdminUser(BasePermission):
     Allows access only to admin users.
     """
 
-    def has_permission(self, request, view, obj=None):
+    def has_permission(self, request, view):
         if request.user and request.user.is_staff:
             return True
         return False
@@ -56,7 +71,7 @@ class IsAuthenticatedOrReadOnly(BasePermission):
     The request is authenticated as a user, or is a read-only request.
     """
 
-    def has_permission(self, request, view, obj=None):
+    def has_permission(self, request, view):
         if (request.method in SAFE_METHODS or
             request.user and
             request.user.is_authenticated()):
@@ -89,6 +104,8 @@ class DjangoModelPermissions(BasePermission):
         'DELETE': ['%(app_label)s.delete_%(model_name)s'],
     }
 
+    authenticated_users_only = True
+
     def get_required_permissions(self, method, model_cls):
         """
         Given a model and an HTTP method, return the list of permission
@@ -100,15 +117,43 @@ class DjangoModelPermissions(BasePermission):
         }
         return [perm % kwargs for perm in self.perms_map[method]]
 
-    def has_permission(self, request, view, obj=None):
+    def has_permission(self, request, view):
         model_cls = getattr(view, 'model', None)
-        if not model_cls:
-            return True
+        queryset = getattr(view, 'queryset', None)
+
+        if model_cls is None and queryset is not None:
+            model_cls = queryset.model
+
+        assert model_cls, ('Cannot apply DjangoModelPermissions on a view that'
+                           ' does not have `.model` or `.queryset` property.')
 
         perms = self.get_required_permissions(request.method, model_cls)
 
         if (request.user and
-            request.user.is_authenticated() and
-            request.user.has_perms(perms, obj)):
+            (request.user.is_authenticated() or not self.authenticated_users_only) and
+            request.user.has_perms(perms)):
             return True
         return False
+
+
+class TokenHasReadWriteScope(BasePermission):
+    """
+    The request is authenticated as a user and the token used has the right scope
+    """
+
+    def has_permission(self, request, view):
+        token = request.auth
+        read_only = request.method in SAFE_METHODS
+
+        if not token:
+            return False
+
+        if hasattr(token, 'resource'):  # OAuth 1
+            return read_only or not request.auth.resource.is_readonly
+        elif hasattr(token, 'scope'):  # OAuth 2
+            required = oauth2_constants.READ if read_only else oauth2_constants.WRITE
+            return oauth2_provider_scope.check(required, request.auth.scope)
+
+        assert False, ('TokenHasReadWriteScope requires either the'
+        '`OAuthAuthentication` or `OAuth2Authentication` authentication '
+        'class to be used.')
diff --git a/rest_framework/relations.py b/rest_framework/relations.py
index 5e4552b7a..2a10e9af5 100644
--- a/rest_framework/relations.py
+++ b/rest_framework/relations.py
@@ -1,13 +1,16 @@
+from __future__ import unicode_literals
 from django.core.exceptions import ObjectDoesNotExist, ValidationError
-from django.core.urlresolvers import resolve, get_script_prefix
+from django.core.urlresolvers import resolve, get_script_prefix, NoReverseMatch
 from django import forms
 from django.forms import widgets
 from django.forms.models import ModelChoiceIterator
-from django.utils.encoding import smart_unicode
 from django.utils.translation import ugettext_lazy as _
-from rest_framework.fields import Field, WritableField
+from rest_framework.fields import Field, WritableField, get_component
 from rest_framework.reverse import reverse
-from urlparse import urlparse
+from rest_framework.compat import urlparse
+from rest_framework.compat import smart_text
+import warnings
+
 
 ##### Relational fields #####
 
@@ -17,19 +20,35 @@ class RelatedField(WritableField):
     """
     Base class for related model fields.
 
-    If not overridden, this represents a to-one relationship, using the unicode
-    representation of the target.
+    This represents a relationship using the unicode representation of the target.
     """
     widget = widgets.Select
+    many_widget = widgets.SelectMultiple
+    form_field_class = forms.ChoiceField
+    many_form_field_class = forms.MultipleChoiceField
+
     cache_choices = False
     empty_label = None
-    default_read_only = True  # TODO: Remove this
+    read_only = True
+    many = False
 
     def __init__(self, *args, **kwargs):
+
+        # 'null' is to be deprecated in favor of 'required'
+        if 'null' in kwargs:
+            warnings.warn('The `null` keyword argument is due to be deprecated. '
+                          'Use the `required` keyword argument instead.',
+                          PendingDeprecationWarning, stacklevel=2)
+            kwargs['required'] = not kwargs.pop('null')
+
         self.queryset = kwargs.pop('queryset', None)
-        self.null = kwargs.pop('null', False)
+        self.many = kwargs.pop('many', self.many)
+        if self.many:
+            self.widget = self.many_widget
+            self.form_field_class = self.many_form_field_class
+
+        kwargs['read_only'] = kwargs.pop('read_only', self.read_only)
         super(RelatedField, self).__init__(*args, **kwargs)
-        self.read_only = kwargs.pop('read_only', self.default_read_only)
 
     def initialize(self, parent, field_name):
         super(RelatedField, self).initialize(parent, field_name)
@@ -40,7 +59,7 @@ class RelatedField(WritableField):
                     self.queryset = manager.related.model._default_manager.all()
                 else:  # Reverse
                     self.queryset = manager.field.rel.to._default_manager.all()
-            except:
+            except Exception:
                 raise
                 msg = ('Serializer related fields must include a `queryset`' +
                        ' argument or set `read_only=True')
@@ -48,11 +67,6 @@ class RelatedField(WritableField):
 
     ### We need this stuff to make form choices work...
 
-    # def __deepcopy__(self, memo):
-    #     result = super(RelatedField, self).__deepcopy__(memo)
-    #     result.queryset = result.queryset
-    #     return result
-
     def prepare_value(self, obj):
         return self.to_native(obj)
 
@@ -60,8 +74,8 @@ class RelatedField(WritableField):
         """
         Return a readable representation for use with eg. select widgets.
         """
-        desc = smart_unicode(obj)
-        ident = smart_unicode(self.to_native(obj))
+        desc = smart_text(obj)
+        ident = smart_text(self.to_native(obj))
         if desc == ident:
             return desc
         return "%s - %s" % (desc, ident)
@@ -102,9 +116,24 @@ class RelatedField(WritableField):
 
     def field_to_native(self, obj, field_name):
         try:
-            value = getattr(obj, self.source or field_name)
+            if self.source == '*':
+                return self.to_native(obj)
+
+            source = self.source or field_name
+            value = obj
+
+            for component in source.split('.'):
+                value = get_component(value, component)
+                if value is None:
+                    break
         except ObjectDoesNotExist:
             return None
+
+        if value is None:
+            return None
+
+        if self.many:
+            return [self.to_native(item) for item in value.all()]
         return self.to_native(value)
 
     def field_from_native(self, data, files, field_name, into):
@@ -112,69 +141,43 @@ class RelatedField(WritableField):
             return
 
         try:
-            value = data[field_name]
+            if self.many:
+                try:
+                    # Form data
+                    value = data.getlist(field_name)
+                    if value == [''] or value == []:
+                        raise KeyError
+                except AttributeError:
+                    # Non-form data
+                    value = data[field_name]
+            else:
+                value = data[field_name]
         except KeyError:
-            if self.required:
-                raise ValidationError(self.error_messages['required'])
-            return
+            if self.partial:
+                return
+            value = [] if self.many else None
 
-        if value in (None, '') and not self.null:
-            raise ValidationError('Value may not be null')
-        elif value in (None, '') and self.null:
+        if value in (None, '') and self.required:
+            raise ValidationError(self.error_messages['required'])
+        elif value in (None, ''):
             into[(self.source or field_name)] = None
+        elif self.many:
+            into[(self.source or field_name)] = [self.from_native(item) for item in value]
         else:
             into[(self.source or field_name)] = self.from_native(value)
 
 
-class ManyRelatedMixin(object):
-    """
-    Mixin to convert a related field to a many related field.
-    """
-    widget = widgets.SelectMultiple
-
-    def field_to_native(self, obj, field_name):
-        value = getattr(obj, self.source or field_name)
-        return [self.to_native(item) for item in value.all()]
-
-    def field_from_native(self, data, files, field_name, into):
-        if self.read_only:
-            return
-
-        try:
-            # Form data
-            value = data.getlist(self.source or field_name)
-        except:
-            # Non-form data
-            value = data.get(self.source or field_name)
-        else:
-            if value == ['']:
-                value = []
-
-        into[field_name] = [self.from_native(item) for item in value]
-
-
-class ManyRelatedField(ManyRelatedMixin, RelatedField):
-    """
-    Base class for related model managers.
-
-    If not overridden, this represents a to-many relationship, using the unicode
-    representations of the target, and is read-only.
-    """
-    pass
-
-
 ### PrimaryKey relationships
 
 class PrimaryKeyRelatedField(RelatedField):
     """
-    Represents a to-one relationship as a pk value.
+    Represents a relationship as a pk value.
     """
-    default_read_only = False
-    form_field_class = forms.ChoiceField
+    read_only = False
 
     default_error_messages = {
         'does_not_exist': _("Invalid pk '%s' - object does not exist."),
-        'invalid': _('Invalid value.'),
+        'incorrect_type': _('Incorrect type.  Expected pk value, received %s.'),
     }
 
     # TODO: Remove these field hacks...
@@ -185,8 +188,8 @@ class PrimaryKeyRelatedField(RelatedField):
         """
         Return a readable representation for use with eg. select widgets.
         """
-        desc = smart_unicode(obj)
-        ident = smart_unicode(self.to_native(obj.pk))
+        desc = smart_text(obj)
+        ident = smart_text(self.to_native(obj.pk))
         if desc == ident:
             return desc
         return "%s - %s" % (desc, ident)
@@ -202,85 +205,49 @@ class PrimaryKeyRelatedField(RelatedField):
         try:
             return self.queryset.get(pk=data)
         except ObjectDoesNotExist:
-            msg = self.error_messages['does_not_exist'] % smart_unicode(data)
+            msg = self.error_messages['does_not_exist'] % smart_text(data)
             raise ValidationError(msg)
         except (TypeError, ValueError):
-            msg = self.error_messages['invalid']
+            received = type(data).__name__
+            msg = self.error_messages['incorrect_type'] % received
             raise ValidationError(msg)
 
     def field_to_native(self, obj, field_name):
+        if self.many:
+            # To-many relationship
+            try:
+                # Prefer obj.serializable_value for performance reasons
+                queryset = obj.serializable_value(self.source or field_name)
+            except AttributeError:
+                # RelatedManager (reverse relationship)
+                queryset = getattr(obj, self.source or field_name)
+
+            # Forward relationship
+            return [self.to_native(item.pk) for item in queryset.all()]
+
+        # To-one relationship
         try:
             # Prefer obj.serializable_value for performance reasons
             pk = obj.serializable_value(self.source or field_name)
         except AttributeError:
             # RelatedObject (reverse relationship)
             try:
-                obj = getattr(obj, self.source or field_name)
+                pk = getattr(obj, self.source or field_name).pk
             except ObjectDoesNotExist:
                 return None
-            return self.to_native(obj.pk)
+
         # Forward relationship
         return self.to_native(pk)
 
 
-class ManyPrimaryKeyRelatedField(ManyRelatedField):
-    """
-    Represents a to-many relationship as a pk value.
-    """
-    default_read_only = False
-    form_field_class = forms.MultipleChoiceField
-
-    default_error_messages = {
-        'does_not_exist': _("Invalid pk '%s' - object does not exist."),
-        'invalid': _('Invalid value.'),
-    }
-
-    def prepare_value(self, obj):
-        return self.to_native(obj.pk)
-
-    def label_from_instance(self, obj):
-        """
-        Return a readable representation for use with eg. select widgets.
-        """
-        desc = smart_unicode(obj)
-        ident = smart_unicode(self.to_native(obj.pk))
-        if desc == ident:
-            return desc
-        return "%s - %s" % (desc, ident)
-
-    def to_native(self, pk):
-        return pk
-
-    def field_to_native(self, obj, field_name):
-        try:
-            # Prefer obj.serializable_value for performance reasons
-            queryset = obj.serializable_value(self.source or field_name)
-        except AttributeError:
-            # RelatedManager (reverse relationship)
-            queryset = getattr(obj, self.source or field_name)
-            return [self.to_native(item.pk) for item in queryset.all()]
-        # Forward relationship
-        return [self.to_native(item.pk) for item in queryset.all()]
-
-    def from_native(self, data):
-        if self.queryset is None:
-            raise Exception('Writable related fields must include a `queryset` argument')
-
-        try:
-            return self.queryset.get(pk=data)
-        except ObjectDoesNotExist:
-            msg = self.error_messages['does_not_exist'] % smart_unicode(data)
-            raise ValidationError(msg)
-        except (TypeError, ValueError):
-            msg = self.error_messages['invalid']
-            raise ValidationError(msg)
-
 ### Slug relationships
 
 
 class SlugRelatedField(RelatedField):
-    default_read_only = False
-    form_field_class = forms.ChoiceField
+    """
+    Represents a relationship using a unique field on the target.
+    """
+    read_only = False
 
     default_error_messages = {
         'does_not_exist': _("Object with %s=%s does not exist."),
@@ -303,40 +270,35 @@ class SlugRelatedField(RelatedField):
             return self.queryset.get(**{self.slug_field: data})
         except ObjectDoesNotExist:
             raise ValidationError(self.error_messages['does_not_exist'] %
-                                  (self.slug_field, unicode(data)))
+                                  (self.slug_field, smart_text(data)))
         except (TypeError, ValueError):
             msg = self.error_messages['invalid']
             raise ValidationError(msg)
 
 
-class ManySlugRelatedField(ManyRelatedMixin, SlugRelatedField):
-    form_field_class = forms.MultipleChoiceField
-
-
 ### Hyperlinked relationships
 
 class HyperlinkedRelatedField(RelatedField):
     """
-    Represents a to-one relationship, using hyperlinking.
+    Represents a relationship using hyperlinking.
     """
     pk_url_kwarg = 'pk'
     slug_field = 'slug'
     slug_url_kwarg = None  # Defaults to same as `slug_field` unless overridden
-    default_read_only = False
-    form_field_class = forms.ChoiceField
+    read_only = False
 
     default_error_messages = {
         'no_match': _('Invalid hyperlink - No URL match'),
         'incorrect_match': _('Invalid hyperlink - Incorrect URL match'),
         'configuration_error': _('Invalid hyperlink due to configuration error'),
         'does_not_exist': _("Invalid hyperlink - object does not exist."),
-        'invalid': _('Invalid value.'),
+        'incorrect_type': _('Incorrect type.  Expected url string, received %s.'),
     }
 
     def __init__(self, *args, **kwargs):
         try:
             self.view_name = kwargs.pop('view_name')
-        except:
+        except KeyError:
             raise ValueError("Hyperlinked field requires 'view_name' kwarg")
 
         self.slug_field = kwargs.pop('slug_field', self.slug_field)
@@ -357,13 +319,20 @@ class HyperlinkedRelatedField(RelatedField):
         view_name = self.view_name
         request = self.context.get('request', None)
         format = self.format or self.context.get('format', None)
+
+        if request is None:
+            warnings.warn("Using `HyperlinkedRelatedField` without including the "
+                          "request in the serializer context is due to be deprecated. "
+                          "Add `context={'request': request}` when instantiating the serializer.",
+                          PendingDeprecationWarning, stacklevel=4)
+
         pk = getattr(obj, 'pk', None)
         if pk is None:
             return
         kwargs = {self.pk_url_kwarg: pk}
         try:
             return reverse(view_name, kwargs=kwargs, request=request, format=format)
-        except:
+        except NoReverseMatch:
             pass
 
         slug = getattr(obj, self.slug_field, None)
@@ -374,13 +343,13 @@ class HyperlinkedRelatedField(RelatedField):
         kwargs = {self.slug_url_kwarg: slug}
         try:
             return reverse(view_name, kwargs=kwargs, request=request, format=format)
-        except:
+        except NoReverseMatch:
             pass
 
         kwargs = {self.pk_url_kwarg: obj.pk, self.slug_url_kwarg: slug}
         try:
             return reverse(view_name, kwargs=kwargs, request=request, format=format)
-        except:
+        except NoReverseMatch:
             pass
 
         raise Exception('Could not resolve URL for field using view name "%s"' % view_name)
@@ -394,19 +363,19 @@ class HyperlinkedRelatedField(RelatedField):
         try:
             http_prefix = value.startswith('http:') or value.startswith('https:')
         except AttributeError:
-            msg = self.error_messages['invalid']
-            raise ValidationError(msg)
+            msg = self.error_messages['incorrect_type']
+            raise ValidationError(msg % type(value).__name__)
 
         if http_prefix:
             # If needed convert absolute URLs to relative path
-            value = urlparse(value).path
+            value = urlparse.urlparse(value).path
             prefix = get_script_prefix()
             if value.startswith(prefix):
                 value = '/' + value[len(prefix):]
 
         try:
             match = resolve(value)
-        except:
+        except Exception:
             raise ValidationError(self.error_messages['no_match'])
 
         if match.view_name != self.view_name:
@@ -431,19 +400,12 @@ class HyperlinkedRelatedField(RelatedField):
         except ObjectDoesNotExist:
             raise ValidationError(self.error_messages['does_not_exist'])
         except (TypeError, ValueError):
-            msg = self.error_messages['invalid']
-            raise ValidationError(msg)
+            msg = self.error_messages['incorrect_type']
+            raise ValidationError(msg % type(value).__name__)
 
         return obj
 
 
-class ManyHyperlinkedRelatedField(ManyRelatedMixin, HyperlinkedRelatedField):
-    """
-    Represents a to-many relationship, using hyperlinking.
-    """
-    form_field_class = forms.MultipleChoiceField
-
-
 class HyperlinkedIdentityField(Field):
     """
     Represents the instance, or a property on the instance, using hyperlinking.
@@ -451,6 +413,7 @@ class HyperlinkedIdentityField(Field):
     pk_url_kwarg = 'pk'
     slug_field = 'slug'
     slug_url_kwarg = None  # Defaults to same as `slug_field` unless overridden
+    read_only = True
 
     def __init__(self, *args, **kwargs):
         # TODO: Make view_name mandatory, and have the
@@ -472,6 +435,12 @@ class HyperlinkedIdentityField(Field):
         view_name = self.view_name or self.parent.opts.view_name
         kwargs = {self.pk_url_kwarg: obj.pk}
 
+        if request is None:
+            warnings.warn("Using `HyperlinkedIdentityField` without including the "
+                          "request in the serializer context is due to be deprecated. "
+                          "Add `context={'request': request}` when instantiating the serializer.",
+                          PendingDeprecationWarning, stacklevel=4)
+
         # By default use whatever format is given for the current context
         # unless the target is a different type to the source.
         #
@@ -486,7 +455,7 @@ class HyperlinkedIdentityField(Field):
 
         try:
             return reverse(view_name, kwargs=kwargs, request=request, format=format)
-        except:
+        except NoReverseMatch:
             pass
 
         slug = getattr(obj, self.slug_field, None)
@@ -497,13 +466,51 @@ class HyperlinkedIdentityField(Field):
         kwargs = {self.slug_url_kwarg: slug}
         try:
             return reverse(view_name, kwargs=kwargs, request=request, format=format)
-        except:
+        except NoReverseMatch:
             pass
 
         kwargs = {self.pk_url_kwarg: obj.pk, self.slug_url_kwarg: slug}
         try:
             return reverse(view_name, kwargs=kwargs, request=request, format=format)
-        except:
+        except NoReverseMatch:
             pass
 
         raise Exception('Could not resolve URL for field using view name "%s"' % view_name)
+
+
+### Old-style many classes for backwards compat
+
+class ManyRelatedField(RelatedField):
+    def __init__(self, *args, **kwargs):
+        warnings.warn('`ManyRelatedField()` is due to be deprecated. '
+                      'Use `RelatedField(many=True)` instead.',
+                       PendingDeprecationWarning, stacklevel=2)
+        kwargs['many'] = True
+        super(ManyRelatedField, self).__init__(*args, **kwargs)
+
+
+class ManyPrimaryKeyRelatedField(PrimaryKeyRelatedField):
+    def __init__(self, *args, **kwargs):
+        warnings.warn('`ManyPrimaryKeyRelatedField()` is due to be deprecated. '
+                      'Use `PrimaryKeyRelatedField(many=True)` instead.',
+                       PendingDeprecationWarning, stacklevel=2)
+        kwargs['many'] = True
+        super(ManyPrimaryKeyRelatedField, self).__init__(*args, **kwargs)
+
+
+class ManySlugRelatedField(SlugRelatedField):
+    def __init__(self, *args, **kwargs):
+        warnings.warn('`ManySlugRelatedField()` is due to be deprecated. '
+                      'Use `SlugRelatedField(many=True)` instead.',
+                       PendingDeprecationWarning, stacklevel=2)
+        kwargs['many'] = True
+        super(ManySlugRelatedField, self).__init__(*args, **kwargs)
+
+
+class ManyHyperlinkedRelatedField(HyperlinkedRelatedField):
+    def __init__(self, *args, **kwargs):
+        warnings.warn('`ManyHyperlinkedRelatedField()` is due to be deprecated. '
+                      'Use `HyperlinkedRelatedField(many=True)` instead.',
+                       PendingDeprecationWarning, stacklevel=2)
+        kwargs['many'] = True
+        super(ManyHyperlinkedRelatedField, self).__init__(*args, **kwargs)
diff --git a/rest_framework/renderers.py b/rest_framework/renderers.py
index 0a34abaa0..4c15e0db3 100644
--- a/rest_framework/renderers.py
+++ b/rest_framework/renderers.py
@@ -6,21 +6,25 @@ on the response, such as JSON encoded data or HTML output.
 
 REST framework also provides an HTML renderer the renders the browsable API.
 """
+from __future__ import unicode_literals
+
 import copy
 import string
 import json
 from django import forms
 from django.http.multipartparser import parse_header
 from django.template import RequestContext, loader, Template
+from django.utils.xmlutils import SimplerXMLGenerator
+from rest_framework.compat import StringIO
+from rest_framework.compat import six
+from rest_framework.compat import smart_text
 from rest_framework.compat import yaml
 from rest_framework.exceptions import ConfigurationError
 from rest_framework.settings import api_settings
 from rest_framework.request import clone_request
-from rest_framework.utils import dict2xml
 from rest_framework.utils import encoders
 from rest_framework.utils.breadcrumbs import get_breadcrumbs
-from rest_framework import VERSION, status
-from rest_framework import parsers
+from rest_framework import exceptions, parsers, status, VERSION
 
 
 class BaseRenderer(object):
@@ -60,7 +64,7 @@ class JSONRenderer(BaseRenderer):
         if accepted_media_type:
             # If the media type looks like 'application/json; indent=4',
             # then pretty print the result.
-            base_media_type, params = parse_header(accepted_media_type)
+            base_media_type, params = parse_header(accepted_media_type.encode('ascii'))
             indent = params.get('indent', indent)
             try:
                 indent = max(min(int(indent), 8), 0)
@@ -86,7 +90,7 @@ class JSONPRenderer(JSONRenderer):
         Determine the name of the callback to wrap around the json output.
         """
         request = renderer_context.get('request', None)
-        params = request and request.GET or {}
+        params = request and request.QUERY_PARAMS or {}
         return params.get(self.callback_parameter, self.default_callback)
 
     def render(self, data, accepted_media_type=None, renderer_context=None):
@@ -100,7 +104,7 @@ class JSONPRenderer(JSONRenderer):
         callback = self.get_callback(renderer_context)
         json = super(JSONPRenderer, self).render(data, accepted_media_type,
                                                  renderer_context)
-        return u"%s(%s);" % (callback, json)
+        return "%s(%s);" % (callback, json)
 
 
 class XMLRenderer(BaseRenderer):
@@ -117,7 +121,38 @@ class XMLRenderer(BaseRenderer):
         """
         if data is None:
             return ''
-        return dict2xml(data)
+
+        stream = StringIO()
+
+        xml = SimplerXMLGenerator(stream, "utf-8")
+        xml.startDocument()
+        xml.startElement("root", {})
+
+        self._to_xml(xml, data)
+
+        xml.endElement("root")
+        xml.endDocument()
+        return stream.getvalue()
+
+    def _to_xml(self, xml, data):
+        if isinstance(data, (list, tuple)):
+            for item in data:
+                xml.startElement("list-item", {})
+                self._to_xml(xml, item)
+                xml.endElement("list-item")
+
+        elif isinstance(data, dict):
+            for key, value in six.iteritems(data):
+                xml.startElement(key, {})
+                self._to_xml(xml, value)
+                xml.endElement(key)
+
+        elif data is None:
+            # Don't output any value
+            pass
+
+        else:
+            xml.characters(smart_text(data))
 
 
 class YAMLRenderer(BaseRenderer):
@@ -133,6 +168,8 @@ class YAMLRenderer(BaseRenderer):
         """
         Renders *obj* into serialized YAML.
         """
+        assert yaml, 'YAMLRenderer requires pyyaml to be installed'
+
         if data is None:
             return ''
 
@@ -215,7 +252,7 @@ class TemplateHTMLRenderer(BaseRenderer):
         try:
             # Try to find an appropriate error template
             return self.resolve_template(template_names)
-        except:
+        except Exception:
             # Fall back to using eg '404 Not Found'
             return Template('%d %s' % (response.status_code,
                                        response.status_text.title()))
@@ -297,12 +334,10 @@ class BrowsableAPIRenderer(BaseRenderer):
         if not api_settings.FORM_METHOD_OVERRIDE:
             return  # Cannot use form overloading
 
-        request = clone_request(request, method)
         try:
-            if not view.has_permission(request, obj):
-                return  # Don't have permission
-        except:
-            return  # Don't have permission and exception explicitly raise
+            view.check_permissions(clone_request(request, method))
+        except exceptions.APIException:
+            return False  # Doesn't have permissions
         return True
 
     def serializer_to_form_fields(self, serializer):
@@ -333,6 +368,7 @@ class BrowsableAPIRenderer(BaseRenderer):
             kwargs['label'] = k
 
             fields[k] = v.form_field_class(**kwargs)
+
         return fields
 
     def get_form(self, view, method, request):
@@ -345,24 +381,23 @@ class BrowsableAPIRenderer(BaseRenderer):
         if not self.show_form_for_method(view, method, request, obj):
             return
 
-        if method == 'DELETE' or method == 'OPTIONS':
+        if method in ('DELETE', 'OPTIONS'):
             return True  # Don't actually need to return a form
 
         if not getattr(view, 'get_serializer', None) or not parsers.FormParser in view.parser_classes:
-            media_types = [parser.media_type for parser in view.parser_classes]
-            return self.get_generic_content_form(media_types)
+            return
 
         serializer = view.get_serializer(instance=obj)
         fields = self.serializer_to_form_fields(serializer)
 
         # Creating an on the fly form see:
         # http://stackoverflow.com/questions/3915024/dynamically-creating-classes-python
-        OnTheFlyForm = type("OnTheFlyForm", (forms.Form,), fields)
+        OnTheFlyForm = type(str("OnTheFlyForm"), (forms.Form,), fields)
         data = (obj is not None) and serializer.data or None
         form_instance = OnTheFlyForm(data)
         return form_instance
 
-    def get_generic_content_form(self, media_types):
+    def get_raw_data_form(self, view, method, request, media_types):
         """
         Returns a form that allows for arbitrary content types to be tunneled
         via standard HTML forms.
@@ -375,6 +410,11 @@ class BrowsableAPIRenderer(BaseRenderer):
                 and api_settings.FORM_CONTENTTYPE_OVERRIDE):
             return None
 
+        # Check permissions
+        obj = getattr(view, 'object', None)
+        if not self.show_form_for_method(view, method, request, obj):
+            return
+
         content_type_field = api_settings.FORM_CONTENTTYPE_OVERRIDE
         content_field = api_settings.FORM_CONTENT_OVERRIDE
         choices = [(media_type, media_type) for media_type in media_types]
@@ -386,7 +426,7 @@ class BrowsableAPIRenderer(BaseRenderer):
                 super(GenericContentForm, self).__init__()
 
                 self.fields[content_type_field] = forms.ChoiceField(
-                    label='Content Type',
+                    label='Media type',
                     choices=choices,
                     initial=initial
                 )
@@ -401,13 +441,13 @@ class BrowsableAPIRenderer(BaseRenderer):
         try:
             return view.get_name()
         except AttributeError:
-            return view.__doc__
+            return smart_text(view.__class__.__name__)
 
     def get_description(self, view):
         try:
             return view.get_description(html=True)
         except AttributeError:
-            return view.__doc__
+            return smart_text(view.__doc__ or '')
 
     def render(self, data, accepted_media_type=None, renderer_context=None):
         """
@@ -422,15 +462,22 @@ class BrowsableAPIRenderer(BaseRenderer):
         view = renderer_context['view']
         request = renderer_context['request']
         response = renderer_context['response']
+        media_types = [parser.media_type for parser in view.parser_classes]
 
         renderer = self.get_default_renderer(view)
         content = self.get_content(renderer, data, accepted_media_type, renderer_context)
 
         put_form = self.get_form(view, 'PUT', request)
         post_form = self.get_form(view, 'POST', request)
+        patch_form = self.get_form(view, 'PATCH', request)
         delete_form = self.get_form(view, 'DELETE', request)
         options_form = self.get_form(view, 'OPTIONS', request)
 
+        raw_data_put_form = self.get_raw_data_form(view, 'PUT', request, media_types)
+        raw_data_post_form = self.get_raw_data_form(view, 'POST', request, media_types)
+        raw_data_patch_form = self.get_raw_data_form(view, 'PATCH', request, media_types)
+        raw_data_put_or_patch_form = raw_data_put_form or raw_data_patch_form
+
         name = self.get_name(view)
         description = self.get_description(view)
         breadcrumb_list = get_breadcrumbs(request.path)
@@ -447,10 +494,18 @@ class BrowsableAPIRenderer(BaseRenderer):
             'breadcrumblist': breadcrumb_list,
             'allowed_methods': view.allowed_methods,
             'available_formats': [renderer.format for renderer in view.renderer_classes],
+
             'put_form': put_form,
             'post_form': post_form,
+            'patch_form': patch_form,
             'delete_form': delete_form,
             'options_form': options_form,
+
+            'raw_data_put_form': raw_data_put_form,
+            'raw_data_post_form': raw_data_post_form,
+            'raw_data_patch_form': raw_data_patch_form,
+            'raw_data_put_or_patch_form': raw_data_put_or_patch_form,
+
             'api_settings': api_settings
         })
 
diff --git a/rest_framework/request.py b/rest_framework/request.py
index b7133608a..ffbbab338 100644
--- a/rest_framework/request.py
+++ b/rest_framework/request.py
@@ -9,10 +9,14 @@ The wrapped request then offers a richer API, in particular :
     - full support of PUT method, including support for file uploads
     - form overloading of HTTP method, content type and content
 """
-from StringIO import StringIO
-
+from __future__ import unicode_literals
+from django.conf import settings
+from django.http import QueryDict
 from django.http.multipartparser import parse_header
+from django.utils.datastructures import MultiValueDict
+from rest_framework import HTTP_HEADER_ENCODING
 from rest_framework import exceptions
+from rest_framework.compat import BytesIO
 from rest_framework.settings import api_settings
 
 
@@ -20,7 +24,7 @@ def is_form_media_type(media_type):
     """
     Return True if the media type is a valid form media type.
     """
-    base_media_type, params = parse_header(media_type)
+    base_media_type, params = parse_header(media_type.encode(HTTP_HEADER_ENCODING))
     return (base_media_type == 'application/x-www-form-urlencoded' or
             base_media_type == 'multipart/form-data')
 
@@ -42,10 +46,11 @@ def clone_request(request, method):
     Internal helper method to clone a request, replacing with a different
     HTTP method.  Used for checking permissions against other methods.
     """
-    ret = Request(request._request,
-                  request.parsers,
-                  request.authenticators,
-                  request.parser_context)
+    ret = Request(request=request._request,
+                  parsers=request.parsers,
+                  authenticators=request.authenticators,
+                  negotiator=request.negotiator,
+                  parser_context=request.parser_context)
     ret._data = request._data
     ret._files = request._files
     ret._content_type = request._content_type
@@ -55,6 +60,8 @@ def clone_request(request, method):
         ret._user = request._user
     if hasattr(request, '_auth'):
         ret._auth = request._auth
+    if hasattr(request, '_authenticator'):
+        ret._authenticator = request._authenticator
     return ret
 
 
@@ -90,6 +97,7 @@ class Request(object):
         if self.parser_context is None:
             self.parser_context = {}
         self.parser_context['request'] = self
+        self.parser_context['encoding'] = request.encoding or settings.DEFAULT_CHARSET
 
     def _default_negotiator(self):
         return api_settings.DEFAULT_CONTENT_NEGOTIATION_CLASS()
@@ -166,17 +174,17 @@ class Request(object):
         by the authentication classes provided to the request.
         """
         if not hasattr(self, '_user'):
-            self._user, self._auth = self._authenticate()
+            self._authenticator, self._user, self._auth = self._authenticate()
         return self._user
 
     @user.setter
     def user(self, value):
-         """
-         Sets the user on the current request. This is necessary to maintain
-         compatilbility with django.contrib.auth where the user proprety is
-         set in the login and logout functions.
-         """
-         self._user = value
+        """
+        Sets the user on the current request. This is necessary to maintain
+        compatilbility with django.contrib.auth where the user proprety is
+        set in the login and logout functions.
+        """
+        self._user = value
 
     @property
     def auth(self):
@@ -185,7 +193,7 @@ class Request(object):
         request, such as an authentication token.
         """
         if not hasattr(self, '_auth'):
-            self._user, self._auth = self._authenticate()
+            self._authenticator, self._user, self._auth = self._authenticate()
         return self._auth
 
     @auth.setter
@@ -196,6 +204,16 @@ class Request(object):
         """
         self._auth = value
 
+    @property
+    def successful_authenticator(self):
+        """
+        Return the instance of the authentication instance class that was used
+        to authenticate the request, or `None`.
+        """
+        if not hasattr(self, '_authenticator'):
+            self._authenticator, self._user, self._auth = self._authenticate()
+        return self._authenticator
+
     def _load_data_and_files(self):
         """
         Parses the request content into self.DATA and self.FILES.
@@ -213,11 +231,17 @@ class Request(object):
         """
         self._content_type = self.META.get('HTTP_CONTENT_TYPE',
                                            self.META.get('CONTENT_TYPE', ''))
+
         self._perform_form_overloading()
-        # if the HTTP method was not overloaded, we take the raw HTTP method
+
         if not _hasattr(self, '_method'):
             self._method = self._request.method
 
+            if self._method == 'POST':
+                # Allow X-HTTP-METHOD-OVERRIDE header
+                self._method = self.META.get('HTTP_X_HTTP_METHOD_OVERRIDE',
+                                             self._method)
+
     def _load_stream(self):
         """
         Return the content body of the request, as a stream.
@@ -233,7 +257,7 @@ class Request(object):
         elif hasattr(self._request, 'read'):
             self._stream = self._request
         else:
-            self._stream = StringIO(self.raw_post_data)
+            self._stream = BytesIO(self.raw_post_data)
 
     def _perform_form_overloading(self):
         """
@@ -268,7 +292,7 @@ class Request(object):
             self._CONTENT_PARAM in self._data and
             self._CONTENTTYPE_PARAM in self._data):
             self._content_type = self._data[self._CONTENTTYPE_PARAM]
-            self._stream = StringIO(self._data[self._CONTENT_PARAM])
+            self._stream = BytesIO(self._data[self._CONTENT_PARAM].encode(HTTP_HEADER_ENCODING))
             self._data, self._files = (Empty, Empty)
 
     def _parse(self):
@@ -281,7 +305,9 @@ class Request(object):
         media_type = self.content_type
 
         if stream is None or media_type is None:
-            return (None, None)
+            empty_data = QueryDict('', self._request._encoding)
+            empty_files = MultiValueDict()
+            return (empty_data, empty_files)
 
         parser = self.negotiator.select_parser(self, self.parsers)
 
@@ -295,25 +321,28 @@ class Request(object):
         try:
             return (parsed.data, parsed.files)
         except AttributeError:
-            return (parsed, None)
+            empty_files = MultiValueDict()
+            return (parsed, empty_files)
 
     def _authenticate(self):
         """
-        Attempt to authenticate the request using each authentication instance in turn.
-        Returns a two-tuple of (user, authtoken).
+        Attempt to authenticate the request using each authentication instance
+        in turn.
+        Returns a three-tuple of (authenticator, user, authtoken).
         """
         for authenticator in self.authenticators:
             user_auth_tuple = authenticator.authenticate(self)
             if not user_auth_tuple is None:
-                return user_auth_tuple
+                user, auth = user_auth_tuple
+                return (authenticator, user, auth)
         return self._not_authenticated()
 
     def _not_authenticated(self):
         """
-        Return a two-tuple of (user, authtoken), representing an
-        unauthenticated request.
+        Return a three-tuple of (authenticator, user, authtoken), representing
+        an unauthenticated request.
 
-        By default this will be (AnonymousUser, None).
+        By default this will be (None, AnonymousUser, None).
         """
         if api_settings.UNAUTHENTICATED_USER:
             user = api_settings.UNAUTHENTICATED_USER()
@@ -325,7 +354,7 @@ class Request(object):
         else:
             auth = None
 
-        return (user, auth)
+        return (None, user, auth)
 
     def __getattr__(self, attr):
         """
diff --git a/rest_framework/response.py b/rest_framework/response.py
index be78c43ae..5e1bf46e2 100644
--- a/rest_framework/response.py
+++ b/rest_framework/response.py
@@ -1,5 +1,7 @@
+from __future__ import unicode_literals
 from django.core.handlers.wsgi import STATUS_CODE_TEXT
 from django.template.response import SimpleTemplateResponse
+from rest_framework.compat import six
 
 
 class Response(SimpleTemplateResponse):
@@ -22,9 +24,9 @@ class Response(SimpleTemplateResponse):
         self.data = data
         self.template_name = template_name
         self.exception = exception
-        
+
         if headers:
-            for name,value in headers.iteritems():
+            for name, value in six.iteritems(headers):
                 self[name] = value
 
     @property
diff --git a/rest_framework/reverse.py b/rest_framework/reverse.py
index c9db02f06..a51b07f54 100644
--- a/rest_framework/reverse.py
+++ b/rest_framework/reverse.py
@@ -1,6 +1,7 @@
 """
 Provide reverse functions that return fully qualified URLs
 """
+from __future__ import unicode_literals
 from django.core.urlresolvers import reverse as django_reverse
 from django.utils.functional import lazy
 
diff --git a/rest_framework/runtests/runcoverage.py b/rest_framework/runtests/runcoverage.py
index bcab1d148..ce11b213e 100755
--- a/rest_framework/runtests/runcoverage.py
+++ b/rest_framework/runtests/runcoverage.py
@@ -52,12 +52,15 @@ def main():
         if os.path.basename(path) in ['tests', 'runtests', 'migrations']:
             continue
 
-        # Drop the compat module from coverage, since we're not interested in the coverage
-        # of a module which is specifically for resolving environment dependant imports.
+        # Drop the compat and six modules from coverage, since we're not interested in the coverage
+        # of modules which are specifically for resolving environment dependant imports.
         # (Because we'll end up getting different coverage reports for it for each environment)
         if 'compat.py' in files:
             files.remove('compat.py')
 
+        if 'six.py' in files:
+            files.remove('six.py')
+
         # Same applies to template tags module.
         # This module has to include branching on Django versions,
         # so it's never possible for it to have full coverage.
diff --git a/rest_framework/runtests/runtests.py b/rest_framework/runtests/runtests.py
index 505994e28..4a333fb3e 100755
--- a/rest_framework/runtests/runtests.py
+++ b/rest_framework/runtests/runtests.py
@@ -33,7 +33,7 @@ def main():
     elif len(sys.argv) == 1:
         test_case = ''
     else:
-        print usage()
+        print(usage())
         sys.exit(1)
     failures = test_runner.run_tests(['tests' + test_case])
 
diff --git a/rest_framework/runtests/settings.py b/rest_framework/runtests/settings.py
index dd5d9dc3c..9b519f271 100644
--- a/rest_framework/runtests/settings.py
+++ b/rest_framework/runtests/settings.py
@@ -97,11 +97,41 @@ INSTALLED_APPS = (
     # 'django.contrib.admindocs',
     'rest_framework',
     'rest_framework.authtoken',
-    'rest_framework.tests'
+    'rest_framework.tests',
 )
 
+# OAuth is optional and won't work if there is no oauth_provider & oauth2
+try:
+    import oauth_provider
+    import oauth2
+except ImportError:
+    pass
+else:
+    INSTALLED_APPS += (
+        'oauth_provider',
+    )
+
+try:
+    import provider
+except ImportError:
+    pass
+else:
+    INSTALLED_APPS += (
+        'provider',
+        'provider.oauth2',
+    )
+
 STATIC_URL = '/static/'
 
+PASSWORD_HASHERS = (
+    'django.contrib.auth.hashers.SHA1PasswordHasher',
+    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
+    'django.contrib.auth.hashers.BCryptPasswordHasher',
+    'django.contrib.auth.hashers.MD5PasswordHasher',
+    'django.contrib.auth.hashers.CryptPasswordHasher',
+)
+
 import django
 
 if django.VERSION < (1, 3):
diff --git a/rest_framework/serializers.py b/rest_framework/serializers.py
index 27458f968..4fe857a61 100644
--- a/rest_framework/serializers.py
+++ b/rest_framework/serializers.py
@@ -1,11 +1,13 @@
+from __future__ import unicode_literals
 import copy
 import datetime
 import types
 from decimal import Decimal
+from django.core.paginator import Page
 from django.db import models
 from django.forms import widgets
 from django.utils.datastructures import SortedDict
-from rest_framework.compat import get_concrete_model
+from rest_framework.compat import get_concrete_model, six
 
 # Note: We do the following so that users of the framework can use this style:
 #
@@ -25,20 +27,23 @@ class DictWithMetadata(dict):
     def __getstate__(self):
         """
         Used by pickle (e.g., caching).
-        Overriden to remove metadata from the dict, since it shouldn't be pickled
-        and may in some instances be unpickleable.
+        Overriden to remove the metadata from the dict, since it shouldn't be
+        pickled and may in some instances be unpickleable.
         """
-        # return an instance of the first dict in MRO that isn't a DictWithMetadata
-        for base in self.__class__.__mro__:
-            if not isinstance(base, DictWithMetadata) and isinstance(base, dict):
-                return base(self)
+        return dict(self)
 
 
-class SortedDictWithMetadata(SortedDict, DictWithMetadata):
+class SortedDictWithMetadata(SortedDict):
     """
     A sorted dict-like object, that can have additional properties attached.
     """
-    pass
+    def __getstate__(self):
+        """
+        Used by pickle (e.g., caching).
+        Overriden to remove the metadata from the dict, since it shouldn't be
+        pickle and may in some instances be unpickleable.
+        """
+        return SortedDict(self).__dict__
 
 
 def _is_protected_type(obj):
@@ -63,7 +68,7 @@ def _get_declared_fields(bases, attrs):
     Note that all fields from the base classes are used.
     """
     fields = [(field_name, attrs.pop(field_name))
-              for field_name, obj in attrs.items()
+              for field_name, obj in list(six.iteritems(attrs))
               if isinstance(obj, Field)]
     fields.sort(key=lambda x: x[1].creation_counter)
 
@@ -72,7 +77,7 @@ def _get_declared_fields(bases, attrs):
     # in order to maintain the correct order of fields.
     for base in bases[::-1]:
         if hasattr(base, 'base_fields'):
-            fields = base.base_fields.items() + fields
+            fields = list(base.base_fields.items()) + fields
 
     return SortedDict(fields)
 
@@ -94,19 +99,24 @@ class SerializerOptions(object):
 
 
 class BaseSerializer(Field):
+    """
+    This is the Serializer implementation.
+    We need to implement it as `BaseSerializer` due to metaclass magicks.
+    """
     class Meta(object):
         pass
 
     _options_class = SerializerOptions
-    _dict_class = SortedDictWithMetadata  # Set to unsorted dict for backwards compatibility with unsorted implementations.
+    _dict_class = SortedDictWithMetadata
 
     def __init__(self, instance=None, data=None, files=None,
-                 context=None, partial=False, **kwargs):
-        super(BaseSerializer, self).__init__(**kwargs)
+                 context=None, partial=False, many=None, source=None):
+        super(BaseSerializer, self).__init__(source=source)
         self.opts = self._options_class(self.Meta)
         self.parent = None
         self.root = None
         self.partial = partial
+        self.many = many
 
         self.context = context or {}
 
@@ -150,6 +160,7 @@ class BaseSerializer(Field):
 
         # If 'fields' is specified, use those fields, in that order.
         if self.opts.fields:
+            assert isinstance(self.opts.fields, (list, tuple)), '`include` must be a list or tuple'
             new = SortedDict()
             for key in self.opts.fields:
                 new[key] = ret[key]
@@ -157,6 +168,7 @@ class BaseSerializer(Field):
 
         # Remove anything in 'exclude'
         if self.opts.exclude:
+            assert isinstance(self.opts.fields, (list, tuple)), '`exclude` must be a list or tuple'
             for key in self.opts.exclude:
                 ret.pop(key, None)
 
@@ -186,22 +198,6 @@ class BaseSerializer(Field):
         """
         return field_name
 
-    def convert_object(self, obj):
-        """
-        Core of serialization.
-        Convert an object into a dictionary of serialized field values.
-        """
-        ret = self._dict_class()
-        ret.fields = {}
-
-        for field_name, field in self.fields.items():
-            field.initialize(parent=self, field_name=field_name)
-            key = self.get_field_key(field_name)
-            value = field.field_to_native(obj, field_name)
-            ret[key] = value
-            ret.fields[key] = field
-        return ret
-
     def restore_fields(self, data, files):
         """
         Core of deserialization, together with `restore_object`.
@@ -210,7 +206,7 @@ class BaseSerializer(Field):
         reverted_data = {}
 
         if data is not None and not isinstance(data, dict):
-            self._errors['non_field_errors'] = [u'Invalid data']
+            self._errors['non_field_errors'] = ['Invalid data']
             return None
 
         for field_name, field in self.fields.items():
@@ -227,6 +223,8 @@ class BaseSerializer(Field):
         Run `validate_()` and `validate()` methods on the serializer
         """
         for field_name, field in self.fields.items():
+            if field_name in self._errors:
+                continue
             try:
                 validate_method = getattr(self, 'validate_%s' % field_name, None)
                 if validate_method:
@@ -271,18 +269,21 @@ class BaseSerializer(Field):
         """
         Serialize objects -> primitives.
         """
-        if hasattr(obj, '__iter__'):
-            return [self.convert_object(item) for item in obj]
-        return self.convert_object(obj)
+        ret = self._dict_class()
+        ret.fields = {}
+
+        for field_name, field in self.fields.items():
+            field.initialize(parent=self, field_name=field_name)
+            key = self.get_field_key(field_name)
+            value = field.field_to_native(obj, field_name)
+            ret[key] = value
+            ret.fields[key] = field
+        return ret
 
     def from_native(self, data, files):
         """
         Deserialize primitives -> objects.
         """
-        if hasattr(data, '__iter__') and not isinstance(data, dict):
-            # TODO: error data when deserializing lists
-            return [self.from_native(item, None) for item in data]
-
         self._errors = {}
         if data is not None or files is not None:
             attrs = self.restore_fields(data, files)
@@ -298,6 +299,9 @@ class BaseSerializer(Field):
         Override default so that we can apply ModelSerializer as a nested
         field to relationships.
         """
+        if self.source == '*':
+            return self.to_native(obj)
+
         try:
             if self.source:
                 for component in self.source.split('.'):
@@ -318,6 +322,13 @@ class BaseSerializer(Field):
         if obj is None:
             return None
 
+        if self.many is not None:
+            many = self.many
+        else:
+            many = hasattr(obj, '__iter__') and not isinstance(obj, (Page, dict, six.text_type))
+
+        if many:
+            return [self.to_native(item) for item in obj]
         return self.to_native(obj)
 
     @property
@@ -327,9 +338,30 @@ class BaseSerializer(Field):
         setting self.object if no errors occurred.
         """
         if self._errors is None:
-            obj = self.from_native(self.init_data, self.init_files)
+            data, files = self.init_data, self.init_files
+
+            if self.many is not None:
+                many = self.many
+            else:
+                many = hasattr(data, '__iter__') and not isinstance(data, (Page, dict, six.text_type))
+                if many:
+                    warnings.warn('Implict list/queryset serialization is due to be deprecated. '
+                                  'Use the `many=True` flag when instantiating the serializer.',
+                                  PendingDeprecationWarning, stacklevel=3)
+
+            if many:
+                ret = []
+                errors = []
+                for item in data:
+                    ret.append(self.from_native(item, None))
+                    errors.append(self._errors)
+                self._errors = any(errors) and errors or []
+            else:
+                ret = self.from_native(data, files)
+
             if not self._errors:
-                self.object = obj
+                self.object = ret
+
         return self._errors
 
     def is_valid(self):
@@ -337,20 +369,44 @@ class BaseSerializer(Field):
 
     @property
     def data(self):
+        """
+        Returns the serialized data on the serializer.
+        """
         if self._data is None:
-            self._data = self.to_native(self.object)
+            obj = self.object
+
+            if self.many is not None:
+                many = self.many
+            else:
+                many = hasattr(obj, '__iter__') and not isinstance(obj, (Page, dict))
+                if many:
+                    warnings.warn('Implict list/queryset serialization is due to be deprecated. '
+                                  'Use the `many=True` flag when instantiating the serializer.',
+                                  PendingDeprecationWarning, stacklevel=2)
+
+            if many:
+                self._data = [self.to_native(item) for item in obj]
+            else:
+                self._data = self.to_native(obj)
+
         return self._data
 
-    def save(self):
+    def save_object(self, obj, **kwargs):
+        obj.save(**kwargs)
+
+    def save(self, **kwargs):
         """
         Save the deserialized object and return it.
         """
-        self.object.save()
+        if isinstance(self.object, list):
+            [self.save_object(item, **kwargs) for item in self.object]
+        else:
+            self.save_object(self.object, **kwargs)
         return self.object
 
 
-class Serializer(BaseSerializer):
-    __metaclass__ = SerializerMetaclass
+class Serializer(six.with_metaclass(SerializerMetaclass, BaseSerializer)):
+    pass
 
 
 class ModelSerializerOptions(SerializerOptions):
@@ -369,16 +425,42 @@ class ModelSerializer(Serializer):
     """
     _options_class = ModelSerializerOptions
 
+    field_mapping = {
+        models.AutoField: IntegerField,
+        models.FloatField: FloatField,
+        models.IntegerField: IntegerField,
+        models.PositiveIntegerField: IntegerField,
+        models.SmallIntegerField: IntegerField,
+        models.PositiveSmallIntegerField: IntegerField,
+        models.DateTimeField: DateTimeField,
+        models.DateField: DateField,
+        models.TimeField: TimeField,
+        models.EmailField: EmailField,
+        models.CharField: CharField,
+        models.URLField: URLField,
+        models.SlugField: SlugField,
+        models.TextField: CharField,
+        models.CommaSeparatedIntegerField: CharField,
+        models.BooleanField: BooleanField,
+        models.FileField: FileField,
+        models.ImageField: ImageField,
+    }
+
     def get_default_fields(self):
         """
         Return all the fields that should be serialized for the model.
         """
 
         cls = self.opts.model
+        assert cls is not None, \
+                "Serializer class '%s' is missing 'model' Meta option" % self.__class__.__name__
         opts = get_concrete_model(cls)._meta
         pk_field = opts.pk
-        while pk_field.rel:
+
+        # If model is a child via multitable inheritance, use parent's pk
+        while pk_field.rel and pk_field.rel.parent_link:
             pk_field = pk_field.rel.to._meta.pk
+
         fields = [pk_field]
         fields += [field for field in opts.fields if field.serialize]
         fields += [field for field in opts.many_to_many if field.serialize]
@@ -433,12 +515,11 @@ class ModelSerializer(Serializer):
         # TODO: filter queryset using:
         # .using(db).complex_filter(self.rel.limit_choices_to)
         kwargs = {
-            'null': model_field.null or model_field.blank,
-            'queryset': model_field.rel.to._default_manager
+            'required': not(model_field.null or model_field.blank),
+            'queryset': model_field.rel.to._default_manager,
+            'many': to_many
         }
 
-        if to_many:
-            return ManyPrimaryKeyRelatedField(**kwargs)
         return PrimaryKeyRelatedField(**kwargs)
 
     def get_field(self, model_field):
@@ -446,20 +527,18 @@ class ModelSerializer(Serializer):
         Creates a default instance of a basic non-relational field.
         """
         kwargs = {}
+        has_default = model_field.has_default()
 
-        kwargs['blank'] = model_field.blank
-
-        if model_field.null or model_field.blank:
+        if model_field.null or model_field.blank or has_default:
             kwargs['required'] = False
 
         if isinstance(model_field, models.AutoField) or not model_field.editable:
             kwargs['read_only'] = True
 
-        if model_field.has_default():
-            kwargs['required'] = False
+        if has_default:
             kwargs['default'] = model_field.get_default()
 
-        if model_field.__class__ == models.TextField:
+        if issubclass(model_field.__class__, models.TextField):
             kwargs['widget'] = widgets.Textarea
 
         # TODO: TypedChoiceField?
@@ -467,27 +546,8 @@ class ModelSerializer(Serializer):
             kwargs['choices'] = model_field.flatchoices
             return ChoiceField(**kwargs)
 
-        field_mapping = {
-            models.AutoField: IntegerField,
-            models.FloatField: FloatField,
-            models.IntegerField: IntegerField,
-            models.PositiveIntegerField: IntegerField,
-            models.SmallIntegerField: IntegerField,
-            models.PositiveSmallIntegerField: IntegerField,
-            models.DateTimeField: DateTimeField,
-            models.DateField: DateField,
-            models.EmailField: EmailField,
-            models.CharField: CharField,
-            models.URLField: URLField,
-            models.SlugField: SlugField,
-            models.TextField: CharField,
-            models.CommaSeparatedIntegerField: CharField,
-            models.BooleanField: BooleanField,
-            models.FileField: FileField,
-            models.ImageField: ImageField,
-        }
         try:
-            return field_mapping[model_field.__class__](**kwargs)
+            return self.field_mapping[model_field.__class__](**kwargs)
         except KeyError:
             return ModelField(model_field=model_field, **kwargs)
 
@@ -499,10 +559,27 @@ class ModelSerializer(Serializer):
         opts = get_concrete_model(cls)._meta
         exclusions = [field.name for field in opts.fields + opts.many_to_many]
         for field_name, field in self.fields.items():
+            field_name = field.source or field_name
             if field_name in exclusions and not field.read_only:
                 exclusions.remove(field_name)
         return exclusions
 
+    def full_clean(self, instance):
+        """
+        Perform Django's full_clean, and populate the `errors` dictionary
+        if any validation errors occur.
+
+        Note that we don't perform this inside the `.restore_object()` method,
+        so that subclasses can override `.restore_object()`, and still get
+        the full_clean validation checking.
+        """
+        try:
+            instance.full_clean(exclude=self.get_validation_exclusions())
+        except ValidationError as err:
+            self._errors = err.message_dict
+            return None
+        return instance
+
     def restore_object(self, attrs, instance=None):
         """
         Restore the model instance.
@@ -534,19 +611,21 @@ class ModelSerializer(Serializer):
         else:
             instance = self.opts.model(**attrs)
 
-        try:
-            instance.full_clean(exclude=self.get_validation_exclusions())
-        except ValidationError, err:
-            self._errors = err.message_dict
-            return None
-
         return instance
 
-    def save(self):
+    def from_native(self, data, files):
+        """
+        Override the default method to also include model field validation.
+        """
+        instance = super(ModelSerializer, self).from_native(data, files)
+        if instance:
+            return self.full_clean(instance)
+
+    def save_object(self, obj, **kwargs):
         """
         Save the deserialized object and return it.
         """
-        self.object.save()
+        obj.save(**kwargs)
 
         if getattr(self, 'm2m_data', None):
             for accessor_name, object_list in self.m2m_data.items():
@@ -558,8 +637,6 @@ class ModelSerializer(Serializer):
                 setattr(self.object, accessor_name, object_list)
             self.related_data = {}
 
-        return self.object
-
 
 class HyperlinkedModelSerializerOptions(ModelSerializerOptions):
     """
@@ -572,6 +649,8 @@ class HyperlinkedModelSerializerOptions(ModelSerializerOptions):
 
 class HyperlinkedModelSerializer(ModelSerializer):
     """
+    A subclass of ModelSerializer that uses hyperlinked relationships,
+    instead of primary key relationships.
     """
     _options_class = HyperlinkedModelSerializerOptions
     _default_view_name = '%(model_name)s-detail'
@@ -605,10 +684,9 @@ class HyperlinkedModelSerializer(ModelSerializer):
         # .using(db).complex_filter(self.rel.limit_choices_to)
         rel = model_field.rel.to
         kwargs = {
-            'null': model_field.null,
+            'required': not(model_field.null or model_field.blank),
             'queryset': rel._default_manager,
-            'view_name': self._get_default_view_name(rel)
+            'view_name': self._get_default_view_name(rel),
+            'many': to_many
         }
-        if to_many:
-            return ManyHyperlinkedRelatedField(**kwargs)
         return HyperlinkedRelatedField(**kwargs)
diff --git a/rest_framework/settings.py b/rest_framework/settings.py
index 5c77c55cd..eede0c5a0 100644
--- a/rest_framework/settings.py
+++ b/rest_framework/settings.py
@@ -17,9 +17,14 @@ This module provides the `api_setting` object, that is used to access
 REST framework settings, checking for user settings first, then falling
 back to the defaults.
 """
+from __future__ import unicode_literals
+
 from django.conf import settings
 from django.utils import importlib
 
+from rest_framework import ISO_8601
+from rest_framework.compat import six
+
 
 USER_SETTINGS = getattr(settings, 'REST_FRAMEWORK', None)
 
@@ -74,6 +79,22 @@ DEFAULTS = {
     'URL_FORMAT_OVERRIDE': 'format',
 
     'FORMAT_SUFFIX_KWARG': 'format',
+
+    # Input and output formats
+    'DATE_INPUT_FORMATS': (
+        ISO_8601,
+    ),
+    'DATE_FORMAT': ISO_8601,
+
+    'DATETIME_INPUT_FORMATS': (
+        ISO_8601,
+    ),
+    'DATETIME_FORMAT': ISO_8601,
+
+    'TIME_INPUT_FORMATS': (
+        ISO_8601,
+    ),
+    'TIME_FORMAT': ISO_8601,
 }
 
 
@@ -98,7 +119,7 @@ def perform_import(val, setting_name):
     If the given setting is a string import notation,
     then perform the necessary import or imports.
     """
-    if isinstance(val, basestring):
+    if isinstance(val, six.string_types):
         return import_from_string(val, setting_name)
     elif isinstance(val, (list, tuple)):
         return [import_from_string(item, setting_name) for item in val]
diff --git a/rest_framework/six.py b/rest_framework/six.py
new file mode 100644
index 000000000..9e3823128
--- /dev/null
+++ b/rest_framework/six.py
@@ -0,0 +1,389 @@
+"""Utilities for writing code that runs on Python 2 and 3"""
+
+import operator
+import sys
+import types
+
+__author__ = "Benjamin Peterson "
+__version__ = "1.2.0"
+
+
+# True if we are running on Python 3.
+PY3 = sys.version_info[0] == 3
+
+if PY3:
+    string_types = str,
+    integer_types = int,
+    class_types = type,
+    text_type = str
+    binary_type = bytes
+
+    MAXSIZE = sys.maxsize
+else:
+    string_types = basestring,
+    integer_types = (int, long)
+    class_types = (type, types.ClassType)
+    text_type = unicode
+    binary_type = str
+
+    if sys.platform == "java":
+        # Jython always uses 32 bits.
+        MAXSIZE = int((1 << 31) - 1)
+    else:
+        # It's possible to have sizeof(long) != sizeof(Py_ssize_t).
+        class X(object):
+            def __len__(self):
+                return 1 << 31
+        try:
+            len(X())
+        except OverflowError:
+            # 32-bit
+            MAXSIZE = int((1 << 31) - 1)
+        else:
+            # 64-bit
+            MAXSIZE = int((1 << 63) - 1)
+            del X
+
+
+def _add_doc(func, doc):
+    """Add documentation to a function."""
+    func.__doc__ = doc
+
+
+def _import_module(name):
+    """Import module, returning the module after the last dot."""
+    __import__(name)
+    return sys.modules[name]
+
+
+class _LazyDescr(object):
+
+    def __init__(self, name):
+        self.name = name
+
+    def __get__(self, obj, tp):
+        result = self._resolve()
+        setattr(obj, self.name, result)
+        # This is a bit ugly, but it avoids running this again.
+        delattr(tp, self.name)
+        return result
+
+
+class MovedModule(_LazyDescr):
+
+    def __init__(self, name, old, new=None):
+        super(MovedModule, self).__init__(name)
+        if PY3:
+            if new is None:
+                new = name
+            self.mod = new
+        else:
+            self.mod = old
+
+    def _resolve(self):
+        return _import_module(self.mod)
+
+
+class MovedAttribute(_LazyDescr):
+
+    def __init__(self, name, old_mod, new_mod, old_attr=None, new_attr=None):
+        super(MovedAttribute, self).__init__(name)
+        if PY3:
+            if new_mod is None:
+                new_mod = name
+            self.mod = new_mod
+            if new_attr is None:
+                if old_attr is None:
+                    new_attr = name
+                else:
+                    new_attr = old_attr
+            self.attr = new_attr
+        else:
+            self.mod = old_mod
+            if old_attr is None:
+                old_attr = name
+            self.attr = old_attr
+
+    def _resolve(self):
+        module = _import_module(self.mod)
+        return getattr(module, self.attr)
+
+
+
+class _MovedItems(types.ModuleType):
+    """Lazy loading of moved objects"""
+
+
+_moved_attributes = [
+    MovedAttribute("cStringIO", "cStringIO", "io", "StringIO"),
+    MovedAttribute("filter", "itertools", "builtins", "ifilter", "filter"),
+    MovedAttribute("input", "__builtin__", "builtins", "raw_input", "input"),
+    MovedAttribute("map", "itertools", "builtins", "imap", "map"),
+    MovedAttribute("reload_module", "__builtin__", "imp", "reload"),
+    MovedAttribute("reduce", "__builtin__", "functools"),
+    MovedAttribute("StringIO", "StringIO", "io"),
+    MovedAttribute("xrange", "__builtin__", "builtins", "xrange", "range"),
+    MovedAttribute("zip", "itertools", "builtins", "izip", "zip"),
+
+    MovedModule("builtins", "__builtin__"),
+    MovedModule("configparser", "ConfigParser"),
+    MovedModule("copyreg", "copy_reg"),
+    MovedModule("http_cookiejar", "cookielib", "http.cookiejar"),
+    MovedModule("http_cookies", "Cookie", "http.cookies"),
+    MovedModule("html_entities", "htmlentitydefs", "html.entities"),
+    MovedModule("html_parser", "HTMLParser", "html.parser"),
+    MovedModule("http_client", "httplib", "http.client"),
+    MovedModule("BaseHTTPServer", "BaseHTTPServer", "http.server"),
+    MovedModule("CGIHTTPServer", "CGIHTTPServer", "http.server"),
+    MovedModule("SimpleHTTPServer", "SimpleHTTPServer", "http.server"),
+    MovedModule("cPickle", "cPickle", "pickle"),
+    MovedModule("queue", "Queue"),
+    MovedModule("reprlib", "repr"),
+    MovedModule("socketserver", "SocketServer"),
+    MovedModule("tkinter", "Tkinter"),
+    MovedModule("tkinter_dialog", "Dialog", "tkinter.dialog"),
+    MovedModule("tkinter_filedialog", "FileDialog", "tkinter.filedialog"),
+    MovedModule("tkinter_scrolledtext", "ScrolledText", "tkinter.scrolledtext"),
+    MovedModule("tkinter_simpledialog", "SimpleDialog", "tkinter.simpledialog"),
+    MovedModule("tkinter_tix", "Tix", "tkinter.tix"),
+    MovedModule("tkinter_constants", "Tkconstants", "tkinter.constants"),
+    MovedModule("tkinter_dnd", "Tkdnd", "tkinter.dnd"),
+    MovedModule("tkinter_colorchooser", "tkColorChooser",
+                "tkinter.colorchooser"),
+    MovedModule("tkinter_commondialog", "tkCommonDialog",
+                "tkinter.commondialog"),
+    MovedModule("tkinter_tkfiledialog", "tkFileDialog", "tkinter.filedialog"),
+    MovedModule("tkinter_font", "tkFont", "tkinter.font"),
+    MovedModule("tkinter_messagebox", "tkMessageBox", "tkinter.messagebox"),
+    MovedModule("tkinter_tksimpledialog", "tkSimpleDialog",
+                "tkinter.simpledialog"),
+    MovedModule("urllib_robotparser", "robotparser", "urllib.robotparser"),
+    MovedModule("winreg", "_winreg"),
+]
+for attr in _moved_attributes:
+    setattr(_MovedItems, attr.name, attr)
+del attr
+
+moves = sys.modules["django.utils.six.moves"] = _MovedItems("moves")
+
+
+def add_move(move):
+    """Add an item to six.moves."""
+    setattr(_MovedItems, move.name, move)
+
+
+def remove_move(name):
+    """Remove item from six.moves."""
+    try:
+        delattr(_MovedItems, name)
+    except AttributeError:
+        try:
+            del moves.__dict__[name]
+        except KeyError:
+            raise AttributeError("no such move, %r" % (name,))
+
+
+if PY3:
+    _meth_func = "__func__"
+    _meth_self = "__self__"
+
+    _func_code = "__code__"
+    _func_defaults = "__defaults__"
+
+    _iterkeys = "keys"
+    _itervalues = "values"
+    _iteritems = "items"
+else:
+    _meth_func = "im_func"
+    _meth_self = "im_self"
+
+    _func_code = "func_code"
+    _func_defaults = "func_defaults"
+
+    _iterkeys = "iterkeys"
+    _itervalues = "itervalues"
+    _iteritems = "iteritems"
+
+
+try:
+    advance_iterator = next
+except NameError:
+    def advance_iterator(it):
+        return it.next()
+next = advance_iterator
+
+
+if PY3:
+    def get_unbound_function(unbound):
+        return unbound
+
+    Iterator = object
+
+    def callable(obj):
+        return any("__call__" in klass.__dict__ for klass in type(obj).__mro__)
+else:
+    def get_unbound_function(unbound):
+        return unbound.im_func
+
+    class Iterator(object):
+
+        def next(self):
+            return type(self).__next__(self)
+
+    callable = callable
+_add_doc(get_unbound_function,
+         """Get the function out of a possibly unbound function""")
+
+
+get_method_function = operator.attrgetter(_meth_func)
+get_method_self = operator.attrgetter(_meth_self)
+get_function_code = operator.attrgetter(_func_code)
+get_function_defaults = operator.attrgetter(_func_defaults)
+
+
+def iterkeys(d):
+    """Return an iterator over the keys of a dictionary."""
+    return iter(getattr(d, _iterkeys)())
+
+def itervalues(d):
+    """Return an iterator over the values of a dictionary."""
+    return iter(getattr(d, _itervalues)())
+
+def iteritems(d):
+    """Return an iterator over the (key, value) pairs of a dictionary."""
+    return iter(getattr(d, _iteritems)())
+
+
+if PY3:
+    def b(s):
+        return s.encode("latin-1")
+    def u(s):
+        return s
+    if sys.version_info[1] <= 1:
+        def int2byte(i):
+            return bytes((i,))
+    else:
+        # This is about 2x faster than the implementation above on 3.2+
+        int2byte = operator.methodcaller("to_bytes", 1, "big")
+    import io
+    StringIO = io.StringIO
+    BytesIO = io.BytesIO
+else:
+    def b(s):
+        return s
+    def u(s):
+        return unicode(s, "unicode_escape")
+    int2byte = chr
+    import StringIO
+    StringIO = BytesIO = StringIO.StringIO
+_add_doc(b, """Byte literal""")
+_add_doc(u, """Text literal""")
+
+
+if PY3:
+    import builtins
+    exec_ = getattr(builtins, "exec")
+
+
+    def reraise(tp, value, tb=None):
+        if value.__traceback__ is not tb:
+            raise value.with_traceback(tb)
+        raise value
+
+
+    print_ = getattr(builtins, "print")
+    del builtins
+
+else:
+    def exec_(code, globs=None, locs=None):
+        """Execute code in a namespace."""
+        if globs is None:
+            frame = sys._getframe(1)
+            globs = frame.f_globals
+            if locs is None:
+                locs = frame.f_locals
+            del frame
+        elif locs is None:
+            locs = globs
+        exec("""exec code in globs, locs""")
+
+
+    exec_("""def reraise(tp, value, tb=None):
+    raise tp, value, tb
+""")
+
+
+    def print_(*args, **kwargs):
+        """The new-style print function."""
+        fp = kwargs.pop("file", sys.stdout)
+        if fp is None:
+            return
+        def write(data):
+            if not isinstance(data, basestring):
+                data = str(data)
+            fp.write(data)
+        want_unicode = False
+        sep = kwargs.pop("sep", None)
+        if sep is not None:
+            if isinstance(sep, unicode):
+                want_unicode = True
+            elif not isinstance(sep, str):
+                raise TypeError("sep must be None or a string")
+        end = kwargs.pop("end", None)
+        if end is not None:
+            if isinstance(end, unicode):
+                want_unicode = True
+            elif not isinstance(end, str):
+                raise TypeError("end must be None or a string")
+        if kwargs:
+            raise TypeError("invalid keyword arguments to print()")
+        if not want_unicode:
+            for arg in args:
+                if isinstance(arg, unicode):
+                    want_unicode = True
+                    break
+        if want_unicode:
+            newline = unicode("\n")
+            space = unicode(" ")
+        else:
+            newline = "\n"
+            space = " "
+        if sep is None:
+            sep = space
+        if end is None:
+            end = newline
+        for i, arg in enumerate(args):
+            if i:
+                write(sep)
+            write(arg)
+        write(end)
+
+_add_doc(reraise, """Reraise an exception.""")
+
+
+def with_metaclass(meta, base=object):
+    """Create a base class with a metaclass."""
+    return meta("NewBase", (base,), {})
+
+
+### Additional customizations for Django ###
+
+if PY3:
+    _iterlists = "lists"
+    _assertRaisesRegex = "assertRaisesRegex"
+else:
+    _iterlists = "iterlists"
+    _assertRaisesRegex = "assertRaisesRegexp"
+
+
+def iterlists(d):
+    """Return an iterator over the values of a MultiValueDict."""
+    return getattr(d, _iterlists)()
+
+
+def assertRaisesRegex(self, *args, **kwargs):
+    return getattr(self, _assertRaisesRegex)(*args, **kwargs)
+
+
+add_move(MovedModule("_dummy_thread", "dummy_thread"))
+add_move(MovedModule("_thread", "thread"))
diff --git a/rest_framework/static/rest_framework/css/default.css b/rest_framework/static/rest_framework/css/default.css
index b2e41b994..d806267bc 100644
--- a/rest_framework/static/rest_framework/css/default.css
+++ b/rest_framework/static/rest_framework/css/default.css
@@ -150,6 +150,49 @@ html, body {
   margin: 0 auto -60px;
 }
 
+.form-switcher {
+    margin-bottom: 0;
+}
+
+.well {
+    -webkit-box-shadow: none;
+       -moz-box-shadow: none;
+            box-shadow: none;
+}
+
+.well .form-actions {
+    padding-bottom: 0;
+    margin-bottom: 0;
+}
+
+.well form {
+    margin-bottom: 0;
+}
+
+.nav-tabs {
+    border: 0;
+}
+
+.nav-tabs > li {
+    float: right;
+}
+
+.nav-tabs li a {
+    margin-right: 0;
+}
+
+.nav-tabs > .active > a {
+    background: #f5f5f5;
+}
+
+.nav-tabs > .active > a:hover {
+    background: #f5f5f5;
+}
+
+.tabbable.first-tab-active .tab-content
+{
+    border-top-right-radius: 0;
+}
 
 #footer, #push {
   height: 60px; /* .push must be the same height as .footer */
diff --git a/rest_framework/static/rest_framework/js/default.js b/rest_framework/static/rest_framework/js/default.js
index ecaccc0f0..c74829d7d 100644
--- a/rest_framework/static/rest_framework/js/default.js
+++ b/rest_framework/static/rest_framework/js/default.js
@@ -3,3 +3,11 @@ prettyPrint();
 $('.js-tooltip').tooltip({
     delay: 1000
 });
+
+$('a[data-toggle="tab"]:first').on('shown', function (e) {
+    $(e.target).parents('.tabbable').addClass('first-tab-active');
+});
+$('a[data-toggle="tab"]:not(:first)').on('shown', function (e) {
+    $(e.target).parents('.tabbable').removeClass('first-tab-active');
+});
+$('.form-switcher a:first').tab('show');
diff --git a/rest_framework/status.py b/rest_framework/status.py
index a1eb48dae..b9f249f9f 100644
--- a/rest_framework/status.py
+++ b/rest_framework/status.py
@@ -4,6 +4,7 @@ Descriptive HTTP status codes, for code readability.
 See RFC 2616 - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
 And RFC 6585 - http://tools.ietf.org/html/rfc6585
 """
+from __future__ import unicode_literals
 
 HTTP_100_CONTINUE = 100
 HTTP_101_SWITCHING_PROTOCOLS = 101
diff --git a/rest_framework/templates/rest_framework/base.html b/rest_framework/templates/rest_framework/base.html
index 092bf2e47..44633f5ab 100644
--- a/rest_framework/templates/rest_framework/base.html
+++ b/rest_framework/templates/rest_framework/base.html
@@ -13,7 +13,7 @@
         {% block title %}Django REST framework{% endblock %}
 
         {% block style %}
-        
+        {% block bootstrap_theme %}{% endblock %}
         
         
         
@@ -123,56 +123,88 @@
 
             {% if response.status_code != 403 %}
 
-                {% if post_form %}
-                
    
-                    
    
-                        
    
-                            {% csrf_token %}
-                            {{ post_form.non_field_errors }}
-                            {% for field in post_form %}
-                                
     
-                                    {{ field.label_tag|add_class:"control-label" }}
-                                    
    
-                                        {{ field }}
-                                        {{ field.help_text }}
-                                        
+                {% if post_form or raw_data_post_form %}
+                
    
+                    {% if post_form %}
+                    
+                    {% endif %}
+                    
    
+                        {% if post_form %}
+                        
    
+                            {% with form=post_form %}
+                            
+                                
    
+                                    {% include "rest_framework/form.html" %}
+                                    
    
+                                        
                                     
    
-                                
    
-                            {% endfor %}
-                            
    
-                                
-                            
    
-                        
    
-                    
    
+                                
+                            
+                            {% endwith %}
+                        
    
+                        {% endif %}
+                        
    
+                            {% with form=raw_data_post_form %}
+                            
    
+                                
    
+                                    {% include "rest_framework/form.html" %}
+                                    
    
+                                        
+                                    
    
+                                
    
+                            
    
+                            {% endwith %}
+                        
    
+                    
                 
                 {% endif %}
 
-                {% if put_form %}
-                
    
-                    
    
-                        
    
-                            
-                            {% csrf_token %}
-                            {{ put_form.non_field_errors }}
-                            {% for field in put_form %}
-                                
     
-                                    {{ field.label_tag|add_class:"control-label" }}
-                                    
    
-                                        {{ field }}
-                                        {{ field.help_text }}
-                                        
+                {% if put_form or raw_data_put_form or raw_data_patch_form %}
+                
    
+                    {% if put_form %}
+                    
+                    {% endif %}
+                    
    
+                        {% if put_form %}
+                        
    
+                            {% with form=put_form %}
+                            
+                                
    
+                                    {% include "rest_framework/form.html" %}
+                                    
    
+                                        
                                     
    
-                                
    
-                            {% endfor %}
-                            
    
-                                
-                            
    
-
-                        
    
-                    
    
+                                
+                            
+                            {% endwith %}
+                        
    
+                        {% endif %}
+                        
    
+                            {% with form=raw_data_put_or_patch_form %}
+                            
    
+                                
    
+                                    {% include "rest_framework/form.html" %}
+                                    
    
+                                        {% if raw_data_put_form %}
+                                        
+                                        {% endif %}
+                                        {% if raw_data_patch_form %}
+                                        
+                                        {% endif %}
+                                    
    
+                                
    
+                            
    
+                            {% endwith %}
+                        
    
+                    
                 
                 {% endif %}
-
             {% endif %}
 
         
diff --git a/rest_framework/templates/rest_framework/form.html b/rest_framework/templates/rest_framework/form.html
new file mode 100644
index 000000000..dc7acc708
--- /dev/null
+++ b/rest_framework/templates/rest_framework/form.html
@@ -0,0 +1,13 @@
+{% load rest_framework %}
+{% csrf_token %}
+{{ form.non_field_errors }}
+{% for field in form %}
+    
     
+        {{ field.label_tag|add_class:"control-label" }}
+        
    
+            {{ field }}
+            {{ field.help_text }}
+            
+        
    
+    
    
+{% endfor %}
diff --git a/rest_framework/templates/rest_framework/login.html b/rest_framework/templates/rest_framework/login.html
index 6e2bd8d4d..e10ce20f3 100644
--- a/rest_framework/templates/rest_framework/login.html
+++ b/rest_framework/templates/rest_framework/login.html
@@ -25,14 +25,14 @@
                     
    
                         {% csrf_token %}
                         
    
-                            
    
-                                
+                            
    
+                                
                                 
                             
    
                         
    
                         
    
-                            
    
-                                
+                            
    
+                                
                                 
                             
    
                         
    
diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index 82fcdfe74..c21ddcd7b 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -1,10 +1,12 @@
+from __future__ import unicode_literals, absolute_import
 from django import template
-from django.core.urlresolvers import reverse
+from django.core.urlresolvers import reverse, NoReverseMatch
 from django.http import QueryDict
-from django.utils.encoding import force_unicode
 from django.utils.html import escape
 from django.utils.safestring import SafeData, mark_safe
-from urlparse import urlsplit, urlunsplit
+from rest_framework.compat import urlparse
+from rest_framework.compat import force_text
+from rest_framework.compat import six
 import re
 import string
 
@@ -29,7 +31,7 @@ try:  # Django 1.5+
     def do_static(parser, token):
         return StaticFilesNode.handle_token(parser, token)
 
-except:
+except ImportError:
     try:  # Django 1.4
         from django.contrib.staticfiles.storage import staticfiles_storage
 
@@ -41,7 +43,7 @@ except:
             """
             return staticfiles_storage.url(path)
 
-    except:  # Django 1.3
+    except ImportError:  # Django 1.3
         from urlparse import urljoin
         from django import template
         from django.templatetags.static import PrefixNode
@@ -99,11 +101,11 @@ def replace_query_param(url, key, val):
     Given a URL and a key/val pair, set or replace an item in the query
     parameters of the URL, and return the new URL.
     """
-    (scheme, netloc, path, query, fragment) = urlsplit(url)
+    (scheme, netloc, path, query, fragment) = urlparse.urlsplit(url)
     query_dict = QueryDict(query).copy()
     query_dict[key] = val
     query = query_dict.urlencode()
-    return urlunsplit((scheme, netloc, path, query, fragment))
+    return urlparse.urlunsplit((scheme, netloc, path, query, fragment))
 
 
 # Regex for adding classes to html snippets
@@ -135,7 +137,7 @@ def optional_login(request):
     """
     try:
         login_url = reverse('rest_framework:login')
-    except:
+    except NoReverseMatch:
         return ''
 
     snippet = "Log in" % (login_url, request.path)
@@ -149,7 +151,7 @@ def optional_logout(request):
     """
     try:
         logout_url = reverse('rest_framework:logout')
-    except:
+    except NoReverseMatch:
         return ''
 
     snippet = "Log out" % (logout_url, request.path)
@@ -179,7 +181,7 @@ def add_class(value, css_class):
     In the case of REST Framework, the filter is used to add Bootstrap-specific
     classes to the forms.
     """
-    html = unicode(value)
+    html = six.text_type(value)
     match = class_re.search(html)
     if match:
         m = re.search(r'^%s$|^%s\s|\s%s\s|\s%s$' % (css_class, css_class,
@@ -213,7 +215,7 @@ def urlize_quoted_links(text, trim_url_limit=None, nofollow=True, autoescape=Tru
     """
     trim_url = lambda x, limit=trim_url_limit: limit is not None and (len(x) > limit and ('%s...' % x[:max(0, limit - 3)])) or x
     safe_input = isinstance(text, SafeData)
-    words = word_split_re.split(force_unicode(text))
+    words = word_split_re.split(force_text(text))
     nofollow_attr = nofollow and ' rel="nofollow"' or ''
     for i, word in enumerate(words):
         match = None
@@ -249,4 +251,4 @@ def urlize_quoted_links(text, trim_url_limit=None, nofollow=True, autoescape=Tru
             words[i] = mark_safe(word)
         elif autoescape:
             words[i] = escape(word)
-    return mark_safe(u''.join(words))
+    return mark_safe(''.join(words))
diff --git a/rest_framework/tests/authentication.py b/rest_framework/tests/authentication.py
index e86041bc4..b663ca48f 100644
--- a/rest_framework/tests/authentication.py
+++ b/rest_framework/tests/authentication.py
@@ -1,33 +1,65 @@
+from __future__ import unicode_literals
 from django.contrib.auth.models import User
 from django.http import HttpResponse
 from django.test import Client, TestCase
-
+from django.utils import unittest
+from rest_framework import HTTP_HEADER_ENCODING
+from rest_framework import exceptions
 from rest_framework import permissions
+from rest_framework import status
+from rest_framework.authentication import (
+    BaseAuthentication,
+    TokenAuthentication,
+    BasicAuthentication,
+    SessionAuthentication,
+    OAuthAuthentication,
+    OAuth2Authentication
+)
 from rest_framework.authtoken.models import Token
-from rest_framework.authentication import TokenAuthentication
-from rest_framework.compat import patterns
+from rest_framework.compat import patterns, url, include
+from rest_framework.compat import oauth2_provider, oauth2_provider_models, oauth2_provider_scope
+from rest_framework.compat import oauth, oauth_provider
+from rest_framework.tests.utils import RequestFactory
 from rest_framework.views import APIView
-
 import json
 import base64
+import time
+import datetime
+
+factory = RequestFactory()
 
 
 class MockView(APIView):
     permission_classes = (permissions.IsAuthenticated,)
 
+    def get(self, request):
+        return HttpResponse({'a': 1, 'b': 2, 'c': 3})
+
     def post(self, request):
         return HttpResponse({'a': 1, 'b': 2, 'c': 3})
 
     def put(self, request):
         return HttpResponse({'a': 1, 'b': 2, 'c': 3})
 
-MockView.authentication_classes += (TokenAuthentication,)
 
 urlpatterns = patterns('',
-    (r'^$', MockView.as_view()),
+    (r'^session/$', MockView.as_view(authentication_classes=[SessionAuthentication])),
+    (r'^basic/$', MockView.as_view(authentication_classes=[BasicAuthentication])),
+    (r'^token/$', MockView.as_view(authentication_classes=[TokenAuthentication])),
     (r'^auth-token/$', 'rest_framework.authtoken.views.obtain_auth_token'),
+    (r'^oauth/$', MockView.as_view(authentication_classes=[OAuthAuthentication])),
+    (r'^oauth-with-scope/$', MockView.as_view(authentication_classes=[OAuthAuthentication], 
+        permission_classes=[permissions.TokenHasReadWriteScope]))
 )
 
+if oauth2_provider is not None:
+    urlpatterns += patterns('',
+        url(r'^oauth2/', include('provider.oauth2.urls', namespace='oauth2')),
+        url(r'^oauth2-test/$', MockView.as_view(authentication_classes=[OAuth2Authentication])),
+        url(r'^oauth2-with-scope-test/$', MockView.as_view(authentication_classes=[OAuth2Authentication], 
+            permission_classes=[permissions.TokenHasReadWriteScope])),
+    )
+
 
 class BasicAuthTests(TestCase):
     """Basic authentication"""
@@ -42,25 +74,30 @@ class BasicAuthTests(TestCase):
 
     def test_post_form_passing_basic_auth(self):
         """Ensure POSTing json over basic auth with correct credentials passes and does not require CSRF"""
-        auth = 'Basic %s' % base64.encodestring('%s:%s' % (self.username, self.password)).strip()
-        response = self.csrf_client.post('/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
-        self.assertEqual(response.status_code, 200)
+        credentials = ('%s:%s' % (self.username, self.password))
+        base64_credentials = base64.b64encode(credentials.encode(HTTP_HEADER_ENCODING)).decode(HTTP_HEADER_ENCODING)
+        auth = 'Basic %s' % base64_credentials
+        response = self.csrf_client.post('/basic/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
 
     def test_post_json_passing_basic_auth(self):
         """Ensure POSTing form over basic auth with correct credentials passes and does not require CSRF"""
-        auth = 'Basic %s' % base64.encodestring('%s:%s' % (self.username, self.password)).strip()
-        response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth)
-        self.assertEqual(response.status_code, 200)
+        credentials = ('%s:%s' % (self.username, self.password))
+        base64_credentials = base64.b64encode(credentials.encode(HTTP_HEADER_ENCODING)).decode(HTTP_HEADER_ENCODING)
+        auth = 'Basic %s' % base64_credentials
+        response = self.csrf_client.post('/basic/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
 
     def test_post_form_failing_basic_auth(self):
         """Ensure POSTing form over basic auth without correct credentials fails"""
-        response = self.csrf_client.post('/', {'example': 'example'})
-        self.assertEqual(response.status_code, 403)
+        response = self.csrf_client.post('/basic/', {'example': 'example'})
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
 
     def test_post_json_failing_basic_auth(self):
         """Ensure POSTing json over basic auth without correct credentials fails"""
-        response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json')
-        self.assertEqual(response.status_code, 403)
+        response = self.csrf_client.post('/basic/', json.dumps({'example': 'example'}), 'application/json')
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+        self.assertEqual(response['WWW-Authenticate'], 'Basic realm="api"')
 
 
 class SessionAuthTests(TestCase):
@@ -83,31 +120,31 @@ class SessionAuthTests(TestCase):
         Ensure POSTing form over session authentication without CSRF token fails.
         """
         self.csrf_client.login(username=self.username, password=self.password)
-        response = self.csrf_client.post('/', {'example': 'example'})
-        self.assertEqual(response.status_code, 403)
+        response = self.csrf_client.post('/session/', {'example': 'example'})
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
     def test_post_form_session_auth_passing(self):
         """
         Ensure POSTing form over session authentication with logged in user and CSRF token passes.
         """
         self.non_csrf_client.login(username=self.username, password=self.password)
-        response = self.non_csrf_client.post('/', {'example': 'example'})
-        self.assertEqual(response.status_code, 200)
+        response = self.non_csrf_client.post('/session/', {'example': 'example'})
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
 
     def test_put_form_session_auth_passing(self):
         """
         Ensure PUTting form over session authentication with logged in user and CSRF token passes.
         """
         self.non_csrf_client.login(username=self.username, password=self.password)
-        response = self.non_csrf_client.put('/', {'example': 'example'})
-        self.assertEqual(response.status_code, 200)
+        response = self.non_csrf_client.put('/session/', {'example': 'example'})
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
 
     def test_post_form_session_auth_failing(self):
         """
         Ensure POSTing form over session authentication without logged in user fails.
         """
-        response = self.csrf_client.post('/', {'example': 'example'})
-        self.assertEqual(response.status_code, 403)
+        response = self.csrf_client.post('/session/', {'example': 'example'})
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
 
 class TokenAuthTests(TestCase):
@@ -126,25 +163,25 @@ class TokenAuthTests(TestCase):
 
     def test_post_form_passing_token_auth(self):
         """Ensure POSTing json over token auth with correct credentials passes and does not require CSRF"""
-        auth = "Token " + self.key
-        response = self.csrf_client.post('/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
-        self.assertEqual(response.status_code, 200)
+        auth = 'Token ' + self.key
+        response = self.csrf_client.post('/token/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
 
     def test_post_json_passing_token_auth(self):
         """Ensure POSTing form over token auth with correct credentials passes and does not require CSRF"""
         auth = "Token " + self.key
-        response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth)
-        self.assertEqual(response.status_code, 200)
+        response = self.csrf_client.post('/token/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
 
     def test_post_form_failing_token_auth(self):
         """Ensure POSTing form over token auth without correct credentials fails"""
-        response = self.csrf_client.post('/', {'example': 'example'})
-        self.assertEqual(response.status_code, 403)
+        response = self.csrf_client.post('/token/', {'example': 'example'})
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
 
     def test_post_json_failing_token_auth(self):
         """Ensure POSTing json over token auth without correct credentials fails"""
-        response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json')
-        self.assertEqual(response.status_code, 403)
+        response = self.csrf_client.post('/token/', json.dumps({'example': 'example'}), 'application/json')
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
 
     def test_token_has_auto_assigned_key_if_none_provided(self):
         """Ensure creating a token with no key will auto-assign a key"""
@@ -157,8 +194,8 @@ class TokenAuthTests(TestCase):
         client = Client(enforce_csrf_checks=True)
         response = client.post('/auth-token/',
                                json.dumps({'username': self.username, 'password': self.password}), 'application/json')
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(json.loads(response.content)['token'], self.key)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(json.loads(response.content.decode('ascii'))['token'], self.key)
 
     def test_token_login_json_bad_creds(self):
         """Ensure token login view using JSON POST fails if bad credentials are used."""
@@ -179,5 +216,362 @@ class TokenAuthTests(TestCase):
         client = Client(enforce_csrf_checks=True)
         response = client.post('/auth-token/',
                                {'username': self.username, 'password': self.password})
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(json.loads(response.content.decode('ascii'))['token'], self.key)
+
+
+class IncorrectCredentialsTests(TestCase):
+    def test_incorrect_credentials(self):
+        """
+        If a request contains bad authentication credentials, then
+        authentication should run and error, even if no permissions
+        are set on the view.
+        """
+        class IncorrectCredentialsAuth(BaseAuthentication):
+            def authenticate(self, request):
+                raise exceptions.AuthenticationFailed('Bad credentials')
+
+        request = factory.get('/')
+        view = MockView.as_view(
+            authentication_classes=(IncorrectCredentialsAuth,),
+            permission_classes=()
+        )
+        response = view(request)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.data, {'detail': 'Bad credentials'})
+
+
+class OAuthTests(TestCase):
+    """OAuth 1.0a authentication"""
+    urls = 'rest_framework.tests.authentication'
+
+    def setUp(self):
+        # these imports are here because oauth is optional and hiding them in try..except block or compat
+        # could obscure problems if something breaks
+        from oauth_provider.models import Consumer, Resource
+        from oauth_provider.models import Token as OAuthToken
+        from oauth_provider import consts
+
+        self.consts = consts
+
+        self.csrf_client = Client(enforce_csrf_checks=True)
+        self.username = 'john'
+        self.email = 'lennon@thebeatles.com'
+        self.password = 'password'
+        self.user = User.objects.create_user(self.username, self.email, self.password)
+
+        self.CONSUMER_KEY = 'consumer_key'
+        self.CONSUMER_SECRET = 'consumer_secret'
+        self.TOKEN_KEY = "token_key"
+        self.TOKEN_SECRET = "token_secret"
+
+        self.consumer = Consumer.objects.create(key=self.CONSUMER_KEY, secret=self.CONSUMER_SECRET,
+            name='example', user=self.user, status=self.consts.ACCEPTED)
+
+        self.resource = Resource.objects.create(name="resource name", url="api/")
+        self.token = OAuthToken.objects.create(user=self.user, consumer=self.consumer, resource=self.resource,
+            token_type=OAuthToken.ACCESS, key=self.TOKEN_KEY, secret=self.TOKEN_SECRET, is_approved=True
+        )
+
+    def _create_authorization_header(self):
+        params = {
+            'oauth_version': "1.0",
+            'oauth_nonce': oauth.generate_nonce(),
+            'oauth_timestamp': int(time.time()),
+            'oauth_token': self.token.key,
+            'oauth_consumer_key': self.consumer.key
+        }
+
+        req = oauth.Request(method="GET", url="http://example.com", parameters=params)
+
+        signature_method = oauth.SignatureMethod_PLAINTEXT()
+        req.sign_request(signature_method, self.consumer, self.token)
+
+        return req.to_header()["Authorization"]
+
+    def _create_authorization_url_parameters(self):
+        params = {
+            'oauth_version': "1.0",
+            'oauth_nonce': oauth.generate_nonce(),
+            'oauth_timestamp': int(time.time()),
+            'oauth_token': self.token.key,
+            'oauth_consumer_key': self.consumer.key
+        }
+
+        req = oauth.Request(method="GET", url="http://example.com", parameters=params)
+
+        signature_method = oauth.SignatureMethod_PLAINTEXT()
+        req.sign_request(signature_method, self.consumer, self.token)
+        return dict(req)
+
+    @unittest.skipUnless(oauth_provider, 'django-oauth-plus not installed')
+    @unittest.skipUnless(oauth, 'oauth2 not installed')
+    def test_post_form_passing_oauth(self):
+        """Ensure POSTing form over OAuth with correct credentials passes and does not require CSRF"""
+        auth = self._create_authorization_header()
+        response = self.csrf_client.post('/oauth/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 200)
+
+    @unittest.skipUnless(oauth_provider, 'django-oauth-plus not installed')
+    @unittest.skipUnless(oauth, 'oauth2 not installed')
+    def test_post_form_repeated_nonce_failing_oauth(self):
+        """Ensure POSTing form over OAuth with repeated auth (same nonces and timestamp) credentials fails"""
+        auth = self._create_authorization_header()
+        response = self.csrf_client.post('/oauth/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 200)
+
+        # simulate reply attack auth header containes already used (nonce, timestamp) pair
+        response = self.csrf_client.post('/oauth/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
+        self.assertIn(response.status_code, (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN))
+
+    @unittest.skipUnless(oauth_provider, 'django-oauth-plus not installed')
+    @unittest.skipUnless(oauth, 'oauth2 not installed')
+    def test_post_form_token_removed_failing_oauth(self):
+        """Ensure POSTing when there is no OAuth access token in db fails"""
+        self.token.delete()
+        auth = self._create_authorization_header()
+        response = self.csrf_client.post('/oauth/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
+        self.assertIn(response.status_code, (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN))
+
+    @unittest.skipUnless(oauth_provider, 'django-oauth-plus not installed')
+    @unittest.skipUnless(oauth, 'oauth2 not installed')
+    def test_post_form_consumer_status_not_accepted_failing_oauth(self):
+        """Ensure POSTing when consumer status is anything other than ACCEPTED fails"""
+        for consumer_status in (self.consts.CANCELED, self.consts.PENDING, self.consts.REJECTED):
+            self.consumer.status = consumer_status
+            self.consumer.save()
+
+            auth = self._create_authorization_header()
+            response = self.csrf_client.post('/oauth/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
+            self.assertIn(response.status_code, (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN))
+
+    @unittest.skipUnless(oauth_provider, 'django-oauth-plus not installed')
+    @unittest.skipUnless(oauth, 'oauth2 not installed')
+    def test_post_form_with_request_token_failing_oauth(self):
+        """Ensure POSTing with unauthorized request token instead of access token fails"""
+        self.token.token_type = self.token.REQUEST
+        self.token.save()
+
+        auth = self._create_authorization_header()
+        response = self.csrf_client.post('/oauth/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
+        self.assertIn(response.status_code, (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN))
+
+    @unittest.skipUnless(oauth_provider, 'django-oauth-plus not installed')
+    @unittest.skipUnless(oauth, 'oauth2 not installed')
+    def test_post_form_with_urlencoded_parameters(self):
+        """Ensure POSTing with x-www-form-urlencoded auth parameters passes"""
+        params = self._create_authorization_url_parameters()
+        response = self.csrf_client.post('/oauth/', params)
+        self.assertEqual(response.status_code, 200)
+
+    @unittest.skipUnless(oauth_provider, 'django-oauth-plus not installed')
+    @unittest.skipUnless(oauth, 'oauth2 not installed')
+    def test_get_form_with_url_parameters(self):
+        """Ensure GETing with auth in url parameters passes"""
+        params = self._create_authorization_url_parameters()
+        response = self.csrf_client.get('/oauth/', params)
+        self.assertEqual(response.status_code, 200)
+
+    @unittest.skipUnless(oauth_provider, 'django-oauth-plus not installed')
+    @unittest.skipUnless(oauth, 'oauth2 not installed')
+    def test_post_hmac_sha1_signature_passes(self):
+        """Ensure POSTing using HMAC_SHA1 signature method passes"""
+        params = {
+            'oauth_version': "1.0",
+            'oauth_nonce': oauth.generate_nonce(),
+            'oauth_timestamp': int(time.time()),
+            'oauth_token': self.token.key,
+            'oauth_consumer_key': self.consumer.key
+        }
+
+        req = oauth.Request(method="POST", url="http://testserver/oauth/", parameters=params)
+
+        signature_method = oauth.SignatureMethod_HMAC_SHA1()
+        req.sign_request(signature_method, self.consumer, self.token)
+        auth = req.to_header()["Authorization"]
+
+        response = self.csrf_client.post('/oauth/', HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 200)
+
+    @unittest.skipUnless(oauth_provider, 'django-oauth-plus not installed')
+    @unittest.skipUnless(oauth, 'oauth2 not installed')
+    def test_get_form_with_readonly_resource_passing_auth(self):
+        """Ensure POSTing with a readonly resource instead of a write scope fails"""
+        read_only_access_token = self.token
+        read_only_access_token.resource.is_readonly = True
+        read_only_access_token.resource.save()
+        params = self._create_authorization_url_parameters()
+        response = self.csrf_client.get('/oauth-with-scope/', params)
+        self.assertEqual(response.status_code, 200)
+
+    @unittest.skipUnless(oauth_provider, 'django-oauth-plus not installed')
+    @unittest.skipUnless(oauth, 'oauth2 not installed')
+    def test_post_form_with_readonly_resource_failing_auth(self):
+        """Ensure POSTing with a readonly resource instead of a write scope fails"""
+        read_only_access_token = self.token
+        read_only_access_token.resource.is_readonly = True
+        read_only_access_token.resource.save()
+        params = self._create_authorization_url_parameters()
+        response = self.csrf_client.post('/oauth-with-scope/', params)
+        self.assertIn(response.status_code, (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN))
+
+    @unittest.skipUnless(oauth_provider, 'django-oauth-plus not installed')
+    @unittest.skipUnless(oauth, 'oauth2 not installed')
+    def test_post_form_with_write_resource_passing_auth(self):
+        """Ensure POSTing with a write resource succeed"""
+        read_write_access_token = self.token
+        read_write_access_token.resource.is_readonly = False
+        read_write_access_token.resource.save()
+        params = self._create_authorization_url_parameters()
+        response = self.csrf_client.post('/oauth-with-scope/', params)
+        self.assertEqual(response.status_code, 200)
+
+
+class OAuth2Tests(TestCase):
+    """OAuth 2.0 authentication"""
+    urls = 'rest_framework.tests.authentication'
+
+    def setUp(self):
+        self.csrf_client = Client(enforce_csrf_checks=True)
+        self.username = 'john'
+        self.email = 'lennon@thebeatles.com'
+        self.password = 'password'
+        self.user = User.objects.create_user(self.username, self.email, self.password)
+
+        self.CLIENT_ID = 'client_key'
+        self.CLIENT_SECRET = 'client_secret'
+        self.ACCESS_TOKEN = "access_token"
+        self.REFRESH_TOKEN = "refresh_token"
+
+        self.oauth2_client = oauth2_provider_models.Client.objects.create(
+                client_id=self.CLIENT_ID,
+                client_secret=self.CLIENT_SECRET,
+                redirect_uri='',
+                client_type=0,
+                name='example',
+                user=None,
+            )
+
+        self.access_token = oauth2_provider_models.AccessToken.objects.create(
+                token=self.ACCESS_TOKEN,
+                client=self.oauth2_client,
+                user=self.user,
+            )
+        self.refresh_token = oauth2_provider_models.RefreshToken.objects.create(
+                user=self.user,
+                access_token=self.access_token,
+                client=self.oauth2_client
+            )
+
+    def _create_authorization_header(self, token=None):
+        return "Bearer {0}".format(token or self.access_token.token)
+
+    def _client_credentials_params(self):
+        return {'client_id': self.CLIENT_ID, 'client_secret': self.CLIENT_SECRET}
+
+    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    def test_get_form_with_wrong_authorization_header_token_type_failing(self):
+        """Ensure that a wrong token type lead to the correct HTTP error status code"""
+        auth = "Wrong token-type-obsviously"
+        response = self.csrf_client.get('/oauth2-test/', {}, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 401)
+        params = self._client_credentials_params()
+        response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 401)
+
+    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    def test_get_form_with_wrong_authorization_header_token_format_failing(self):
+        """Ensure that a wrong token format lead to the correct HTTP error status code"""
+        auth = "Bearer wrong token format"
+        response = self.csrf_client.get('/oauth2-test/', {}, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 401)
+        params = self._client_credentials_params()
+        response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 401)
+
+    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    def test_get_form_with_wrong_authorization_header_token_failing(self):
+        """Ensure that a wrong token lead to the correct HTTP error status code"""
+        auth = "Bearer wrong-token"
+        response = self.csrf_client.get('/oauth2-test/', {}, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 401)
+        params = self._client_credentials_params()
+        response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 401)
+
+    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    def test_get_form_with_wrong_client_data_failing_auth(self):
+        """Ensure GETing form over OAuth with incorrect client credentials fails"""
+        auth = self._create_authorization_header()
+        params = self._client_credentials_params()
+        params['client_id'] += 'a'
+        response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 401)
+
+    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    def test_get_form_passing_auth(self):
+        """Ensure GETing form over OAuth with correct client credentials succeed"""
+        auth = self._create_authorization_header()
+        params = self._client_credentials_params()
+        response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 200)
+
+    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    def test_post_form_passing_auth(self):
+        """Ensure POSTing form over OAuth with correct credentials passes and does not require CSRF"""
+        auth = self._create_authorization_header()
+        params = self._client_credentials_params()
+        response = self.csrf_client.post('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 200)
+
+    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    def test_post_form_token_removed_failing_auth(self):
+        """Ensure POSTing when there is no OAuth access token in db fails"""
+        self.access_token.delete()
+        auth = self._create_authorization_header()
+        params = self._client_credentials_params()
+        response = self.csrf_client.post('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        self.assertIn(response.status_code, (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN))
+
+    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    def test_post_form_with_refresh_token_failing_auth(self):
+        """Ensure POSTing with refresh token instead of access token fails"""
+        auth = self._create_authorization_header(token=self.refresh_token.token)
+        params = self._client_credentials_params()
+        response = self.csrf_client.post('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        self.assertIn(response.status_code, (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN))
+
+    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    def test_post_form_with_expired_access_token_failing_auth(self):
+        """Ensure POSTing with expired access token fails with an 'Invalid token' error"""
+        self.access_token.expires = datetime.datetime.now() - datetime.timedelta(seconds=10)  # 10 seconds late
+        self.access_token.save()
+        auth = self._create_authorization_header()
+        params = self._client_credentials_params()
+        response = self.csrf_client.post('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        self.assertIn(response.status_code, (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN))
+        self.assertIn('Invalid token', response.content)
+
+    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    def test_post_form_with_invalid_scope_failing_auth(self):
+        """Ensure POSTing with a readonly scope instead of a write scope fails"""
+        read_only_access_token = self.access_token
+        read_only_access_token.scope = oauth2_provider_scope.SCOPE_NAME_DICT['read']
+        read_only_access_token.save()
+        auth = self._create_authorization_header(token=read_only_access_token.token)
+        params = self._client_credentials_params()
+        response = self.csrf_client.get('/oauth2-with-scope-test/', params, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 200)
+        response = self.csrf_client.post('/oauth2-with-scope-test/', params, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    def test_post_form_with_valid_scope_passing_auth(self):
+        """Ensure POSTing with a write scope succeed"""
+        read_write_access_token = self.access_token
+        read_write_access_token.scope = oauth2_provider_scope.SCOPE_NAME_DICT['write']
+        read_write_access_token.save()
+        auth = self._create_authorization_header(token=read_write_access_token.token)
+        params = self._client_credentials_params()
+        response = self.csrf_client.post('/oauth2-with-scope-test/', params, HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(json.loads(response.content)['token'], self.key)
diff --git a/rest_framework/tests/breadcrumbs.py b/rest_framework/tests/breadcrumbs.py
index df8916832..d9ed647e2 100644
--- a/rest_framework/tests/breadcrumbs.py
+++ b/rest_framework/tests/breadcrumbs.py
@@ -1,3 +1,4 @@
+from __future__ import unicode_literals
 from django.test import TestCase
 from rest_framework.compat import patterns, url
 from rest_framework.utils.breadcrumbs import get_breadcrumbs
diff --git a/rest_framework/tests/decorators.py b/rest_framework/tests/decorators.py
index 5e6bce4ef..1016fed3f 100644
--- a/rest_framework/tests/decorators.py
+++ b/rest_framework/tests/decorators.py
@@ -1,3 +1,4 @@
+from __future__ import unicode_literals
 from django.test import TestCase
 from rest_framework import status
 from rest_framework.response import Response
@@ -28,13 +29,27 @@ class DecoratorTestCase(TestCase):
         response.request = request
         return APIView.finalize_response(self, request, response, *args, **kwargs)
 
-    def test_wrap_view(self):
+    def test_api_view_incorrect(self):
+        """
+        If @api_view is not applied correct, we should raise an assertion.
+        """
 
-        @api_view(['GET'])
+        @api_view
         def view(request):
-            return Response({})
+            return Response()
 
-        self.assertTrue(isinstance(view.cls_instance, APIView))
+        request = self.factory.get('/')
+        self.assertRaises(AssertionError, view, request)
+
+    def test_api_view_incorrect_arguments(self):
+        """
+        If @api_view is missing arguments, we should raise an assertion.
+        """
+
+        with self.assertRaises(AssertionError):
+            @api_view('GET')
+            def view(request):
+                return Response()
 
     def test_calling_method(self):
 
@@ -44,11 +59,11 @@ class DecoratorTestCase(TestCase):
 
         request = self.factory.get('/')
         response = view(request)
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
 
         request = self.factory.post('/')
         response = view(request)
-        self.assertEqual(response.status_code, 405)
+        self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
 
     def test_calling_put_method(self):
 
@@ -58,11 +73,11 @@ class DecoratorTestCase(TestCase):
 
         request = self.factory.put('/')
         response = view(request)
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
 
         request = self.factory.post('/')
         response = view(request)
-        self.assertEqual(response.status_code, 405)
+        self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
 
     def test_calling_patch_method(self):
 
@@ -72,11 +87,11 @@ class DecoratorTestCase(TestCase):
 
         request = self.factory.patch('/')
         response = view(request)
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
 
         request = self.factory.post('/')
         response = view(request)
-        self.assertEqual(response.status_code, 405)
+        self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
 
     def test_renderer_classes(self):
 
@@ -124,7 +139,7 @@ class DecoratorTestCase(TestCase):
 
         request = self.factory.get('/')
         response = view(request)
-        self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
     def test_throttle_classes(self):
         class OncePerDayUserThrottle(UserRateThrottle):
@@ -137,7 +152,7 @@ class DecoratorTestCase(TestCase):
 
         request = self.factory.get('/')
         response = view(request)
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
 
         response = view(request)
-        self.assertEquals(response.status_code, status.HTTP_429_TOO_MANY_REQUESTS)
+        self.assertEqual(response.status_code, status.HTTP_429_TOO_MANY_REQUESTS)
diff --git a/rest_framework/tests/description.py b/rest_framework/tests/description.py
index d958b8405..5b3315bcf 100644
--- a/rest_framework/tests/description.py
+++ b/rest_framework/tests/description.py
@@ -1,3 +1,6 @@
+# -- coding: utf-8 --
+
+from __future__ import unicode_literals
 from django.test import TestCase
 from rest_framework.views import APIView
 from rest_framework.compat import apply_markdown
@@ -50,7 +53,7 @@ class TestViewNamesAndDescriptions(TestCase):
         """Ensure Resource names are based on the classname by default."""
         class MockView(APIView):
             pass
-        self.assertEquals(MockView().get_name(), 'Mock')
+        self.assertEqual(MockView().get_name(), 'Mock')
 
     def test_resource_name_can_be_set_explicitly(self):
         """Ensure Resource names can be set using the 'get_name' method."""
@@ -58,7 +61,7 @@ class TestViewNamesAndDescriptions(TestCase):
         class MockView(APIView):
             def get_name(self):
                 return example
-        self.assertEquals(MockView().get_name(), example)
+        self.assertEqual(MockView().get_name(), example)
 
     def test_resource_description_uses_docstring_by_default(self):
         """Ensure Resource names are based on the docstring by default."""
@@ -78,7 +81,7 @@ class TestViewNamesAndDescriptions(TestCase):
 
             # hash style header #"""
 
-        self.assertEquals(MockView().get_description(), DESCRIPTION)
+        self.assertEqual(MockView().get_description(), DESCRIPTION)
 
     def test_resource_description_can_be_set_explicitly(self):
         """Ensure Resource descriptions can be set using the 'get_description' method."""
@@ -88,7 +91,16 @@ class TestViewNamesAndDescriptions(TestCase):
             """docstring"""
             def get_description(self):
                 return example
-        self.assertEquals(MockView().get_description(), example)
+        self.assertEqual(MockView().get_description(), example)
+
+    def test_resource_description_supports_unicode(self):
+
+        class MockView(APIView):
+            """Проверка"""
+            pass
+
+        self.assertEqual(MockView().get_description(), "Проверка")
+
 
     def test_resource_description_does_not_require_docstring(self):
         """Ensure that empty docstrings do not affect the Resource's description if it has been set using the 'get_description' method."""
@@ -97,13 +109,13 @@ class TestViewNamesAndDescriptions(TestCase):
         class MockView(APIView):
             def get_description(self):
                 return example
-        self.assertEquals(MockView().get_description(), example)
+        self.assertEqual(MockView().get_description(), example)
 
     def test_resource_description_can_be_empty(self):
         """Ensure that if a resource has no doctring or 'description' class attribute, then it's description is the empty string."""
         class MockView(APIView):
             pass
-        self.assertEquals(MockView().get_description(), '')
+        self.assertEqual(MockView().get_description(), '')
 
     def test_markdown(self):
         """Ensure markdown to HTML works as expected"""
diff --git a/rest_framework/tests/fields.py b/rest_framework/tests/fields.py
index 8068272d4..fd6de7797 100644
--- a/rest_framework/tests/fields.py
+++ b/rest_framework/tests/fields.py
@@ -1,9 +1,13 @@
 """
 General serializer field tests.
 """
+from __future__ import unicode_literals
+import datetime
 
 from django.db import models
 from django.test import TestCase
+from django.core import validators
+
 from rest_framework import serializers
 
 
@@ -26,24 +30,415 @@ class CharPrimaryKeyModelSerializer(serializers.ModelSerializer):
         model = CharPrimaryKeyModel
 
 
-class ReadOnlyFieldTests(TestCase):
+class TimeFieldModel(models.Model):
+    clock = models.TimeField()
+
+
+class TimeFieldModelSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = TimeFieldModel
+
+
+class BasicFieldTests(TestCase):
     def test_auto_now_fields_read_only(self):
         """
         auto_now and auto_now_add fields should be read_only by default.
         """
         serializer = TimestampedModelSerializer()
-        self.assertEquals(serializer.fields['added'].read_only, True)
+        self.assertEqual(serializer.fields['added'].read_only, True)
 
     def test_auto_pk_fields_read_only(self):
         """
         AutoField fields should be read_only by default.
         """
         serializer = TimestampedModelSerializer()
-        self.assertEquals(serializer.fields['id'].read_only, True)
+        self.assertEqual(serializer.fields['id'].read_only, True)
 
     def test_non_auto_pk_fields_not_read_only(self):
         """
         PK fields other than AutoField fields should not be read_only by default.
         """
         serializer = CharPrimaryKeyModelSerializer()
-        self.assertEquals(serializer.fields['id'].read_only, False)
+        self.assertEqual(serializer.fields['id'].read_only, False)
+
+
+class DateFieldTest(TestCase):
+    """
+    Tests for the DateFieldTest from_native() and to_native() behavior
+    """
+
+    def test_from_native_string(self):
+        """
+        Make sure from_native() accepts default iso input formats.
+        """
+        f = serializers.DateField()
+        result_1 = f.from_native('1984-07-31')
+
+        self.assertEqual(datetime.date(1984, 7, 31), result_1)
+
+    def test_from_native_datetime_date(self):
+        """
+        Make sure from_native() accepts a datetime.date instance.
+        """
+        f = serializers.DateField()
+        result_1 = f.from_native(datetime.date(1984, 7, 31))
+
+        self.assertEqual(result_1, datetime.date(1984, 7, 31))
+
+    def test_from_native_custom_format(self):
+        """
+        Make sure from_native() accepts custom input formats.
+        """
+        f = serializers.DateField(input_formats=['%Y -- %d'])
+        result = f.from_native('1984 -- 31')
+
+        self.assertEqual(datetime.date(1984, 1, 31), result)
+
+    def test_from_native_invalid_default_on_custom_format(self):
+        """
+        Make sure from_native() don't accept default formats if custom format is preset
+        """
+        f = serializers.DateField(input_formats=['%Y -- %d'])
+
+        try:
+            f.from_native('1984-07-31')
+        except validators.ValidationError as e:
+            self.assertEqual(e.messages, ["Date has wrong format. Use one of these formats instead: YYYY -- DD"])
+        else:
+            self.fail("ValidationError was not properly raised")
+
+    def test_from_native_empty(self):
+        """
+        Make sure from_native() returns None on empty param.
+        """
+        f = serializers.DateField()
+        result = f.from_native('')
+
+        self.assertEqual(result, None)
+
+    def test_from_native_none(self):
+        """
+        Make sure from_native() returns None on None param.
+        """
+        f = serializers.DateField()
+        result = f.from_native(None)
+
+        self.assertEqual(result, None)
+
+    def test_from_native_invalid_date(self):
+        """
+        Make sure from_native() raises a ValidationError on passing an invalid date.
+        """
+        f = serializers.DateField()
+
+        try:
+            f.from_native('1984-13-31')
+        except validators.ValidationError as e:
+            self.assertEqual(e.messages, ["Date has wrong format. Use one of these formats instead: YYYY[-MM[-DD]]"])
+        else:
+            self.fail("ValidationError was not properly raised")
+
+    def test_from_native_invalid_format(self):
+        """
+        Make sure from_native() raises a ValidationError on passing an invalid format.
+        """
+        f = serializers.DateField()
+
+        try:
+            f.from_native('1984 -- 31')
+        except validators.ValidationError as e:
+            self.assertEqual(e.messages, ["Date has wrong format. Use one of these formats instead: YYYY[-MM[-DD]]"])
+        else:
+            self.fail("ValidationError was not properly raised")
+
+    def test_to_native(self):
+        """
+        Make sure to_native() returns isoformat as default.
+        """
+        f = serializers.DateField()
+
+        result_1 = f.to_native(datetime.date(1984, 7, 31))
+
+        self.assertEqual('1984-07-31', result_1)
+
+    def test_to_native_custom_format(self):
+        """
+        Make sure to_native() returns correct custom format.
+        """
+        f = serializers.DateField(format="%Y - %m.%d")
+
+        result_1 = f.to_native(datetime.date(1984, 7, 31))
+
+        self.assertEqual('1984 - 07.31', result_1)
+
+    def test_to_native_none(self):
+        """
+        Make sure from_native() returns None on None param.
+        """
+        f = serializers.DateField(required=False)
+        self.assertEqual(None, f.to_native(None))
+
+
+class DateTimeFieldTest(TestCase):
+    """
+    Tests for the DateTimeField from_native() and to_native() behavior
+    """
+
+    def test_from_native_string(self):
+        """
+        Make sure from_native() accepts default iso input formats.
+        """
+        f = serializers.DateTimeField()
+        result_1 = f.from_native('1984-07-31 04:31')
+        result_2 = f.from_native('1984-07-31 04:31:59')
+        result_3 = f.from_native('1984-07-31 04:31:59.000200')
+
+        self.assertEqual(datetime.datetime(1984, 7, 31, 4, 31), result_1)
+        self.assertEqual(datetime.datetime(1984, 7, 31, 4, 31, 59), result_2)
+        self.assertEqual(datetime.datetime(1984, 7, 31, 4, 31, 59, 200), result_3)
+
+    def test_from_native_datetime_datetime(self):
+        """
+        Make sure from_native() accepts a datetime.datetime instance.
+        """
+        f = serializers.DateTimeField()
+        result_1 = f.from_native(datetime.datetime(1984, 7, 31, 4, 31))
+        result_2 = f.from_native(datetime.datetime(1984, 7, 31, 4, 31, 59))
+        result_3 = f.from_native(datetime.datetime(1984, 7, 31, 4, 31, 59, 200))
+
+        self.assertEqual(result_1, datetime.datetime(1984, 7, 31, 4, 31))
+        self.assertEqual(result_2, datetime.datetime(1984, 7, 31, 4, 31, 59))
+        self.assertEqual(result_3, datetime.datetime(1984, 7, 31, 4, 31, 59, 200))
+
+    def test_from_native_custom_format(self):
+        """
+        Make sure from_native() accepts custom input formats.
+        """
+        f = serializers.DateTimeField(input_formats=['%Y -- %H:%M'])
+        result = f.from_native('1984 -- 04:59')
+
+        self.assertEqual(datetime.datetime(1984, 1, 1, 4, 59), result)
+
+    def test_from_native_invalid_default_on_custom_format(self):
+        """
+        Make sure from_native() don't accept default formats if custom format is preset
+        """
+        f = serializers.DateTimeField(input_formats=['%Y -- %H:%M'])
+
+        try:
+            f.from_native('1984-07-31 04:31:59')
+        except validators.ValidationError as e:
+            self.assertEqual(e.messages, ["Datetime has wrong format. Use one of these formats instead: YYYY -- hh:mm"])
+        else:
+            self.fail("ValidationError was not properly raised")
+
+    def test_from_native_empty(self):
+        """
+        Make sure from_native() returns None on empty param.
+        """
+        f = serializers.DateTimeField()
+        result = f.from_native('')
+
+        self.assertEqual(result, None)
+
+    def test_from_native_none(self):
+        """
+        Make sure from_native() returns None on None param.
+        """
+        f = serializers.DateTimeField()
+        result = f.from_native(None)
+
+        self.assertEqual(result, None)
+
+    def test_from_native_invalid_datetime(self):
+        """
+        Make sure from_native() raises a ValidationError on passing an invalid datetime.
+        """
+        f = serializers.DateTimeField()
+
+        try:
+            f.from_native('04:61:59')
+        except validators.ValidationError as e:
+            self.assertEqual(e.messages, ["Datetime has wrong format. Use one of these formats instead: "
+                                          "YYYY-MM-DDThh:mm[:ss[.uuuuuu]][+HHMM|-HHMM|Z]"])
+        else:
+            self.fail("ValidationError was not properly raised")
+
+    def test_from_native_invalid_format(self):
+        """
+        Make sure from_native() raises a ValidationError on passing an invalid format.
+        """
+        f = serializers.DateTimeField()
+
+        try:
+            f.from_native('04 -- 31')
+        except validators.ValidationError as e:
+            self.assertEqual(e.messages, ["Datetime has wrong format. Use one of these formats instead: "
+                                          "YYYY-MM-DDThh:mm[:ss[.uuuuuu]][+HHMM|-HHMM|Z]"])
+        else:
+            self.fail("ValidationError was not properly raised")
+
+    def test_to_native(self):
+        """
+        Make sure to_native() returns isoformat as default.
+        """
+        f = serializers.DateTimeField()
+
+        result_1 = f.to_native(datetime.datetime(1984, 7, 31))
+        result_2 = f.to_native(datetime.datetime(1984, 7, 31, 4, 31))
+        result_3 = f.to_native(datetime.datetime(1984, 7, 31, 4, 31, 59))
+        result_4 = f.to_native(datetime.datetime(1984, 7, 31, 4, 31, 59, 200))
+
+        self.assertEqual('1984-07-31T00:00:00', result_1)
+        self.assertEqual('1984-07-31T04:31:00', result_2)
+        self.assertEqual('1984-07-31T04:31:59', result_3)
+        self.assertEqual('1984-07-31T04:31:59.000200', result_4)
+
+    def test_to_native_custom_format(self):
+        """
+        Make sure to_native() returns correct custom format.
+        """
+        f = serializers.DateTimeField(format="%Y - %H:%M")
+
+        result_1 = f.to_native(datetime.datetime(1984, 7, 31))
+        result_2 = f.to_native(datetime.datetime(1984, 7, 31, 4, 31))
+        result_3 = f.to_native(datetime.datetime(1984, 7, 31, 4, 31, 59))
+        result_4 = f.to_native(datetime.datetime(1984, 7, 31, 4, 31, 59, 200))
+
+        self.assertEqual('1984 - 00:00', result_1)
+        self.assertEqual('1984 - 04:31', result_2)
+        self.assertEqual('1984 - 04:31', result_3)
+        self.assertEqual('1984 - 04:31', result_4)
+
+    def test_to_native_none(self):
+        """
+        Make sure from_native() returns None on None param.
+        """
+        f = serializers.DateTimeField(required=False)
+        self.assertEqual(None, f.to_native(None))
+
+
+class TimeFieldTest(TestCase):
+    """
+    Tests for the TimeField from_native() and to_native() behavior
+    """
+
+    def test_from_native_string(self):
+        """
+        Make sure from_native() accepts default iso input formats.
+        """
+        f = serializers.TimeField()
+        result_1 = f.from_native('04:31')
+        result_2 = f.from_native('04:31:59')
+        result_3 = f.from_native('04:31:59.000200')
+
+        self.assertEqual(datetime.time(4, 31), result_1)
+        self.assertEqual(datetime.time(4, 31, 59), result_2)
+        self.assertEqual(datetime.time(4, 31, 59, 200), result_3)
+
+    def test_from_native_datetime_time(self):
+        """
+        Make sure from_native() accepts a datetime.time instance.
+        """
+        f = serializers.TimeField()
+        result_1 = f.from_native(datetime.time(4, 31))
+        result_2 = f.from_native(datetime.time(4, 31, 59))
+        result_3 = f.from_native(datetime.time(4, 31, 59, 200))
+
+        self.assertEqual(result_1, datetime.time(4, 31))
+        self.assertEqual(result_2, datetime.time(4, 31, 59))
+        self.assertEqual(result_3, datetime.time(4, 31, 59, 200))
+
+    def test_from_native_custom_format(self):
+        """
+        Make sure from_native() accepts custom input formats.
+        """
+        f = serializers.TimeField(input_formats=['%H -- %M'])
+        result = f.from_native('04 -- 31')
+
+        self.assertEqual(datetime.time(4, 31), result)
+
+    def test_from_native_invalid_default_on_custom_format(self):
+        """
+        Make sure from_native() don't accept default formats if custom format is preset
+        """
+        f = serializers.TimeField(input_formats=['%H -- %M'])
+
+        try:
+            f.from_native('04:31:59')
+        except validators.ValidationError as e:
+            self.assertEqual(e.messages, ["Time has wrong format. Use one of these formats instead: hh -- mm"])
+        else:
+            self.fail("ValidationError was not properly raised")
+
+    def test_from_native_empty(self):
+        """
+        Make sure from_native() returns None on empty param.
+        """
+        f = serializers.TimeField()
+        result = f.from_native('')
+
+        self.assertEqual(result, None)
+
+    def test_from_native_none(self):
+        """
+        Make sure from_native() returns None on None param.
+        """
+        f = serializers.TimeField()
+        result = f.from_native(None)
+
+        self.assertEqual(result, None)
+
+    def test_from_native_invalid_time(self):
+        """
+        Make sure from_native() raises a ValidationError on passing an invalid time.
+        """
+        f = serializers.TimeField()
+
+        try:
+            f.from_native('04:61:59')
+        except validators.ValidationError as e:
+            self.assertEqual(e.messages, ["Time has wrong format. Use one of these formats instead: "
+                                          "hh:mm[:ss[.uuuuuu]]"])
+        else:
+            self.fail("ValidationError was not properly raised")
+
+    def test_from_native_invalid_format(self):
+        """
+        Make sure from_native() raises a ValidationError on passing an invalid format.
+        """
+        f = serializers.TimeField()
+
+        try:
+            f.from_native('04 -- 31')
+        except validators.ValidationError as e:
+            self.assertEqual(e.messages, ["Time has wrong format. Use one of these formats instead: "
+                                          "hh:mm[:ss[.uuuuuu]]"])
+        else:
+            self.fail("ValidationError was not properly raised")
+
+    def test_to_native(self):
+        """
+        Make sure to_native() returns isoformat as default.
+        """
+        f = serializers.TimeField()
+        result_1 = f.to_native(datetime.time(4, 31))
+        result_2 = f.to_native(datetime.time(4, 31, 59))
+        result_3 = f.to_native(datetime.time(4, 31, 59, 200))
+
+        self.assertEqual('04:31:00', result_1)
+        self.assertEqual('04:31:59', result_2)
+        self.assertEqual('04:31:59.000200', result_3)
+
+    def test_to_native_custom_format(self):
+        """
+        Make sure to_native() returns correct custom format.
+        """
+        f = serializers.TimeField(format="%H - %S [%f]")
+        result_1 = f.to_native(datetime.time(4, 31))
+        result_2 = f.to_native(datetime.time(4, 31, 59))
+        result_3 = f.to_native(datetime.time(4, 31, 59, 200))
+
+        self.assertEqual('04 - 00 [000000]', result_1)
+        self.assertEqual('04 - 59 [000000]', result_2)
+        self.assertEqual('04 - 59 [000200]', result_3)
diff --git a/rest_framework/tests/files.py b/rest_framework/tests/files.py
index 446e23c07..487046aca 100644
--- a/rest_framework/tests/files.py
+++ b/rest_framework/tests/files.py
@@ -1,9 +1,9 @@
-import StringIO
-import datetime
-
+from __future__ import unicode_literals
 from django.test import TestCase
-
 from rest_framework import serializers
+from rest_framework.compat import BytesIO
+from rest_framework.compat import six
+import datetime
 
 
 class UploadedFile(object):
@@ -27,14 +27,14 @@ class UploadedFileSerializer(serializers.Serializer):
 class FileSerializerTests(TestCase):
     def test_create(self):
         now = datetime.datetime.now()
-        file = StringIO.StringIO('stuff')
+        file = BytesIO(six.b('stuff'))
         file.name = 'stuff.txt'
-        file.size = file.len
+        file.size = len(file.getvalue())
         serializer = UploadedFileSerializer(data={'created': now}, files={'file': file})
         uploaded_file = UploadedFile(file=file, created=now)
         self.assertTrue(serializer.is_valid())
-        self.assertEquals(serializer.object.created, uploaded_file.created)
-        self.assertEquals(serializer.object.file, uploaded_file.file)
+        self.assertEqual(serializer.object.created, uploaded_file.created)
+        self.assertEqual(serializer.object.file, uploaded_file.file)
         self.assertFalse(serializer.object is uploaded_file)
 
     def test_creation_failure(self):
diff --git a/rest_framework/tests/filterset.py b/rest_framework/tests/filterset.py
index af2e6c2e7..fe92e0bcf 100644
--- a/rest_framework/tests/filterset.py
+++ b/rest_framework/tests/filterset.py
@@ -1,3 +1,4 @@
+from __future__ import unicode_literals
 import datetime
 from decimal import Decimal
 from django.test import TestCase
@@ -64,8 +65,8 @@ class IntegrationTestFiltering(TestCase):
 
         self.objects = FilterableItem.objects
         self.data = [
-        {'id': obj.id, 'text': obj.text, 'decimal': obj.decimal, 'date': obj.date}
-        for obj in self.objects.all()
+            {'id': obj.id, 'text': obj.text, 'decimal': obj.decimal, 'date': obj.date.isoformat()}
+            for obj in self.objects.all()
         ]
 
     @unittest.skipUnless(django_filters, 'django-filters not installed')
@@ -78,24 +79,24 @@ class IntegrationTestFiltering(TestCase):
         # Basic test with no filter.
         request = factory.get('/')
         response = view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, self.data)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, self.data)
 
         # Tests that the decimal filter works.
         search_decimal = Decimal('2.25')
         request = factory.get('/?decimal=%s' % search_decimal)
         response = view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
         expected_data = [f for f in self.data if f['decimal'] == search_decimal]
-        self.assertEquals(response.data, expected_data)
+        self.assertEqual(response.data, expected_data)
 
         # Tests that the date filter works.
         search_date = datetime.date(2012, 9, 22)
         request = factory.get('/?date=%s' % search_date)  # search_date str: '2012-09-22'
         response = view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        expected_data = [f for f in self.data if f['date'] == search_date]
-        self.assertEquals(response.data, expected_data)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        expected_data = [f for f in self.data if datetime.datetime.strptime(f['date'], '%Y-%m-%d').date() == search_date]
+        self.assertEqual(response.data, expected_data)
 
     @unittest.skipUnless(django_filters, 'django-filters not installed')
     def test_get_filtered_class_root_view(self):
@@ -108,42 +109,43 @@ class IntegrationTestFiltering(TestCase):
         # Basic test with no filter.
         request = factory.get('/')
         response = view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, self.data)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, self.data)
 
         # Tests that the decimal filter set with 'lt' in the filter class works.
         search_decimal = Decimal('4.25')
         request = factory.get('/?decimal=%s' % search_decimal)
         response = view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
         expected_data = [f for f in self.data if f['decimal'] < search_decimal]
-        self.assertEquals(response.data, expected_data)
+        self.assertEqual(response.data, expected_data)
 
         # Tests that the date filter set with 'gt' in the filter class works.
         search_date = datetime.date(2012, 10, 2)
         request = factory.get('/?date=%s' % search_date)  # search_date str: '2012-10-02'
         response = view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        expected_data = [f for f in self.data if f['date'] > search_date]
-        self.assertEquals(response.data, expected_data)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        expected_data = [f for f in self.data if datetime.datetime.strptime(f['date'], '%Y-%m-%d').date() > search_date]
+        self.assertEqual(response.data, expected_data)
 
         # Tests that the text filter set with 'icontains' in the filter class works.
         search_text = 'ff'
         request = factory.get('/?text=%s' % search_text)
         response = view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
         expected_data = [f for f in self.data if search_text in f['text'].lower()]
-        self.assertEquals(response.data, expected_data)
+        self.assertEqual(response.data, expected_data)
 
         # Tests that multiple filters works.
         search_decimal = Decimal('5.25')
         search_date = datetime.date(2012, 10, 2)
         request = factory.get('/?decimal=%s&date=%s' % (search_decimal, search_date))
         response = view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        expected_data = [f for f in self.data if f['date'] > search_date and
-                                                  f['decimal'] < search_decimal]
-        self.assertEquals(response.data, expected_data)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        expected_data = [f for f in self.data if
+                         datetime.datetime.strptime(f['date'], '%Y-%m-%d').date() > search_date and
+                         f['decimal'] < search_decimal]
+        self.assertEqual(response.data, expected_data)
 
     @unittest.skipUnless(django_filters, 'django-filters not installed')
     def test_incorrectly_configured_filter(self):
@@ -165,4 +167,4 @@ class IntegrationTestFiltering(TestCase):
         search_integer = 10
         request = factory.get('/?integer=%s' % search_integer)
         response = view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
diff --git a/rest_framework/tests/genericrelations.py b/rest_framework/tests/genericrelations.py
index bc7378e12..c38bfb9f3 100644
--- a/rest_framework/tests/genericrelations.py
+++ b/rest_framework/tests/genericrelations.py
@@ -1,25 +1,62 @@
+from __future__ import unicode_literals
+from django.contrib.contenttypes.models import ContentType
+from django.contrib.contenttypes.generic import GenericRelation, GenericForeignKey
+from django.db import models
 from django.test import TestCase
 from rest_framework import serializers
-from rest_framework.tests.models import *
+
+
+class Tag(models.Model):
+    """
+    Tags have a descriptive slug, and are attached to an arbitrary object.
+    """
+    tag = models.SlugField()
+    content_type = models.ForeignKey(ContentType)
+    object_id = models.PositiveIntegerField()
+    tagged_item = GenericForeignKey('content_type', 'object_id')
+
+    def __unicode__(self):
+        return self.tag
+
+
+class Bookmark(models.Model):
+    """
+    A URL bookmark that may have multiple tags attached.
+    """
+    url = models.URLField()
+    tags = GenericRelation(Tag)
+
+    def __unicode__(self):
+        return 'Bookmark: %s' % self.url
+
+
+class Note(models.Model):
+    """
+    A textual note that may have multiple tags attached.
+    """
+    text = models.TextField()
+    tags = GenericRelation(Tag)
+
+    def __unicode__(self):
+        return 'Note: %s' % self.text
 
 
 class TestGenericRelations(TestCase):
     def setUp(self):
-        bookmark = Bookmark(url='https://www.djangoproject.com/')
-        bookmark.save()
-        django = Tag(tag_name='django')
-        django.save()
-        python = Tag(tag_name='python')
-        python.save()
-        t1 = TaggedItem(content_object=bookmark, tag=django)
-        t1.save()
-        t2 = TaggedItem(content_object=bookmark, tag=python)
-        t2.save()
-        self.bookmark = bookmark
+        self.bookmark = Bookmark.objects.create(url='https://www.djangoproject.com/')
+        Tag.objects.create(tagged_item=self.bookmark, tag='django')
+        Tag.objects.create(tagged_item=self.bookmark, tag='python')
+        self.note = Note.objects.create(text='Remember the milk')
+        Tag.objects.create(tagged_item=self.note, tag='reminder')
+
+    def test_generic_relation(self):
+        """
+        Test a relationship that spans a GenericRelation field.
+        IE. A reverse generic relationship.
+        """
 
-    def test_reverse_generic_relation(self):
         class BookmarkSerializer(serializers.ModelSerializer):
-            tags = serializers.ManyRelatedField(source='tags')
+            tags = serializers.RelatedField(many=True)
 
             class Meta:
                 model = Bookmark
@@ -27,7 +64,37 @@ class TestGenericRelations(TestCase):
 
         serializer = BookmarkSerializer(self.bookmark)
         expected = {
-            'tags': [u'django', u'python'],
-            'url': u'https://www.djangoproject.com/'
+            'tags': ['django', 'python'],
+            'url': 'https://www.djangoproject.com/'
         }
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
+
+    def test_generic_fk(self):
+        """
+        Test a relationship that spans a GenericForeignKey field.
+        IE. A forward generic relationship.
+        """
+
+        class TagSerializer(serializers.ModelSerializer):
+            tagged_item = serializers.RelatedField()
+
+            class Meta:
+                model = Tag
+                exclude = ('id', 'content_type', 'object_id')
+
+        serializer = TagSerializer(Tag.objects.all(), many=True)
+        expected = [
+        {
+            'tag': 'django',
+            'tagged_item': 'Bookmark: https://www.djangoproject.com/'
+        },
+        {
+            'tag': 'python',
+            'tagged_item': 'Bookmark: https://www.djangoproject.com/'
+        },
+        {
+            'tag': 'reminder',
+            'tagged_item': 'Note: Remember the milk'
+        }
+        ]
+        self.assertEqual(serializer.data, expected)
diff --git a/rest_framework/tests/generics.py b/rest_framework/tests/generics.py
index 4799a04b5..f564890cc 100644
--- a/rest_framework/tests/generics.py
+++ b/rest_framework/tests/generics.py
@@ -1,10 +1,11 @@
-import json
+from __future__ import unicode_literals
 from django.db import models
 from django.test import TestCase
 from rest_framework import generics, serializers, status
 from rest_framework.tests.utils import RequestFactory
 from rest_framework.tests.models import BasicModel, Comment, SlugBasedModel
-
+from rest_framework.compat import six
+import json
 
 factory = RequestFactory()
 
@@ -42,7 +43,7 @@ class SlugBasedInstanceView(InstanceView):
 class TestRootView(TestCase):
     def setUp(self):
         """
-        Create 3 BasicModel intances.
+        Create 3 BasicModel instances.
         """
         items = ['foo', 'bar', 'baz']
         for item in items:
@@ -59,9 +60,10 @@ class TestRootView(TestCase):
         GET requests to ListCreateAPIView should return list of objects.
         """
         request = factory.get('/')
-        response = self.view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, self.data)
+        with self.assertNumQueries(1):
+            response = self.view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, self.data)
 
     def test_post_root_view(self):
         """
@@ -70,11 +72,12 @@ class TestRootView(TestCase):
         content = {'text': 'foobar'}
         request = factory.post('/', json.dumps(content),
                                content_type='application/json')
-        response = self.view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_201_CREATED)
-        self.assertEquals(response.data, {'id': 4, 'text': u'foobar'})
+        with self.assertNumQueries(1):
+            response = self.view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+        self.assertEqual(response.data, {'id': 4, 'text': 'foobar'})
         created = self.objects.get(id=4)
-        self.assertEquals(created.text, 'foobar')
+        self.assertEqual(created.text, 'foobar')
 
     def test_put_root_view(self):
         """
@@ -83,25 +86,28 @@ class TestRootView(TestCase):
         content = {'text': 'foobar'}
         request = factory.put('/', json.dumps(content),
                               content_type='application/json')
-        response = self.view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
-        self.assertEquals(response.data, {"detail": "Method 'PUT' not allowed."})
+        with self.assertNumQueries(0):
+            response = self.view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
+        self.assertEqual(response.data, {"detail": "Method 'PUT' not allowed."})
 
     def test_delete_root_view(self):
         """
         DELETE requests to ListCreateAPIView should not be allowed
         """
         request = factory.delete('/')
-        response = self.view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
-        self.assertEquals(response.data, {"detail": "Method 'DELETE' not allowed."})
+        with self.assertNumQueries(0):
+            response = self.view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
+        self.assertEqual(response.data, {"detail": "Method 'DELETE' not allowed."})
 
     def test_options_root_view(self):
         """
         OPTIONS requests to ListCreateAPIView should return metadata
         """
         request = factory.options('/')
-        response = self.view(request).render()
+        with self.assertNumQueries(0):
+            response = self.view(request).render()
         expected = {
             'parses': [
                 'application/json',
@@ -115,8 +121,8 @@ class TestRootView(TestCase):
             'name': 'Root',
             'description': 'Example description for OPTIONS.'
         }
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, expected)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, expected)
 
     def test_post_cannot_set_id(self):
         """
@@ -125,11 +131,12 @@ class TestRootView(TestCase):
         content = {'id': 999, 'text': 'foobar'}
         request = factory.post('/', json.dumps(content),
                                content_type='application/json')
-        response = self.view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_201_CREATED)
-        self.assertEquals(response.data, {'id': 4, 'text': u'foobar'})
+        with self.assertNumQueries(1):
+            response = self.view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+        self.assertEqual(response.data, {'id': 4, 'text': 'foobar'})
         created = self.objects.get(id=4)
-        self.assertEquals(created.text, 'foobar')
+        self.assertEqual(created.text, 'foobar')
 
 
 class TestInstanceView(TestCase):
@@ -153,9 +160,10 @@ class TestInstanceView(TestCase):
         GET requests to RetrieveUpdateDestroyAPIView should return a single object.
         """
         request = factory.get('/1')
-        response = self.view(request, pk=1).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, self.data[0])
+        with self.assertNumQueries(1):
+            response = self.view(request, pk=1).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, self.data[0])
 
     def test_post_instance_view(self):
         """
@@ -164,9 +172,10 @@ class TestInstanceView(TestCase):
         content = {'text': 'foobar'}
         request = factory.post('/', json.dumps(content),
                                content_type='application/json')
-        response = self.view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
-        self.assertEquals(response.data, {"detail": "Method 'POST' not allowed."})
+        with self.assertNumQueries(0):
+            response = self.view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
+        self.assertEqual(response.data, {"detail": "Method 'POST' not allowed."})
 
     def test_put_instance_view(self):
         """
@@ -175,11 +184,12 @@ class TestInstanceView(TestCase):
         content = {'text': 'foobar'}
         request = factory.put('/1', json.dumps(content),
                               content_type='application/json')
-        response = self.view(request, pk='1').render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, {'id': 1, 'text': 'foobar'})
+        with self.assertNumQueries(2):
+            response = self.view(request, pk='1').render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, {'id': 1, 'text': 'foobar'})
         updated = self.objects.get(id=1)
-        self.assertEquals(updated.text, 'foobar')
+        self.assertEqual(updated.text, 'foobar')
 
     def test_patch_instance_view(self):
         """
@@ -189,29 +199,32 @@ class TestInstanceView(TestCase):
         request = factory.patch('/1', json.dumps(content),
                               content_type='application/json')
 
-        response = self.view(request, pk=1).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, {'id': 1, 'text': 'foobar'})
+        with self.assertNumQueries(2):
+            response = self.view(request, pk=1).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, {'id': 1, 'text': 'foobar'})
         updated = self.objects.get(id=1)
-        self.assertEquals(updated.text, 'foobar')
+        self.assertEqual(updated.text, 'foobar')
 
     def test_delete_instance_view(self):
         """
         DELETE requests to RetrieveUpdateDestroyAPIView should delete an object.
         """
         request = factory.delete('/1')
-        response = self.view(request, pk=1).render()
-        self.assertEquals(response.status_code, status.HTTP_204_NO_CONTENT)
-        self.assertEquals(response.content, '')
+        with self.assertNumQueries(2):
+            response = self.view(request, pk=1).render()
+        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+        self.assertEqual(response.content, six.b(''))
         ids = [obj.id for obj in self.objects.all()]
-        self.assertEquals(ids, [2, 3])
+        self.assertEqual(ids, [2, 3])
 
     def test_options_instance_view(self):
         """
         OPTIONS requests to RetrieveUpdateDestroyAPIView should return metadata
         """
         request = factory.options('/')
-        response = self.view(request).render()
+        with self.assertNumQueries(0):
+            response = self.view(request).render()
         expected = {
             'parses': [
                 'application/json',
@@ -225,8 +238,8 @@ class TestInstanceView(TestCase):
             'name': 'Instance',
             'description': 'Example description for OPTIONS.'
         }
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, expected)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, expected)
 
     def test_put_cannot_set_id(self):
         """
@@ -235,11 +248,12 @@ class TestInstanceView(TestCase):
         content = {'id': 999, 'text': 'foobar'}
         request = factory.put('/1', json.dumps(content),
                               content_type='application/json')
-        response = self.view(request, pk=1).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, {'id': 1, 'text': 'foobar'})
+        with self.assertNumQueries(2):
+            response = self.view(request, pk=1).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, {'id': 1, 'text': 'foobar'})
         updated = self.objects.get(id=1)
-        self.assertEquals(updated.text, 'foobar')
+        self.assertEqual(updated.text, 'foobar')
 
     def test_put_to_deleted_instance(self):
         """
@@ -250,11 +264,12 @@ class TestInstanceView(TestCase):
         content = {'text': 'foobar'}
         request = factory.put('/1', json.dumps(content),
                               content_type='application/json')
-        response = self.view(request, pk=1).render()
-        self.assertEquals(response.status_code, status.HTTP_201_CREATED)
-        self.assertEquals(response.data, {'id': 1, 'text': 'foobar'})
+        with self.assertNumQueries(3):
+            response = self.view(request, pk=1).render()
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+        self.assertEqual(response.data, {'id': 1, 'text': 'foobar'})
         updated = self.objects.get(id=1)
-        self.assertEquals(updated.text, 'foobar')
+        self.assertEqual(updated.text, 'foobar')
 
     def test_put_as_create_on_id_based_url(self):
         """
@@ -262,13 +277,14 @@ class TestInstanceView(TestCase):
         at the requested url if it doesn't exist.
         """
         content = {'text': 'foobar'}
-        # pk fields can not be created on demand, only the database can set th pk for a new object
+        # pk fields can not be created on demand, only the database can set the pk for a new object
         request = factory.put('/5', json.dumps(content),
                               content_type='application/json')
-        response = self.view(request, pk=5).render()
-        self.assertEquals(response.status_code, status.HTTP_201_CREATED)
+        with self.assertNumQueries(3):
+            response = self.view(request, pk=5).render()
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
         new_obj = self.objects.get(pk=5)
-        self.assertEquals(new_obj.text, 'foobar')
+        self.assertEqual(new_obj.text, 'foobar')
 
     def test_put_as_create_on_slug_based_url(self):
         """
@@ -278,11 +294,12 @@ class TestInstanceView(TestCase):
         content = {'text': 'foobar'}
         request = factory.put('/test_slug', json.dumps(content),
                               content_type='application/json')
-        response = self.slug_based_view(request, slug='test_slug').render()
-        self.assertEquals(response.status_code, status.HTTP_201_CREATED)
-        self.assertEquals(response.data, {'slug': 'test_slug', 'text': 'foobar'})
+        with self.assertNumQueries(2):
+            response = self.slug_based_view(request, slug='test_slug').render()
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+        self.assertEqual(response.data, {'slug': 'test_slug', 'text': 'foobar'})
         new_obj = SlugBasedModel.objects.get(slug='test_slug')
-        self.assertEquals(new_obj.text, 'foobar')
+        self.assertEqual(new_obj.text, 'foobar')
 
 
 # Regression test for #285
@@ -313,12 +330,12 @@ class TestCreateModelWithAutoNowAddField(TestCase):
         request = factory.post('/', json.dumps(content),
                                content_type='application/json')
         response = self.view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_201_CREATED)
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
         created = self.objects.get(id=1)
-        self.assertEquals(created.content, 'foobar')
+        self.assertEqual(created.content, 'foobar')
 
 
-# Test for particularly ugly reression with m2m in browseable API
+# Test for particularly ugly regression with m2m in browseable API
 class ClassB(models.Model):
     name = models.CharField(max_length=255)
 
@@ -329,7 +346,7 @@ class ClassA(models.Model):
 
 
 class ClassASerializer(serializers.ModelSerializer):
-    childs = serializers.ManyPrimaryKeyRelatedField(source='childs')
+    childs = serializers.PrimaryKeyRelatedField(many=True, source='childs')
 
     class Meta:
         model = ClassA
@@ -343,9 +360,84 @@ class ExampleView(generics.ListCreateAPIView):
 class TestM2MBrowseableAPI(TestCase):
     def test_m2m_in_browseable_api(self):
         """
-        Test for particularly ugly reression with m2m in browseable API
+        Test for particularly ugly regression with m2m in browseable API
         """
         request = factory.get('/', HTTP_ACCEPT='text/html')
         view = ExampleView().as_view()
         response = view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+
+class InclusiveFilterBackend(object):
+    def filter_queryset(self, request, queryset, view):
+        return queryset.filter(text='foo')
+
+
+class ExclusiveFilterBackend(object):
+    def filter_queryset(self, request, queryset, view):
+        return queryset.filter(text='other')
+
+
+class TestFilterBackendAppliedToViews(TestCase):
+
+    def setUp(self):
+        """
+        Create 3 BasicModel instances to filter on.
+        """
+        items = ['foo', 'bar', 'baz']
+        for item in items:
+            BasicModel(text=item).save()
+        self.objects = BasicModel.objects
+        self.data = [
+            {'id': obj.id, 'text': obj.text}
+            for obj in self.objects.all()
+        ]
+        self.root_view = RootView.as_view()
+        self.instance_view = InstanceView.as_view()
+        self.original_root_backend = getattr(RootView, 'filter_backend')
+        self.original_instance_backend = getattr(InstanceView, 'filter_backend')
+
+    def tearDown(self):
+        setattr(RootView, 'filter_backend', self.original_root_backend)
+        setattr(InstanceView, 'filter_backend', self.original_instance_backend)
+
+    def test_get_root_view_filters_by_name_with_filter_backend(self):
+        """
+        GET requests to ListCreateAPIView should return filtered list.
+        """
+        setattr(RootView, 'filter_backend', InclusiveFilterBackend)
+        request = factory.get('/')
+        response = self.root_view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(len(response.data), 1)
+        self.assertEqual(response.data, [{'id': 1, 'text': 'foo'}])
+
+    def test_get_root_view_filters_out_all_models_with_exclusive_filter_backend(self):
+        """
+        GET requests to ListCreateAPIView should return empty list when all models are filtered out.
+        """
+        setattr(RootView, 'filter_backend', ExclusiveFilterBackend)
+        request = factory.get('/')
+        response = self.root_view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, [])
+
+    def test_get_instance_view_filters_out_name_with_filter_backend(self):
+        """
+        GET requests to RetrieveUpdateDestroyAPIView should raise 404 when model filtered out.
+        """
+        setattr(InstanceView, 'filter_backend', ExclusiveFilterBackend)
+        request = factory.get('/1')
+        response = self.instance_view(request, pk=1).render()
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+        self.assertEqual(response.data, {'detail': 'Not found'})
+
+    def test_get_instance_view_will_return_single_object_when_filter_does_not_exclude_it(self):
+        """
+        GET requests to RetrieveUpdateDestroyAPIView should return a single object when not excluded
+        """
+        setattr(InstanceView, 'filter_backend', InclusiveFilterBackend)
+        request = factory.get('/1')
+        response = self.instance_view(request, pk=1).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, {'id': 1, 'text': 'foo'})
diff --git a/rest_framework/tests/htmlrenderer.py b/rest_framework/tests/htmlrenderer.py
index 54096206d..8f2e2b5a0 100644
--- a/rest_framework/tests/htmlrenderer.py
+++ b/rest_framework/tests/htmlrenderer.py
@@ -1,12 +1,15 @@
+from __future__ import unicode_literals
 from django.core.exceptions import PermissionDenied
 from django.http import Http404
 from django.test import TestCase
 from django.template import TemplateDoesNotExist, Template
 import django.template.loader
+from rest_framework import status
 from rest_framework.compat import patterns, url
 from rest_framework.decorators import api_view, renderer_classes
 from rest_framework.renderers import TemplateHTMLRenderer
 from rest_framework.response import Response
+from rest_framework.compat import six
 
 
 @api_view(('GET',))
@@ -63,19 +66,19 @@ class TemplateHTMLRendererTests(TestCase):
     def test_simple_html_view(self):
         response = self.client.get('/')
         self.assertContains(response, "example: foobar")
-        self.assertEquals(response['Content-Type'], 'text/html')
+        self.assertEqual(response['Content-Type'], 'text/html')
 
     def test_not_found_html_view(self):
         response = self.client.get('/not_found')
-        self.assertEquals(response.status_code, 404)
-        self.assertEquals(response.content, "404 Not Found")
-        self.assertEquals(response['Content-Type'], 'text/html')
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+        self.assertEqual(response.content, six.b("404 Not Found"))
+        self.assertEqual(response['Content-Type'], 'text/html')
 
     def test_permission_denied_html_view(self):
         response = self.client.get('/permission_denied')
-        self.assertEquals(response.status_code, 403)
-        self.assertEquals(response.content, "403 Forbidden")
-        self.assertEquals(response['Content-Type'], 'text/html')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.content, six.b("403 Forbidden"))
+        self.assertEqual(response['Content-Type'], 'text/html')
 
 
 class TemplateHTMLRendererExceptionTests(TestCase):
@@ -104,12 +107,12 @@ class TemplateHTMLRendererExceptionTests(TestCase):
 
     def test_not_found_html_view_with_template(self):
         response = self.client.get('/not_found')
-        self.assertEquals(response.status_code, 404)
-        self.assertEquals(response.content, "404: Not found")
-        self.assertEquals(response['Content-Type'], 'text/html')
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+        self.assertEqual(response.content, six.b("404: Not found"))
+        self.assertEqual(response['Content-Type'], 'text/html')
 
     def test_permission_denied_html_view_with_template(self):
         response = self.client.get('/permission_denied')
-        self.assertEquals(response.status_code, 403)
-        self.assertEquals(response.content, "403: Permission denied")
-        self.assertEquals(response['Content-Type'], 'text/html')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.content, six.b("403: Permission denied"))
+        self.assertEqual(response['Content-Type'], 'text/html')
diff --git a/rest_framework/tests/hyperlinkedserializers.py b/rest_framework/tests/hyperlinkedserializers.py
index c6a8224b1..9a61f299a 100644
--- a/rest_framework/tests/hyperlinkedserializers.py
+++ b/rest_framework/tests/hyperlinkedserializers.py
@@ -1,3 +1,4 @@
+from __future__ import unicode_literals
 import json
 from django.test import TestCase
 from django.test.client import RequestFactory
@@ -99,7 +100,7 @@ class TestBasicHyperlinkedView(TestCase):
 
     def setUp(self):
         """
-        Create 3 BasicModel intances.
+        Create 3 BasicModel instances.
         """
         items = ['foo', 'bar', 'baz']
         for item in items:
@@ -118,8 +119,8 @@ class TestBasicHyperlinkedView(TestCase):
         """
         request = factory.get('/basic/')
         response = self.list_view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, self.data)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, self.data)
 
     def test_get_detail_view(self):
         """
@@ -127,8 +128,8 @@ class TestBasicHyperlinkedView(TestCase):
         """
         request = factory.get('/basic/1')
         response = self.detail_view(request, pk=1).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, self.data[0])
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, self.data[0])
 
 
 class TestManyToManyHyperlinkedView(TestCase):
@@ -136,7 +137,7 @@ class TestManyToManyHyperlinkedView(TestCase):
 
     def setUp(self):
         """
-        Create 3 BasicModel intances.
+        Create 3 BasicModel instances.
         """
         items = ['foo', 'bar', 'baz']
         anchors = []
@@ -166,8 +167,8 @@ class TestManyToManyHyperlinkedView(TestCase):
         """
         request = factory.get('/manytomany/')
         response = self.list_view(request)
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, self.data)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, self.data)
 
     def test_get_detail_view(self):
         """
@@ -175,8 +176,8 @@ class TestManyToManyHyperlinkedView(TestCase):
         """
         request = factory.get('/manytomany/1/')
         response = self.detail_view(request, pk=1)
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, self.data[0])
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, self.data[0])
 
 
 class TestCreateWithForeignKeys(TestCase):
@@ -234,7 +235,7 @@ class TestOptionalRelationHyperlinkedView(TestCase):
 
     def setUp(self):
         """
-        Create 1 OptionalRelationModel intances.
+        Create 1 OptionalRelationModel instances.
         """
         OptionalRelationModel().save()
         self.objects = OptionalRelationModel.objects
@@ -248,8 +249,8 @@ class TestOptionalRelationHyperlinkedView(TestCase):
         """
         request = factory.get('/optionalrelationmodel-detail/1')
         response = self.detail_view(request, pk=1)
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data, self.data)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, self.data)
 
     def test_put_detail_view(self):
         """
diff --git a/rest_framework/tests/models.py b/rest_framework/tests/models.py
index 93f097615..f2117538c 100644
--- a/rest_framework/tests/models.py
+++ b/rest_framework/tests/models.py
@@ -1,35 +1,6 @@
+from __future__ import unicode_literals
 from django.db import models
-from django.contrib.contenttypes.models import ContentType
-from django.contrib.contenttypes.generic import GenericForeignKey, GenericRelation
 
-# from django.contrib.auth.models import Group
-
-
-# class CustomUser(models.Model):
-#     """
-#     A custom user model, which uses a 'through' table for the foreign key
-#     """
-#     username = models.CharField(max_length=255, unique=True)
-#     groups = models.ManyToManyField(
-#         to=Group, blank=True, null=True, through='UserGroupMap'
-#     )
-
-#     @models.permalink
-#     def get_absolute_url(self):
-#         return ('custom_user', (), {
-#             'pk': self.id
-#     })
-
-
-# class UserGroupMap(models.Model):
-#     user = models.ForeignKey(to=CustomUser)
-#     group = models.ForeignKey(to=Group)
-
-#     @models.permalink
-#     def get_absolute_url(self):
-#         return ('user_group_map', (), {
-#             'pk': self.id
-#         })
 
 def foobar():
     return 'foobar'
@@ -86,27 +57,6 @@ class ReadOnlyManyToManyModel(RESTFrameworkModel):
     text = models.CharField(max_length=100, default='anchor')
     rel = models.ManyToManyField(Anchor)
 
-# Models to test generic relations
-
-
-class Tag(RESTFrameworkModel):
-    tag_name = models.SlugField()
-
-
-class TaggedItem(RESTFrameworkModel):
-    tag = models.ForeignKey(Tag, related_name='items')
-    content_type = models.ForeignKey(ContentType)
-    object_id = models.PositiveIntegerField()
-    content_object = GenericForeignKey('content_type', 'object_id')
-
-    def __unicode__(self):
-        return self.tag.tag_name
-
-
-class Bookmark(RESTFrameworkModel):
-    url = models.URLField()
-    tags = GenericRelation(TaggedItem)
-
 
 # Model to test filtering.
 class FilterableItem(RESTFrameworkModel):
diff --git a/rest_framework/tests/modelviews.py b/rest_framework/tests/modelviews.py
deleted file mode 100644
index f12e3b979..000000000
--- a/rest_framework/tests/modelviews.py
+++ /dev/null
@@ -1,90 +0,0 @@
-# from rest_framework.compat import patterns, url
-# from django.forms import ModelForm
-# from django.contrib.auth.models import Group, User
-# from rest_framework.resources import ModelResource
-# from rest_framework.views import ListOrCreateModelView, InstanceModelView
-# from rest_framework.tests.models import CustomUser
-# from rest_framework.tests.testcases import TestModelsTestCase
-
-
-# class GroupResource(ModelResource):
-#     model = Group
-
-
-# class UserForm(ModelForm):
-#     class Meta:
-#         model = User
-#         exclude = ('last_login', 'date_joined')
-
-
-# class UserResource(ModelResource):
-#     model = User
-#     form = UserForm
-
-
-# class CustomUserResource(ModelResource):
-#     model = CustomUser
-
-# urlpatterns = patterns('',
-#     url(r'^users/$', ListOrCreateModelView.as_view(resource=UserResource), name='users'),
-#     url(r'^users/(?P[0-9]+)/$', InstanceModelView.as_view(resource=UserResource)),
-#     url(r'^customusers/$', ListOrCreateModelView.as_view(resource=CustomUserResource), name='customusers'),
-#     url(r'^customusers/(?P[0-9]+)/$', InstanceModelView.as_view(resource=CustomUserResource)),
-#     url(r'^groups/$', ListOrCreateModelView.as_view(resource=GroupResource), name='groups'),
-#     url(r'^groups/(?P[0-9]+)/$', InstanceModelView.as_view(resource=GroupResource)),
-# )
-
-
-# class ModelViewTests(TestModelsTestCase):
-#     """Test the model views rest_framework provides"""
-#     urls = 'rest_framework.tests.modelviews'
-
-#     def test_creation(self):
-#         """Ensure that a model object can be created"""
-#         self.assertEqual(0, Group.objects.count())
-
-#         response = self.client.post('/groups/', {'name': 'foo'})
-
-#         self.assertEqual(response.status_code, 201)
-#         self.assertEqual(1, Group.objects.count())
-#         self.assertEqual('foo', Group.objects.all()[0].name)
-
-#     def test_creation_with_m2m_relation(self):
-#         """Ensure that a model object with a m2m relation can be created"""
-#         group = Group(name='foo')
-#         group.save()
-#         self.assertEqual(0, User.objects.count())
-
-#         response = self.client.post('/users/', {'username': 'bar', 'password': 'baz', 'groups': [group.id]})
-
-#         self.assertEqual(response.status_code, 201)
-#         self.assertEqual(1, User.objects.count())
-
-#         user = User.objects.all()[0]
-#         self.assertEqual('bar', user.username)
-#         self.assertEqual('baz', user.password)
-#         self.assertEqual(1, user.groups.count())
-
-#         group = user.groups.all()[0]
-#         self.assertEqual('foo', group.name)
-
-#     def test_creation_with_m2m_relation_through(self):
-#         """
-#         Ensure that a model object with a m2m relation can be created where that
-#         relation uses a through table
-#         """
-#         group = Group(name='foo')
-#         group.save()
-#         self.assertEqual(0, User.objects.count())
-
-#         response = self.client.post('/customusers/', {'username': 'bar', 'groups': [group.id]})
-
-#         self.assertEqual(response.status_code, 201)
-#         self.assertEqual(1, CustomUser.objects.count())
-
-#         user = CustomUser.objects.all()[0]
-#         self.assertEqual('bar', user.username)
-#         self.assertEqual(1, user.groups.count())
-
-#         group = user.groups.all()[0]
-#         self.assertEqual('foo', group.name)
diff --git a/rest_framework/tests/multitable_inheritance.py b/rest_framework/tests/multitable_inheritance.py
new file mode 100644
index 000000000..00c153276
--- /dev/null
+++ b/rest_framework/tests/multitable_inheritance.py
@@ -0,0 +1,67 @@
+from __future__ import unicode_literals
+from django.db import models
+from django.test import TestCase
+from rest_framework import serializers
+from rest_framework.tests.models import RESTFrameworkModel
+
+
+# Models
+class ParentModel(RESTFrameworkModel):
+    name1 = models.CharField(max_length=100)
+
+
+class ChildModel(ParentModel):
+    name2 = models.CharField(max_length=100)
+
+
+class AssociatedModel(RESTFrameworkModel):
+    ref = models.OneToOneField(ParentModel, primary_key=True)
+    name = models.CharField(max_length=100)
+
+
+# Serializers
+class DerivedModelSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = ChildModel
+
+
+class AssociatedModelSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = AssociatedModel
+
+
+# Tests
+class IneritedModelSerializationTests(TestCase):
+
+    def test_multitable_inherited_model_fields_as_expected(self):
+        """
+        Assert that the parent pointer field is not included in the fields
+        serialized fields
+        """
+        child = ChildModel(name1='parent name', name2='child name')
+        serializer = DerivedModelSerializer(child)
+        self.assertEqual(set(serializer.data.keys()),
+                         set(['name1', 'name2', 'id']))
+
+    def test_onetoone_primary_key_model_fields_as_expected(self):
+        """
+        Assert that a model with a onetoone field that is the primary key is
+        not treated like a derived model
+        """
+        parent = ParentModel(name1='parent name')
+        associate = AssociatedModel(name='hello', ref=parent)
+        serializer = AssociatedModelSerializer(associate)
+        self.assertEqual(set(serializer.data.keys()),
+                         set(['name', 'ref']))
+
+    def test_data_is_valid_without_parent_ptr(self):
+        """
+        Assert that the pointer to the parent table is not a required field
+        for input data
+        """
+        data = {
+            'name1': 'parent name',
+            'name2': 'child name',
+        }
+        serializer = DerivedModelSerializer(data=data)
+        self.assertEqual(serializer.is_valid(), True)
diff --git a/rest_framework/tests/negotiation.py b/rest_framework/tests/negotiation.py
index e06354ead..43721b842 100644
--- a/rest_framework/tests/negotiation.py
+++ b/rest_framework/tests/negotiation.py
@@ -1,6 +1,9 @@
+from __future__ import unicode_literals
 from django.test import TestCase
 from django.test.client import RequestFactory
 from rest_framework.negotiation import DefaultContentNegotiation
+from rest_framework.request import Request
+
 
 factory = RequestFactory()
 
@@ -22,16 +25,16 @@ class TestAcceptedMediaType(TestCase):
         return self.negotiator.select_renderer(request, self.renderers)
 
     def test_client_without_accept_use_renderer(self):
-        request = factory.get('/')
+        request = Request(factory.get('/'))
         accepted_renderer, accepted_media_type = self.select_renderer(request)
-        self.assertEquals(accepted_media_type, 'application/json')
+        self.assertEqual(accepted_media_type, 'application/json')
 
     def test_client_underspecifies_accept_use_renderer(self):
-        request = factory.get('/', HTTP_ACCEPT='*/*')
+        request = Request(factory.get('/', HTTP_ACCEPT='*/*'))
         accepted_renderer, accepted_media_type = self.select_renderer(request)
-        self.assertEquals(accepted_media_type, 'application/json')
+        self.assertEqual(accepted_media_type, 'application/json')
 
     def test_client_overspecifies_accept_use_client(self):
-        request = factory.get('/', HTTP_ACCEPT='application/json; indent=8')
+        request = Request(factory.get('/', HTTP_ACCEPT='application/json; indent=8'))
         accepted_renderer, accepted_media_type = self.select_renderer(request)
-        self.assertEquals(accepted_media_type, 'application/json; indent=8')
+        self.assertEqual(accepted_media_type, 'application/json; indent=8')
diff --git a/rest_framework/tests/pagination.py b/rest_framework/tests/pagination.py
index 3b5508779..1a2d68a68 100644
--- a/rest_framework/tests/pagination.py
+++ b/rest_framework/tests/pagination.py
@@ -1,5 +1,7 @@
+from __future__ import unicode_literals
 import datetime
 from decimal import Decimal
+import django
 from django.core.paginator import Paginator
 from django.test import TestCase
 from django.test.client import RequestFactory
@@ -19,21 +21,6 @@ class RootView(generics.ListCreateAPIView):
     paginate_by = 10
 
 
-if django_filters:
-    class DecimalFilter(django_filters.FilterSet):
-        decimal = django_filters.NumberFilter(lookup_type='lt')
-
-        class Meta:
-            model = FilterableItem
-            fields = ['text', 'decimal', 'date']
-
-    class FilterFieldsRootView(generics.ListCreateAPIView):
-        model = FilterableItem
-        paginate_by = 10
-        filter_class = DecimalFilter
-        filter_backend = filters.DjangoFilterBackend
-
-
 class DefaultPageSizeKwargView(generics.ListAPIView):
     """
     View for testing default paginate_by_param usage
@@ -72,28 +59,32 @@ class IntegrationTestPagination(TestCase):
         GET requests to paginated ListCreateAPIView should return paginated results.
         """
         request = factory.get('/')
-        response = self.view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data['count'], 26)
-        self.assertEquals(response.data['results'], self.data[:10])
-        self.assertNotEquals(response.data['next'], None)
-        self.assertEquals(response.data['previous'], None)
+        # Note: Database queries are a `SELECT COUNT`, and `SELECT `
+        with self.assertNumQueries(2):
+            response = self.view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data['count'], 26)
+        self.assertEqual(response.data['results'], self.data[:10])
+        self.assertNotEqual(response.data['next'], None)
+        self.assertEqual(response.data['previous'], None)
 
         request = factory.get(response.data['next'])
-        response = self.view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data['count'], 26)
-        self.assertEquals(response.data['results'], self.data[10:20])
-        self.assertNotEquals(response.data['next'], None)
-        self.assertNotEquals(response.data['previous'], None)
+        with self.assertNumQueries(2):
+            response = self.view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data['count'], 26)
+        self.assertEqual(response.data['results'], self.data[10:20])
+        self.assertNotEqual(response.data['next'], None)
+        self.assertNotEqual(response.data['previous'], None)
 
         request = factory.get(response.data['next'])
-        response = self.view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data['count'], 26)
-        self.assertEquals(response.data['results'], self.data[20:])
-        self.assertEquals(response.data['next'], None)
-        self.assertNotEquals(response.data['previous'], None)
+        with self.assertNumQueries(2):
+            response = self.view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data['count'], 26)
+        self.assertEqual(response.data['results'], self.data[20:])
+        self.assertEqual(response.data['next'], None)
+        self.assertNotEqual(response.data['previous'], None)
 
 
 class IntegrationTestPaginationAndFiltering(TestCase):
@@ -111,41 +102,115 @@ class IntegrationTestPaginationAndFiltering(TestCase):
 
         self.objects = FilterableItem.objects
         self.data = [
-        {'id': obj.id, 'text': obj.text, 'decimal': obj.decimal, 'date': obj.date}
-        for obj in self.objects.all()
+            {'id': obj.id, 'text': obj.text, 'decimal': obj.decimal, 'date': obj.date.isoformat()}
+            for obj in self.objects.all()
         ]
-        self.view = FilterFieldsRootView.as_view()
 
     @unittest.skipUnless(django_filters, 'django-filters not installed')
-    def test_get_paginated_filtered_root_view(self):
+    def test_get_django_filter_paginated_filtered_root_view(self):
         """
         GET requests to paginated filtered ListCreateAPIView should return
         paginated results. The next and previous links should preserve the
         filtered parameters.
         """
+        class DecimalFilter(django_filters.FilterSet):
+            decimal = django_filters.NumberFilter(lookup_type='lt')
+
+            class Meta:
+                model = FilterableItem
+                fields = ['text', 'decimal', 'date']
+
+        class FilterFieldsRootView(generics.ListCreateAPIView):
+            model = FilterableItem
+            paginate_by = 10
+            filter_class = DecimalFilter
+            filter_backend = filters.DjangoFilterBackend
+
+        view = FilterFieldsRootView.as_view()
+
+        EXPECTED_NUM_QUERIES = 2
+        if django.VERSION < (1, 4):
+            # On Django 1.3 we need to use django-filter 0.5.4
+            #
+            # The filter objects there don't expose a `.count()` method,
+            # which means we only make a single query *but* it's a single
+            # query across *all* of the queryset, instead of a COUNT and then
+            # a SELECT with a LIMIT.
+            #
+            # Although this is fewer queries, it's actually a regression.
+            EXPECTED_NUM_QUERIES = 1
+
         request = factory.get('/?decimal=15.20')
-        response = self.view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data['count'], 15)
-        self.assertEquals(response.data['results'], self.data[:10])
-        self.assertNotEquals(response.data['next'], None)
-        self.assertEquals(response.data['previous'], None)
+        with self.assertNumQueries(EXPECTED_NUM_QUERIES):
+            response = view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data['count'], 15)
+        self.assertEqual(response.data['results'], self.data[:10])
+        self.assertNotEqual(response.data['next'], None)
+        self.assertEqual(response.data['previous'], None)
 
         request = factory.get(response.data['next'])
-        response = self.view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data['count'], 15)
-        self.assertEquals(response.data['results'], self.data[10:15])
-        self.assertEquals(response.data['next'], None)
-        self.assertNotEquals(response.data['previous'], None)
+        with self.assertNumQueries(EXPECTED_NUM_QUERIES):
+            response = view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data['count'], 15)
+        self.assertEqual(response.data['results'], self.data[10:15])
+        self.assertEqual(response.data['next'], None)
+        self.assertNotEqual(response.data['previous'], None)
 
         request = factory.get(response.data['previous'])
-        response = self.view(request).render()
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
-        self.assertEquals(response.data['count'], 15)
-        self.assertEquals(response.data['results'], self.data[:10])
-        self.assertNotEquals(response.data['next'], None)
-        self.assertEquals(response.data['previous'], None)
+        with self.assertNumQueries(EXPECTED_NUM_QUERIES):
+            response = view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data['count'], 15)
+        self.assertEqual(response.data['results'], self.data[:10])
+        self.assertNotEqual(response.data['next'], None)
+        self.assertEqual(response.data['previous'], None)
+
+    def test_get_basic_paginated_filtered_root_view(self):
+        """
+        Same as `test_get_django_filter_paginated_filtered_root_view`,
+        except using a custom filter backend instead of the django-filter
+        backend,
+        """
+
+        class DecimalFilterBackend(filters.BaseFilterBackend):
+            def filter_queryset(self, request, queryset, view):
+                return queryset.filter(decimal__lt=Decimal(request.GET['decimal']))
+
+        class BasicFilterFieldsRootView(generics.ListCreateAPIView):
+            model = FilterableItem
+            paginate_by = 10
+            filter_backend = DecimalFilterBackend
+
+        view = BasicFilterFieldsRootView.as_view()
+
+        request = factory.get('/?decimal=15.20')
+        with self.assertNumQueries(2):
+            response = view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data['count'], 15)
+        self.assertEqual(response.data['results'], self.data[:10])
+        self.assertNotEqual(response.data['next'], None)
+        self.assertEqual(response.data['previous'], None)
+
+        request = factory.get(response.data['next'])
+        with self.assertNumQueries(2):
+            response = view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data['count'], 15)
+        self.assertEqual(response.data['results'], self.data[10:15])
+        self.assertEqual(response.data['next'], None)
+        self.assertNotEqual(response.data['previous'], None)
+
+        request = factory.get(response.data['previous'])
+        with self.assertNumQueries(2):
+            response = view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data['count'], 15)
+        self.assertEqual(response.data['results'], self.data[:10])
+        self.assertNotEqual(response.data['next'], None)
+        self.assertEqual(response.data['previous'], None)
 
 
 class PassOnContextPaginationSerializer(pagination.PaginationSerializer):
@@ -166,16 +231,16 @@ class UnitTestPagination(TestCase):
 
     def test_native_pagination(self):
         serializer = pagination.PaginationSerializer(self.first_page)
-        self.assertEquals(serializer.data['count'], 26)
-        self.assertEquals(serializer.data['next'], '?page=2')
-        self.assertEquals(serializer.data['previous'], None)
-        self.assertEquals(serializer.data['results'], self.objects[:10])
+        self.assertEqual(serializer.data['count'], 26)
+        self.assertEqual(serializer.data['next'], '?page=2')
+        self.assertEqual(serializer.data['previous'], None)
+        self.assertEqual(serializer.data['results'], self.objects[:10])
 
         serializer = pagination.PaginationSerializer(self.last_page)
-        self.assertEquals(serializer.data['count'], 26)
-        self.assertEquals(serializer.data['next'], None)
-        self.assertEquals(serializer.data['previous'], '?page=2')
-        self.assertEquals(serializer.data['results'], self.objects[20:])
+        self.assertEqual(serializer.data['count'], 26)
+        self.assertEqual(serializer.data['next'], None)
+        self.assertEqual(serializer.data['previous'], '?page=2')
+        self.assertEqual(serializer.data['results'], self.objects[20:])
 
     def test_context_available_in_result(self):
         """
@@ -184,7 +249,7 @@ class UnitTestPagination(TestCase):
         serializer = PassOnContextPaginationSerializer(self.first_page, context={'foo': 'bar'})
         serializer.data
         results = serializer.fields[serializer.results_field]
-        self.assertEquals(serializer.context, results.context)
+        self.assertEqual(serializer.context, results.context)
 
 
 class TestUnpaginated(TestCase):
@@ -212,7 +277,7 @@ class TestUnpaginated(TestCase):
         """
         request = factory.get('/')
         response = self.view(request)
-        self.assertEquals(response.data, self.data)
+        self.assertEqual(response.data, self.data)
 
 
 class TestCustomPaginateByParam(TestCase):
@@ -240,7 +305,7 @@ class TestCustomPaginateByParam(TestCase):
         """
         request = factory.get('/')
         response = self.view(request).render()
-        self.assertEquals(response.data, self.data)
+        self.assertEqual(response.data, self.data)
 
     def test_paginate_by_param(self):
         """
@@ -248,10 +313,12 @@ class TestCustomPaginateByParam(TestCase):
         """
         request = factory.get('/?page_size=5')
         response = self.view(request).render()
-        self.assertEquals(response.data['count'], 13)
-        self.assertEquals(response.data['results'], self.data[:5])
+        self.assertEqual(response.data['count'], 13)
+        self.assertEqual(response.data['results'], self.data[:5])
 
 
+### Tests for context in pagination serializers
+
 class CustomField(serializers.Field):
     def to_native(self, value):
         if not 'view' in self.context:
@@ -262,6 +329,11 @@ class CustomField(serializers.Field):
 class BasicModelSerializer(serializers.Serializer):
     text = CustomField()
 
+    def __init__(self, *args, **kwargs):
+        super(BasicModelSerializer, self).__init__(*args, **kwargs)
+        if not 'view' in self.context:
+            raise RuntimeError("context isn't getting passed into serializer init")
+
 
 class TestContextPassedToCustomField(TestCase):
     def setUp(self):
@@ -277,5 +349,41 @@ class TestContextPassedToCustomField(TestCase):
         request = factory.get('/')
         response = self.view(request).render()
 
-        self.assertEquals(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
 
+
+### Tests for custom pagination serializers
+
+class LinksSerializer(serializers.Serializer):
+    next = pagination.NextPageField(source='*')
+    prev = pagination.PreviousPageField(source='*')
+
+
+class CustomPaginationSerializer(pagination.BasePaginationSerializer):
+    links = LinksSerializer(source='*')  # Takes the page object as the source
+    total_results = serializers.Field(source='paginator.count')
+
+    results_field = 'objects'
+
+
+class TestCustomPaginationSerializer(TestCase):
+    def setUp(self):
+        objects = ['john', 'paul', 'george', 'ringo']
+        paginator = Paginator(objects, 2)
+        self.page = paginator.page(1)
+
+    def test_custom_pagination_serializer(self):
+        request = RequestFactory().get('/foobar')
+        serializer = CustomPaginationSerializer(
+            instance=self.page,
+            context={'request': request}
+        )
+        expected = {
+            'links': {
+                'next': 'http://testserver/foobar?page=2',
+                'prev': None
+            },
+            'total_results': 4,
+            'objects': ['john', 'paul']
+        }
+        self.assertEqual(serializer.data, expected)
diff --git a/rest_framework/tests/parsers.py b/rest_framework/tests/parsers.py
index 8ab8a52fb..539c5b44f 100644
--- a/rest_framework/tests/parsers.py
+++ b/rest_framework/tests/parsers.py
@@ -1,139 +1,9 @@
-# """
-# ..
-#     >>> from rest_framework.parsers import FormParser
-#     >>> from django.test.client import RequestFactory
-#     >>> from rest_framework.views import View
-#     >>> from StringIO import StringIO
-#     >>> from urllib import urlencode
-#     >>> req = RequestFactory().get('/')
-#     >>> some_view = View()
-#     >>> some_view.request = req  # Make as if this request had been dispatched
-#
-# FormParser
-# ============
-#
-# Data flatening
-# ----------------
-#
-# Here is some example data, which would eventually be sent along with a post request :
-#
-#     >>> inpt = urlencode([
-#     ...     ('key1', 'bla1'),
-#     ...     ('key2', 'blo1'), ('key2', 'blo2'),
-#     ... ])
-#
-# Default behaviour for :class:`parsers.FormParser`, is to return a single value for each parameter :
-#
-#     >>> (data, files) = FormParser(some_view).parse(StringIO(inpt))
-#     >>> data == {'key1': 'bla1', 'key2': 'blo1'}
-#     True
-#
-# However, you can customize this behaviour by subclassing :class:`parsers.FormParser`, and overriding :meth:`parsers.FormParser.is_a_list` :
-#
-#     >>> class MyFormParser(FormParser):
-#     ...
-#     ...     def is_a_list(self, key, val_list):
-#     ...         return len(val_list) > 1
-#
-# This new parser only flattens the lists of parameters that contain a single value.
-#
-#     >>> (data, files) = MyFormParser(some_view).parse(StringIO(inpt))
-#     >>> data == {'key1': 'bla1', 'key2': ['blo1', 'blo2']}
-#     True
-#
-# .. note:: The same functionality is available for :class:`parsers.MultiPartParser`.
-#
-# Submitting an empty list
-# --------------------------
-#
-# When submitting an empty select multiple, like this one ::
-#
-#     
-#
-# The browsers usually strip the parameter completely. A hack to avoid this, and therefore being able to submit an empty select multiple, is to submit a value that tells the server that the list is empty ::
-#
-#     
-#
-# :class:`parsers.FormParser` provides the server-side implementation for this hack. Considering the following posted data :
-#
-#     >>> inpt = urlencode([
-#     ...     ('key1', 'blo1'), ('key1', '_empty'),
-#     ...     ('key2', '_empty'),
-#     ... ])
-#
-# :class:`parsers.FormParser` strips the values ``_empty`` from all the lists.
-#
-#     >>> (data, files) = MyFormParser(some_view).parse(StringIO(inpt))
-#     >>> data == {'key1': 'blo1'}
-#     True
-#
-# Oh ... but wait a second, the parameter ``key2`` isn't even supposed to be a list, so the parser just stripped it.
-#
-#     >>> class MyFormParser(FormParser):
-#     ...
-#     ...     def is_a_list(self, key, val_list):
-#     ...         return key == 'key2'
-#     ...
-#     >>> (data, files) = MyFormParser(some_view).parse(StringIO(inpt))
-#     >>> data == {'key1': 'blo1', 'key2': []}
-#     True
-#
-# Better like that. Note that you can configure something else than ``_empty`` for the empty value by setting :attr:`parsers.FormParser.EMPTY_VALUE`.
-# """
-# import httplib, mimetypes
-# from tempfile import TemporaryFile
-# from django.test import TestCase
-# from django.test.client import RequestFactory
-# from rest_framework.parsers import MultiPartParser
-# from rest_framework.views import View
-# from StringIO import StringIO
-#
-# def encode_multipart_formdata(fields, files):
-#     """For testing multipart parser.
-#     fields is a sequence of (name, value) elements for regular form fields.
-#     files is a sequence of (name, filename, value) elements for data to be uploaded as files
-#     Return (content_type, body)."""
-#     BOUNDARY = '----------ThIs_Is_tHe_bouNdaRY_$'
-#     CRLF = '\r\n'
-#     L = []
-#     for (key, value) in fields:
-#         L.append('--' + BOUNDARY)
-#         L.append('Content-Disposition: form-data; name="%s"' % key)
-#         L.append('')
-#         L.append(value)
-#     for (key, filename, value) in files:
-#         L.append('--' + BOUNDARY)
-#         L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (key, filename))
-#         L.append('Content-Type: %s' % get_content_type(filename))
-#         L.append('')
-#         L.append(value)
-#     L.append('--' + BOUNDARY + '--')
-#     L.append('')
-#     body = CRLF.join(L)
-#     content_type = 'multipart/form-data; boundary=%s' % BOUNDARY
-#     return content_type, body
-#
-# def get_content_type(filename):
-#     return mimetypes.guess_type(filename)[0] or 'application/octet-stream'
-#
-#class TestMultiPartParser(TestCase):
-#    def setUp(self):
-#        self.req = RequestFactory()
-#        self.content_type, self.body = encode_multipart_formdata([('key1', 'val1'), ('key1', 'val2')],
-#        [('file1', 'pic.jpg', 'blablabla'), ('file1', 't.txt', 'blobloblo')])
-#
-#    def test_multipartparser(self):
-#        """Ensure that MultiPartParser can parse multipart/form-data that contains a mix of several files and parameters."""
-#        post_req = RequestFactory().post('/', self.body, content_type=self.content_type)
-#        view = View()
-#        view.request = post_req
-#        (data, files) = MultiPartParser(view).parse(StringIO(self.body))
-#        self.assertEqual(data['key1'], 'val1')
-#        self.assertEqual(files['file1'].read(), 'blablabla')
-
-from StringIO import StringIO
+from __future__ import unicode_literals
+from rest_framework.compat import StringIO
 from django import forms
 from django.test import TestCase
+from django.utils import unittest
+from rest_framework.compat import etree
 from rest_framework.parsers import FormParser
 from rest_framework.parsers import XMLParser
 import datetime
@@ -201,11 +71,13 @@ class TestXMLParser(TestCase):
             ]
         }
 
+    @unittest.skipUnless(etree, 'defusedxml not installed')
     def test_parse(self):
         parser = XMLParser()
         data = parser.parse(self._input)
         self.assertEqual(data, self._data)
 
+    @unittest.skipUnless(etree, 'defusedxml not installed')
     def test_complex_data_parse(self):
         parser = XMLParser()
         data = parser.parse(self._complex_data_input)
diff --git a/rest_framework/tests/permissions.py b/rest_framework/tests/permissions.py
new file mode 100644
index 000000000..b3993be58
--- /dev/null
+++ b/rest_framework/tests/permissions.py
@@ -0,0 +1,153 @@
+from __future__ import unicode_literals
+from django.contrib.auth.models import User, Permission
+from django.db import models
+from django.test import TestCase
+from rest_framework import generics, status, permissions, authentication, HTTP_HEADER_ENCODING
+from rest_framework.tests.utils import RequestFactory
+import base64
+import json
+
+factory = RequestFactory()
+
+
+class BasicModel(models.Model):
+    text = models.CharField(max_length=100)
+
+
+class RootView(generics.ListCreateAPIView):
+    model = BasicModel
+    authentication_classes = [authentication.BasicAuthentication]
+    permission_classes = [permissions.DjangoModelPermissions]
+
+
+class InstanceView(generics.RetrieveUpdateDestroyAPIView):
+    model = BasicModel
+    authentication_classes = [authentication.BasicAuthentication]
+    permission_classes = [permissions.DjangoModelPermissions]
+
+root_view = RootView.as_view()
+instance_view = InstanceView.as_view()
+
+
+def basic_auth_header(username, password):
+    credentials = ('%s:%s' % (username, password))
+    base64_credentials = base64.b64encode(credentials.encode(HTTP_HEADER_ENCODING)).decode(HTTP_HEADER_ENCODING)
+    return 'Basic %s' % base64_credentials
+
+
+class ModelPermissionsIntegrationTests(TestCase):
+    def setUp(self):
+        User.objects.create_user('disallowed', 'disallowed@example.com', 'password')
+        user = User.objects.create_user('permitted', 'permitted@example.com', 'password')
+        user.user_permissions = [
+            Permission.objects.get(codename='add_basicmodel'),
+            Permission.objects.get(codename='change_basicmodel'),
+            Permission.objects.get(codename='delete_basicmodel')
+        ]
+        user = User.objects.create_user('updateonly', 'updateonly@example.com', 'password')
+        user.user_permissions = [
+            Permission.objects.get(codename='change_basicmodel'),
+        ]
+
+        self.permitted_credentials = basic_auth_header('permitted', 'password')
+        self.disallowed_credentials = basic_auth_header('disallowed', 'password')
+        self.updateonly_credentials = basic_auth_header('updateonly', 'password')
+
+        BasicModel(text='foo').save()
+
+    def test_has_create_permissions(self):
+        request = factory.post('/', json.dumps({'text': 'foobar'}),
+                               content_type='application/json',
+                               HTTP_AUTHORIZATION=self.permitted_credentials)
+        response = root_view(request, pk=1)
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+
+    def test_has_put_permissions(self):
+        request = factory.put('/1', json.dumps({'text': 'foobar'}),
+                              content_type='application/json',
+                              HTTP_AUTHORIZATION=self.permitted_credentials)
+        response = instance_view(request, pk='1')
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+    def test_has_delete_permissions(self):
+        request = factory.delete('/1', HTTP_AUTHORIZATION=self.permitted_credentials)
+        response = instance_view(request, pk=1)
+        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+
+    def test_does_not_have_create_permissions(self):
+        request = factory.post('/', json.dumps({'text': 'foobar'}),
+                               content_type='application/json',
+                               HTTP_AUTHORIZATION=self.disallowed_credentials)
+        response = root_view(request, pk=1)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_does_not_have_put_permissions(self):
+        request = factory.put('/1', json.dumps({'text': 'foobar'}),
+                              content_type='application/json',
+                              HTTP_AUTHORIZATION=self.disallowed_credentials)
+        response = instance_view(request, pk='1')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_does_not_have_delete_permissions(self):
+        request = factory.delete('/1', HTTP_AUTHORIZATION=self.disallowed_credentials)
+        response = instance_view(request, pk=1)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_has_put_as_create_permissions(self):
+        # User only has update permissions - should be able to update an entity.
+        request = factory.put('/1', json.dumps({'text': 'foobar'}),
+                              content_type='application/json',
+                              HTTP_AUTHORIZATION=self.updateonly_credentials)
+        response = instance_view(request, pk='1')
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        # But if PUTing to a new entity, permission should be denied.
+        request = factory.put('/2', json.dumps({'text': 'foobar'}),
+                              content_type='application/json',
+                              HTTP_AUTHORIZATION=self.updateonly_credentials)
+        response = instance_view(request, pk='2')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+
+class OwnerModel(models.Model):
+    text = models.CharField(max_length=100)
+    owner = models.ForeignKey(User)
+
+
+class IsOwnerPermission(permissions.BasePermission):
+    def has_object_permission(self, request, view, obj):
+        return request.user == obj.owner
+
+
+class OwnerInstanceView(generics.RetrieveUpdateDestroyAPIView):
+    model = OwnerModel
+    authentication_classes = [authentication.BasicAuthentication]
+    permission_classes = [IsOwnerPermission]
+
+
+owner_instance_view = OwnerInstanceView.as_view()
+
+
+class ObjectPermissionsIntegrationTests(TestCase):
+    """
+    Integration tests for the object level permissions API.
+    """
+
+    def setUp(self):
+        User.objects.create_user('not_owner', 'not_owner@example.com', 'password')
+        user = User.objects.create_user('owner', 'owner@example.com', 'password')
+
+        self.not_owner_credentials = basic_auth_header('not_owner', 'password')
+        self.owner_credentials = basic_auth_header('owner', 'password')
+
+        OwnerModel(text='foo', owner=user).save()
+
+    def test_owner_has_delete_permissions(self):
+        request = factory.delete('/1', HTTP_AUTHORIZATION=self.owner_credentials)
+        response = owner_instance_view(request, pk='1')
+        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+
+    def test_non_owner_does_not_have_delete_permissions(self):
+        request = factory.delete('/1', HTTP_AUTHORIZATION=self.not_owner_credentials)
+        response = owner_instance_view(request, pk='1')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
diff --git a/rest_framework/tests/relations.py b/rest_framework/tests/relations.py
index 91daea8a6..cbf93c65e 100644
--- a/rest_framework/tests/relations.py
+++ b/rest_framework/tests/relations.py
@@ -1,7 +1,7 @@
 """
 General tests for relational fields.
 """
-
+from __future__ import unicode_literals
 from django.db import models
 from django.test import TestCase
 from rest_framework import serializers
@@ -31,3 +31,17 @@ class FieldTests(TestCase):
         field = serializers.SlugRelatedField(queryset=NullModel.objects.all(), slug_field='pk')
         self.assertRaises(serializers.ValidationError, field.from_native, '')
         self.assertRaises(serializers.ValidationError, field.from_native, [])
+
+
+class TestManyRelateMixin(TestCase):
+    def test_missing_many_to_many_related_field(self):
+        '''
+        Regression test for #632
+
+        https://github.com/tomchristie/django-rest-framework/pull/632
+        '''
+        field = serializers.RelatedField(many=True, read_only=False)
+
+        into = {}
+        field.field_from_native({}, None, 'field_name', into)
+        self.assertEqual(into['field_name'], [])
diff --git a/rest_framework/tests/relations_hyperlink.py b/rest_framework/tests/relations_hyperlink.py
index 579136704..b5702a483 100644
--- a/rest_framework/tests/relations_hyperlink.py
+++ b/rest_framework/tests/relations_hyperlink.py
@@ -1,7 +1,16 @@
+from __future__ import unicode_literals
 from django.test import TestCase
+from django.test.client import RequestFactory
 from rest_framework import serializers
 from rest_framework.compat import patterns, url
-from rest_framework.tests.models import ManyToManyTarget, ManyToManySource, ForeignKeyTarget, ForeignKeySource, NullableForeignKeySource, OneToOneTarget, NullableOneToOneSource
+from rest_framework.tests.models import (
+    ManyToManyTarget, ManyToManySource, ForeignKeyTarget, ForeignKeySource,
+    NullableForeignKeySource, OneToOneTarget, NullableOneToOneSource
+)
+
+factory = RequestFactory()
+request = factory.get('/')  # Just to ensure we have a request in the serializer context
+
 
 def dummy_view(request, pk):
     pass
@@ -16,8 +25,9 @@ urlpatterns = patterns('',
     url(r'^nullableonetoonesource/(?P[0-9]+)/$', dummy_view, name='nullableonetoonesource-detail'),
 )
 
+
 class ManyToManyTargetSerializer(serializers.HyperlinkedModelSerializer):
-    sources = serializers.ManyHyperlinkedRelatedField(view_name='manytomanysource-detail')
+    sources = serializers.HyperlinkedRelatedField(many=True, view_name='manytomanysource-detail')
 
     class Meta:
         model = ManyToManyTarget
@@ -29,7 +39,7 @@ class ManyToManySourceSerializer(serializers.HyperlinkedModelSerializer):
 
 
 class ForeignKeyTargetSerializer(serializers.HyperlinkedModelSerializer):
-    sources = serializers.ManyHyperlinkedRelatedField(view_name='foreignkeysource-detail')
+    sources = serializers.HyperlinkedRelatedField(many=True, view_name='foreignkeysource-detail')
 
     class Meta:
         model = ForeignKeyTarget
@@ -70,98 +80,98 @@ class HyperlinkedManyToManyTests(TestCase):
 
     def test_many_to_many_retrieve(self):
         queryset = ManyToManySource.objects.all()
-        serializer = ManyToManySourceSerializer(queryset)
+        serializer = ManyToManySourceSerializer(queryset, many=True, context={'request': request})
         expected = [
-                {'url': '/manytomanysource/1/', 'name': u'source-1', 'targets': ['/manytomanytarget/1/']},
-                {'url': '/manytomanysource/2/', 'name': u'source-2', 'targets': ['/manytomanytarget/1/', '/manytomanytarget/2/']},
-                {'url': '/manytomanysource/3/', 'name': u'source-3', 'targets': ['/manytomanytarget/1/', '/manytomanytarget/2/', '/manytomanytarget/3/']}
+                {'url': 'http://testserver/manytomanysource/1/', 'name': 'source-1', 'targets': ['http://testserver/manytomanytarget/1/']},
+                {'url': 'http://testserver/manytomanysource/2/', 'name': 'source-2', 'targets': ['http://testserver/manytomanytarget/1/', 'http://testserver/manytomanytarget/2/']},
+                {'url': 'http://testserver/manytomanysource/3/', 'name': 'source-3', 'targets': ['http://testserver/manytomanytarget/1/', 'http://testserver/manytomanytarget/2/', 'http://testserver/manytomanytarget/3/']}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_reverse_many_to_many_retrieve(self):
         queryset = ManyToManyTarget.objects.all()
-        serializer = ManyToManyTargetSerializer(queryset)
+        serializer = ManyToManyTargetSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/manytomanytarget/1/', 'name': u'target-1', 'sources': ['/manytomanysource/1/', '/manytomanysource/2/', '/manytomanysource/3/']},
-            {'url': '/manytomanytarget/2/', 'name': u'target-2', 'sources': ['/manytomanysource/2/', '/manytomanysource/3/']},
-            {'url': '/manytomanytarget/3/', 'name': u'target-3', 'sources': ['/manytomanysource/3/']}
+            {'url': 'http://testserver/manytomanytarget/1/', 'name': 'target-1', 'sources': ['http://testserver/manytomanysource/1/', 'http://testserver/manytomanysource/2/', 'http://testserver/manytomanysource/3/']},
+            {'url': 'http://testserver/manytomanytarget/2/', 'name': 'target-2', 'sources': ['http://testserver/manytomanysource/2/', 'http://testserver/manytomanysource/3/']},
+            {'url': 'http://testserver/manytomanytarget/3/', 'name': 'target-3', 'sources': ['http://testserver/manytomanysource/3/']}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_many_to_many_update(self):
-        data = {'url': '/manytomanysource/1/', 'name': u'source-1', 'targets': ['/manytomanytarget/1/', '/manytomanytarget/2/', '/manytomanytarget/3/']}
+        data = {'url': 'http://testserver/manytomanysource/1/', 'name': 'source-1', 'targets': ['http://testserver/manytomanytarget/1/', 'http://testserver/manytomanytarget/2/', 'http://testserver/manytomanytarget/3/']}
         instance = ManyToManySource.objects.get(pk=1)
-        serializer = ManyToManySourceSerializer(instance, data=data)
+        serializer = ManyToManySourceSerializer(instance, data=data, context={'request': request})
         self.assertTrue(serializer.is_valid())
         serializer.save()
-        self.assertEquals(serializer.data, data)
+        self.assertEqual(serializer.data, data)
 
         # Ensure source 1 is updated, and everything else is as expected
         queryset = ManyToManySource.objects.all()
-        serializer = ManyToManySourceSerializer(queryset)
+        serializer = ManyToManySourceSerializer(queryset, many=True, context={'request': request})
         expected = [
-                {'url': '/manytomanysource/1/', 'name': u'source-1', 'targets': ['/manytomanytarget/1/', '/manytomanytarget/2/', '/manytomanytarget/3/']},
-                {'url': '/manytomanysource/2/', 'name': u'source-2', 'targets': ['/manytomanytarget/1/', '/manytomanytarget/2/']},
-                {'url': '/manytomanysource/3/', 'name': u'source-3', 'targets': ['/manytomanytarget/1/', '/manytomanytarget/2/', '/manytomanytarget/3/']}
+                {'url': 'http://testserver/manytomanysource/1/', 'name': 'source-1', 'targets': ['http://testserver/manytomanytarget/1/', 'http://testserver/manytomanytarget/2/', 'http://testserver/manytomanytarget/3/']},
+                {'url': 'http://testserver/manytomanysource/2/', 'name': 'source-2', 'targets': ['http://testserver/manytomanytarget/1/', 'http://testserver/manytomanytarget/2/']},
+                {'url': 'http://testserver/manytomanysource/3/', 'name': 'source-3', 'targets': ['http://testserver/manytomanytarget/1/', 'http://testserver/manytomanytarget/2/', 'http://testserver/manytomanytarget/3/']}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_reverse_many_to_many_update(self):
-        data = {'url': '/manytomanytarget/1/', 'name': u'target-1', 'sources': ['/manytomanysource/1/']}
+        data = {'url': 'http://testserver/manytomanytarget/1/', 'name': 'target-1', 'sources': ['http://testserver/manytomanysource/1/']}
         instance = ManyToManyTarget.objects.get(pk=1)
-        serializer = ManyToManyTargetSerializer(instance, data=data)
+        serializer = ManyToManyTargetSerializer(instance, data=data, context={'request': request})
         self.assertTrue(serializer.is_valid())
         serializer.save()
-        self.assertEquals(serializer.data, data)
+        self.assertEqual(serializer.data, data)
 
         # Ensure target 1 is updated, and everything else is as expected
         queryset = ManyToManyTarget.objects.all()
-        serializer = ManyToManyTargetSerializer(queryset)
+        serializer = ManyToManyTargetSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/manytomanytarget/1/', 'name': u'target-1', 'sources': ['/manytomanysource/1/']},
-            {'url': '/manytomanytarget/2/', 'name': u'target-2', 'sources': ['/manytomanysource/2/', '/manytomanysource/3/']},
-            {'url': '/manytomanytarget/3/', 'name': u'target-3', 'sources': ['/manytomanysource/3/']}
+            {'url': 'http://testserver/manytomanytarget/1/', 'name': 'target-1', 'sources': ['http://testserver/manytomanysource/1/']},
+            {'url': 'http://testserver/manytomanytarget/2/', 'name': 'target-2', 'sources': ['http://testserver/manytomanysource/2/', 'http://testserver/manytomanysource/3/']},
+            {'url': 'http://testserver/manytomanytarget/3/', 'name': 'target-3', 'sources': ['http://testserver/manytomanysource/3/']}
 
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_many_to_many_create(self):
-        data = {'url': '/manytomanysource/4/', 'name': u'source-4', 'targets': ['/manytomanytarget/1/', '/manytomanytarget/3/']}
-        serializer = ManyToManySourceSerializer(data=data)
+        data = {'url': 'http://testserver/manytomanysource/4/', 'name': 'source-4', 'targets': ['http://testserver/manytomanytarget/1/', 'http://testserver/manytomanytarget/3/']}
+        serializer = ManyToManySourceSerializer(data=data, context={'request': request})
         self.assertTrue(serializer.is_valid())
         obj = serializer.save()
-        self.assertEquals(serializer.data, data)
-        self.assertEqual(obj.name, u'source-4')
+        self.assertEqual(serializer.data, data)
+        self.assertEqual(obj.name, 'source-4')
 
         # Ensure source 4 is added, and everything else is as expected
         queryset = ManyToManySource.objects.all()
-        serializer = ManyToManySourceSerializer(queryset)
+        serializer = ManyToManySourceSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/manytomanysource/1/', 'name': u'source-1', 'targets': ['/manytomanytarget/1/']},
-            {'url': '/manytomanysource/2/', 'name': u'source-2', 'targets': ['/manytomanytarget/1/', '/manytomanytarget/2/']},
-            {'url': '/manytomanysource/3/', 'name': u'source-3', 'targets': ['/manytomanytarget/1/', '/manytomanytarget/2/', '/manytomanytarget/3/']},
-            {'url': '/manytomanysource/4/', 'name': u'source-4', 'targets': ['/manytomanytarget/1/', '/manytomanytarget/3/']}
+            {'url': 'http://testserver/manytomanysource/1/', 'name': 'source-1', 'targets': ['http://testserver/manytomanytarget/1/']},
+            {'url': 'http://testserver/manytomanysource/2/', 'name': 'source-2', 'targets': ['http://testserver/manytomanytarget/1/', 'http://testserver/manytomanytarget/2/']},
+            {'url': 'http://testserver/manytomanysource/3/', 'name': 'source-3', 'targets': ['http://testserver/manytomanytarget/1/', 'http://testserver/manytomanytarget/2/', 'http://testserver/manytomanytarget/3/']},
+            {'url': 'http://testserver/manytomanysource/4/', 'name': 'source-4', 'targets': ['http://testserver/manytomanytarget/1/', 'http://testserver/manytomanytarget/3/']}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_reverse_many_to_many_create(self):
-        data = {'url': '/manytomanytarget/4/', 'name': u'target-4', 'sources': ['/manytomanysource/1/', '/manytomanysource/3/']}
-        serializer = ManyToManyTargetSerializer(data=data)
+        data = {'url': 'http://testserver/manytomanytarget/4/', 'name': 'target-4', 'sources': ['http://testserver/manytomanysource/1/', 'http://testserver/manytomanysource/3/']}
+        serializer = ManyToManyTargetSerializer(data=data, context={'request': request})
         self.assertTrue(serializer.is_valid())
         obj = serializer.save()
-        self.assertEquals(serializer.data, data)
-        self.assertEqual(obj.name, u'target-4')
+        self.assertEqual(serializer.data, data)
+        self.assertEqual(obj.name, 'target-4')
 
         # Ensure target 4 is added, and everything else is as expected
         queryset = ManyToManyTarget.objects.all()
-        serializer = ManyToManyTargetSerializer(queryset)
+        serializer = ManyToManyTargetSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/manytomanytarget/1/', 'name': u'target-1', 'sources': ['/manytomanysource/1/', '/manytomanysource/2/', '/manytomanysource/3/']},
-            {'url': '/manytomanytarget/2/', 'name': u'target-2', 'sources': ['/manytomanysource/2/', '/manytomanysource/3/']},
-            {'url': '/manytomanytarget/3/', 'name': u'target-3', 'sources': ['/manytomanysource/3/']},
-            {'url': '/manytomanytarget/4/', 'name': u'target-4', 'sources': ['/manytomanysource/1/', '/manytomanysource/3/']}
+            {'url': 'http://testserver/manytomanytarget/1/', 'name': 'target-1', 'sources': ['http://testserver/manytomanysource/1/', 'http://testserver/manytomanysource/2/', 'http://testserver/manytomanysource/3/']},
+            {'url': 'http://testserver/manytomanytarget/2/', 'name': 'target-2', 'sources': ['http://testserver/manytomanysource/2/', 'http://testserver/manytomanysource/3/']},
+            {'url': 'http://testserver/manytomanytarget/3/', 'name': 'target-3', 'sources': ['http://testserver/manytomanysource/3/']},
+            {'url': 'http://testserver/manytomanytarget/4/', 'name': 'target-4', 'sources': ['http://testserver/manytomanysource/1/', 'http://testserver/manytomanysource/3/']}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
 
 class HyperlinkedForeignKeyTests(TestCase):
@@ -178,111 +188,118 @@ class HyperlinkedForeignKeyTests(TestCase):
 
     def test_foreign_key_retrieve(self):
         queryset = ForeignKeySource.objects.all()
-        serializer = ForeignKeySourceSerializer(queryset)
+        serializer = ForeignKeySourceSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/foreignkeysource/1/', 'name': u'source-1', 'target': '/foreignkeytarget/1/'},
-            {'url': '/foreignkeysource/2/', 'name': u'source-2', 'target': '/foreignkeytarget/1/'},
-            {'url': '/foreignkeysource/3/', 'name': u'source-3', 'target': '/foreignkeytarget/1/'}
+            {'url': 'http://testserver/foreignkeysource/1/', 'name': 'source-1', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/foreignkeysource/2/', 'name': 'source-2', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/foreignkeysource/3/', 'name': 'source-3', 'target': 'http://testserver/foreignkeytarget/1/'}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_reverse_foreign_key_retrieve(self):
         queryset = ForeignKeyTarget.objects.all()
-        serializer = ForeignKeyTargetSerializer(queryset)
+        serializer = ForeignKeyTargetSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/foreignkeytarget/1/', 'name': u'target-1', 'sources': ['/foreignkeysource/1/', '/foreignkeysource/2/', '/foreignkeysource/3/']},
-            {'url': '/foreignkeytarget/2/', 'name': u'target-2', 'sources': []},
+            {'url': 'http://testserver/foreignkeytarget/1/', 'name': 'target-1', 'sources': ['http://testserver/foreignkeysource/1/', 'http://testserver/foreignkeysource/2/', 'http://testserver/foreignkeysource/3/']},
+            {'url': 'http://testserver/foreignkeytarget/2/', 'name': 'target-2', 'sources': []},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_update(self):
-        data = {'url': '/foreignkeysource/1/', 'name': u'source-1', 'target': '/foreignkeytarget/2/'}
+        data = {'url': 'http://testserver/foreignkeysource/1/', 'name': 'source-1', 'target': 'http://testserver/foreignkeytarget/2/'}
         instance = ForeignKeySource.objects.get(pk=1)
-        serializer = ForeignKeySourceSerializer(instance, data=data)
+        serializer = ForeignKeySourceSerializer(instance, data=data, context={'request': request})
         self.assertTrue(serializer.is_valid())
-        self.assertEquals(serializer.data, data)
+        self.assertEqual(serializer.data, data)
         serializer.save()
 
         # Ensure source 1 is updated, and everything else is as expected
         queryset = ForeignKeySource.objects.all()
-        serializer = ForeignKeySourceSerializer(queryset)
+        serializer = ForeignKeySourceSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/foreignkeysource/1/', 'name': u'source-1', 'target': '/foreignkeytarget/2/'},
-            {'url': '/foreignkeysource/2/', 'name': u'source-2', 'target': '/foreignkeytarget/1/'},
-            {'url': '/foreignkeysource/3/', 'name': u'source-3', 'target': '/foreignkeytarget/1/'}
+            {'url': 'http://testserver/foreignkeysource/1/', 'name': 'source-1', 'target': 'http://testserver/foreignkeytarget/2/'},
+            {'url': 'http://testserver/foreignkeysource/2/', 'name': 'source-2', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/foreignkeysource/3/', 'name': 'source-3', 'target': 'http://testserver/foreignkeytarget/1/'}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
+
+    def test_foreign_key_update_incorrect_type(self):
+        data = {'url': 'http://testserver/foreignkeysource/1/', 'name': 'source-1', 'target': 2}
+        instance = ForeignKeySource.objects.get(pk=1)
+        serializer = ForeignKeySourceSerializer(instance, data=data, context={'request': request})
+        self.assertFalse(serializer.is_valid())
+        self.assertEqual(serializer.errors, {'target': ['Incorrect type.  Expected url string, received int.']})
 
     def test_reverse_foreign_key_update(self):
-        data = {'url': '/foreignkeytarget/2/', 'name': u'target-2', 'sources': ['/foreignkeysource/1/', '/foreignkeysource/3/']}
+        data = {'url': 'http://testserver/foreignkeytarget/2/', 'name': 'target-2', 'sources': ['http://testserver/foreignkeysource/1/', 'http://testserver/foreignkeysource/3/']}
         instance = ForeignKeyTarget.objects.get(pk=2)
-        serializer = ForeignKeyTargetSerializer(instance, data=data)
+        serializer = ForeignKeyTargetSerializer(instance, data=data, context={'request': request})
         self.assertTrue(serializer.is_valid())
         # We shouldn't have saved anything to the db yet since save
         # hasn't been called.
         queryset = ForeignKeyTarget.objects.all()
-        new_serializer = ForeignKeyTargetSerializer(queryset)
+        new_serializer = ForeignKeyTargetSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/foreignkeytarget/1/', 'name': u'target-1', 'sources': ['/foreignkeysource/1/', '/foreignkeysource/2/', '/foreignkeysource/3/']},
-            {'url': '/foreignkeytarget/2/', 'name': u'target-2', 'sources': []},
-        ]        
-        self.assertEquals(new_serializer.data, expected)
+            {'url': 'http://testserver/foreignkeytarget/1/', 'name': 'target-1', 'sources': ['http://testserver/foreignkeysource/1/', 'http://testserver/foreignkeysource/2/', 'http://testserver/foreignkeysource/3/']},
+            {'url': 'http://testserver/foreignkeytarget/2/', 'name': 'target-2', 'sources': []},
+        ]
+        self.assertEqual(new_serializer.data, expected)
 
         serializer.save()
-        self.assertEquals(serializer.data, data)
+        self.assertEqual(serializer.data, data)
 
         # Ensure target 2 is update, and everything else is as expected
         queryset = ForeignKeyTarget.objects.all()
-        serializer = ForeignKeyTargetSerializer(queryset)
+        serializer = ForeignKeyTargetSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/foreignkeytarget/1/', 'name': u'target-1', 'sources': ['/foreignkeysource/2/']},
-            {'url': '/foreignkeytarget/2/', 'name': u'target-2', 'sources': ['/foreignkeysource/1/', '/foreignkeysource/3/']},
+            {'url': 'http://testserver/foreignkeytarget/1/', 'name': 'target-1', 'sources': ['http://testserver/foreignkeysource/2/']},
+            {'url': 'http://testserver/foreignkeytarget/2/', 'name': 'target-2', 'sources': ['http://testserver/foreignkeysource/1/', 'http://testserver/foreignkeysource/3/']},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_create(self):
-        data = {'url': '/foreignkeysource/4/', 'name': u'source-4', 'target': '/foreignkeytarget/2/'}
-        serializer = ForeignKeySourceSerializer(data=data)
+        data = {'url': 'http://testserver/foreignkeysource/4/', 'name': 'source-4', 'target': 'http://testserver/foreignkeytarget/2/'}
+        serializer = ForeignKeySourceSerializer(data=data, context={'request': request})
         self.assertTrue(serializer.is_valid())
         obj = serializer.save()
-        self.assertEquals(serializer.data, data)
-        self.assertEqual(obj.name, u'source-4')
+        self.assertEqual(serializer.data, data)
+        self.assertEqual(obj.name, 'source-4')
 
         # Ensure source 1 is updated, and everything else is as expected
         queryset = ForeignKeySource.objects.all()
-        serializer = ForeignKeySourceSerializer(queryset)
+        serializer = ForeignKeySourceSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/foreignkeysource/1/', 'name': u'source-1', 'target': '/foreignkeytarget/1/'},
-            {'url': '/foreignkeysource/2/', 'name': u'source-2', 'target': '/foreignkeytarget/1/'},
-            {'url': '/foreignkeysource/3/', 'name': u'source-3', 'target': '/foreignkeytarget/1/'},
-            {'url': '/foreignkeysource/4/', 'name': u'source-4', 'target': '/foreignkeytarget/2/'},
+            {'url': 'http://testserver/foreignkeysource/1/', 'name': 'source-1', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/foreignkeysource/2/', 'name': 'source-2', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/foreignkeysource/3/', 'name': 'source-3', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/foreignkeysource/4/', 'name': 'source-4', 'target': 'http://testserver/foreignkeytarget/2/'},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_reverse_foreign_key_create(self):
-        data = {'url': '/foreignkeytarget/3/', 'name': u'target-3', 'sources': ['/foreignkeysource/1/', '/foreignkeysource/3/']}
-        serializer = ForeignKeyTargetSerializer(data=data)
+        data = {'url': 'http://testserver/foreignkeytarget/3/', 'name': 'target-3', 'sources': ['http://testserver/foreignkeysource/1/', 'http://testserver/foreignkeysource/3/']}
+        serializer = ForeignKeyTargetSerializer(data=data, context={'request': request})
         self.assertTrue(serializer.is_valid())
         obj = serializer.save()
-        self.assertEquals(serializer.data, data)
-        self.assertEqual(obj.name, u'target-3')
+        self.assertEqual(serializer.data, data)
+        self.assertEqual(obj.name, 'target-3')
 
         # Ensure target 4 is added, and everything else is as expected
         queryset = ForeignKeyTarget.objects.all()
-        serializer = ForeignKeyTargetSerializer(queryset)
+        serializer = ForeignKeyTargetSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/foreignkeytarget/1/', 'name': u'target-1', 'sources': ['/foreignkeysource/2/']},
-            {'url': '/foreignkeytarget/2/', 'name': u'target-2', 'sources': []},
-            {'url': '/foreignkeytarget/3/', 'name': u'target-3', 'sources': ['/foreignkeysource/1/', '/foreignkeysource/3/']},
+            {'url': 'http://testserver/foreignkeytarget/1/', 'name': 'target-1', 'sources': ['http://testserver/foreignkeysource/2/']},
+            {'url': 'http://testserver/foreignkeytarget/2/', 'name': 'target-2', 'sources': []},
+            {'url': 'http://testserver/foreignkeytarget/3/', 'name': 'target-3', 'sources': ['http://testserver/foreignkeysource/1/', 'http://testserver/foreignkeysource/3/']},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_update_with_invalid_null(self):
-        data = {'url': '/foreignkeysource/1/', 'name': u'source-1', 'target': None}
+        data = {'url': 'http://testserver/foreignkeysource/1/', 'name': 'source-1', 'target': None}
         instance = ForeignKeySource.objects.get(pk=1)
-        serializer = ForeignKeySourceSerializer(instance, data=data)
+        serializer = ForeignKeySourceSerializer(instance, data=data, context={'request': request})
         self.assertFalse(serializer.is_valid())
-        self.assertEquals(serializer.errors, {'target': [u'Value may not be null']})
+        self.assertEqual(serializer.errors, {'target': ['This field is required.']})
 
 
 class HyperlinkedNullableForeignKeyTests(TestCase):
@@ -299,118 +316,118 @@ class HyperlinkedNullableForeignKeyTests(TestCase):
 
     def test_foreign_key_retrieve_with_null(self):
         queryset = NullableForeignKeySource.objects.all()
-        serializer = NullableForeignKeySourceSerializer(queryset)
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/nullableforeignkeysource/1/', 'name': u'source-1', 'target': '/foreignkeytarget/1/'},
-            {'url': '/nullableforeignkeysource/2/', 'name': u'source-2', 'target': '/foreignkeytarget/1/'},
-            {'url': '/nullableforeignkeysource/3/', 'name': u'source-3', 'target': None},
+            {'url': 'http://testserver/nullableforeignkeysource/1/', 'name': 'source-1', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/nullableforeignkeysource/2/', 'name': 'source-2', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/nullableforeignkeysource/3/', 'name': 'source-3', 'target': None},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_create_with_valid_null(self):
-        data = {'url': '/nullableforeignkeysource/4/', 'name': u'source-4', 'target': None}
-        serializer = NullableForeignKeySourceSerializer(data=data)
+        data = {'url': 'http://testserver/nullableforeignkeysource/4/', 'name': 'source-4', 'target': None}
+        serializer = NullableForeignKeySourceSerializer(data=data, context={'request': request})
         self.assertTrue(serializer.is_valid())
         obj = serializer.save()
-        self.assertEquals(serializer.data, data)
-        self.assertEqual(obj.name, u'source-4')
+        self.assertEqual(serializer.data, data)
+        self.assertEqual(obj.name, 'source-4')
 
         # Ensure source 4 is created, and everything else is as expected
         queryset = NullableForeignKeySource.objects.all()
-        serializer = NullableForeignKeySourceSerializer(queryset)
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/nullableforeignkeysource/1/', 'name': u'source-1', 'target': '/foreignkeytarget/1/'},
-            {'url': '/nullableforeignkeysource/2/', 'name': u'source-2', 'target': '/foreignkeytarget/1/'},
-            {'url': '/nullableforeignkeysource/3/', 'name': u'source-3', 'target': None},
-            {'url': '/nullableforeignkeysource/4/', 'name': u'source-4', 'target': None}
+            {'url': 'http://testserver/nullableforeignkeysource/1/', 'name': 'source-1', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/nullableforeignkeysource/2/', 'name': 'source-2', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/nullableforeignkeysource/3/', 'name': 'source-3', 'target': None},
+            {'url': 'http://testserver/nullableforeignkeysource/4/', 'name': 'source-4', 'target': None}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_create_with_valid_emptystring(self):
         """
         The emptystring should be interpreted as null in the context
         of relationships.
         """
-        data = {'url': '/nullableforeignkeysource/4/', 'name': u'source-4', 'target': ''}
-        expected_data = {'url': '/nullableforeignkeysource/4/', 'name': u'source-4', 'target': None}
-        serializer = NullableForeignKeySourceSerializer(data=data)
+        data = {'url': 'http://testserver/nullableforeignkeysource/4/', 'name': 'source-4', 'target': ''}
+        expected_data = {'url': 'http://testserver/nullableforeignkeysource/4/', 'name': 'source-4', 'target': None}
+        serializer = NullableForeignKeySourceSerializer(data=data, context={'request': request})
         self.assertTrue(serializer.is_valid())
         obj = serializer.save()
-        self.assertEquals(serializer.data, expected_data)
-        self.assertEqual(obj.name, u'source-4')
+        self.assertEqual(serializer.data, expected_data)
+        self.assertEqual(obj.name, 'source-4')
 
         # Ensure source 4 is created, and everything else is as expected
         queryset = NullableForeignKeySource.objects.all()
-        serializer = NullableForeignKeySourceSerializer(queryset)
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/nullableforeignkeysource/1/', 'name': u'source-1', 'target': '/foreignkeytarget/1/'},
-            {'url': '/nullableforeignkeysource/2/', 'name': u'source-2', 'target': '/foreignkeytarget/1/'},
-            {'url': '/nullableforeignkeysource/3/', 'name': u'source-3', 'target': None},
-            {'url': '/nullableforeignkeysource/4/', 'name': u'source-4', 'target': None}
+            {'url': 'http://testserver/nullableforeignkeysource/1/', 'name': 'source-1', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/nullableforeignkeysource/2/', 'name': 'source-2', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/nullableforeignkeysource/3/', 'name': 'source-3', 'target': None},
+            {'url': 'http://testserver/nullableforeignkeysource/4/', 'name': 'source-4', 'target': None}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_update_with_valid_null(self):
-        data = {'url': '/nullableforeignkeysource/1/', 'name': u'source-1', 'target': None}
+        data = {'url': 'http://testserver/nullableforeignkeysource/1/', 'name': 'source-1', 'target': None}
         instance = NullableForeignKeySource.objects.get(pk=1)
-        serializer = NullableForeignKeySourceSerializer(instance, data=data)
+        serializer = NullableForeignKeySourceSerializer(instance, data=data, context={'request': request})
         self.assertTrue(serializer.is_valid())
-        self.assertEquals(serializer.data, data)
+        self.assertEqual(serializer.data, data)
         serializer.save()
 
         # Ensure source 1 is updated, and everything else is as expected
         queryset = NullableForeignKeySource.objects.all()
-        serializer = NullableForeignKeySourceSerializer(queryset)
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/nullableforeignkeysource/1/', 'name': u'source-1', 'target': None},
-            {'url': '/nullableforeignkeysource/2/', 'name': u'source-2', 'target': '/foreignkeytarget/1/'},
-            {'url': '/nullableforeignkeysource/3/', 'name': u'source-3', 'target': None},
+            {'url': 'http://testserver/nullableforeignkeysource/1/', 'name': 'source-1', 'target': None},
+            {'url': 'http://testserver/nullableforeignkeysource/2/', 'name': 'source-2', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/nullableforeignkeysource/3/', 'name': 'source-3', 'target': None},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_update_with_valid_emptystring(self):
         """
         The emptystring should be interpreted as null in the context
         of relationships.
         """
-        data = {'url': '/nullableforeignkeysource/1/', 'name': u'source-1', 'target': ''}
-        expected_data = {'url': '/nullableforeignkeysource/1/', 'name': u'source-1', 'target': None}
+        data = {'url': 'http://testserver/nullableforeignkeysource/1/', 'name': 'source-1', 'target': ''}
+        expected_data = {'url': 'http://testserver/nullableforeignkeysource/1/', 'name': 'source-1', 'target': None}
         instance = NullableForeignKeySource.objects.get(pk=1)
-        serializer = NullableForeignKeySourceSerializer(instance, data=data)
+        serializer = NullableForeignKeySourceSerializer(instance, data=data, context={'request': request})
         self.assertTrue(serializer.is_valid())
-        self.assertEquals(serializer.data, expected_data)
+        self.assertEqual(serializer.data, expected_data)
         serializer.save()
 
         # Ensure source 1 is updated, and everything else is as expected
         queryset = NullableForeignKeySource.objects.all()
-        serializer = NullableForeignKeySourceSerializer(queryset)
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/nullableforeignkeysource/1/', 'name': u'source-1', 'target': None},
-            {'url': '/nullableforeignkeysource/2/', 'name': u'source-2', 'target': '/foreignkeytarget/1/'},
-            {'url': '/nullableforeignkeysource/3/', 'name': u'source-3', 'target': None},
+            {'url': 'http://testserver/nullableforeignkeysource/1/', 'name': 'source-1', 'target': None},
+            {'url': 'http://testserver/nullableforeignkeysource/2/', 'name': 'source-2', 'target': 'http://testserver/foreignkeytarget/1/'},
+            {'url': 'http://testserver/nullableforeignkeysource/3/', 'name': 'source-3', 'target': None},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     # reverse foreign keys MUST be read_only
     # In the general case they do not provide .remove() or .clear()
     # and cannot be arbitrarily set.
 
     # def test_reverse_foreign_key_update(self):
-    #     data = {'id': 1, 'name': u'target-1', 'sources': [1]}
+    #     data = {'id': 1, 'name': 'target-1', 'sources': [1]}
     #     instance = ForeignKeyTarget.objects.get(pk=1)
     #     serializer = ForeignKeyTargetSerializer(instance, data=data)
     #     self.assertTrue(serializer.is_valid())
-    #     self.assertEquals(serializer.data, data)
+    #     self.assertEqual(serializer.data, data)
     #     serializer.save()
 
     #     # Ensure target 1 is updated, and everything else is as expected
     #     queryset = ForeignKeyTarget.objects.all()
-    #     serializer = ForeignKeyTargetSerializer(queryset)
+    #     serializer = ForeignKeyTargetSerializer(queryset, many=True)
     #     expected = [
-    #         {'id': 1, 'name': u'target-1', 'sources': [1]},
-    #         {'id': 2, 'name': u'target-2', 'sources': []},
+    #         {'id': 1, 'name': 'target-1', 'sources': [1]},
+    #         {'id': 2, 'name': 'target-2', 'sources': []},
     #     ]
-    #     self.assertEquals(serializer.data, expected)
+    #     self.assertEqual(serializer.data, expected)
 
 
 class HyperlinkedNullableOneToOneTests(TestCase):
@@ -426,9 +443,9 @@ class HyperlinkedNullableOneToOneTests(TestCase):
 
     def test_reverse_foreign_key_retrieve_with_null(self):
         queryset = OneToOneTarget.objects.all()
-        serializer = NullableOneToOneTargetSerializer(queryset)
+        serializer = NullableOneToOneTargetSerializer(queryset, many=True, context={'request': request})
         expected = [
-            {'url': '/onetoonetarget/1/', 'name': u'target-1', 'nullable_source': '/nullableonetoonesource/1/'},
-            {'url': '/onetoonetarget/2/', 'name': u'target-2', 'nullable_source': None},
+            {'url': 'http://testserver/onetoonetarget/1/', 'name': 'target-1', 'nullable_source': 'http://testserver/nullableonetoonesource/1/'},
+            {'url': 'http://testserver/onetoonetarget/2/', 'name': 'target-2', 'nullable_source': None},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
diff --git a/rest_framework/tests/relations_nested.py b/rest_framework/tests/relations_nested.py
index 0e129fae2..a125ba656 100644
--- a/rest_framework/tests/relations_nested.py
+++ b/rest_framework/tests/relations_nested.py
@@ -1,3 +1,4 @@
+from __future__ import unicode_literals
 from django.test import TestCase
 from rest_framework import serializers
 from rest_framework.tests.models import ForeignKeyTarget, ForeignKeySource, NullableForeignKeySource, OneToOneTarget, NullableOneToOneSource
@@ -15,7 +16,7 @@ class FlatForeignKeySourceSerializer(serializers.ModelSerializer):
 
 
 class ForeignKeyTargetSerializer(serializers.ModelSerializer):
-    sources = FlatForeignKeySourceSerializer()
+    sources = FlatForeignKeySourceSerializer(many=True)
 
     class Meta:
         model = ForeignKeyTarget
@@ -51,27 +52,27 @@ class ReverseForeignKeyTests(TestCase):
 
     def test_foreign_key_retrieve(self):
         queryset = ForeignKeySource.objects.all()
-        serializer = ForeignKeySourceSerializer(queryset)
+        serializer = ForeignKeySourceSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'source-1', 'target': {'id': 1, 'name': u'target-1'}},
-            {'id': 2, 'name': u'source-2', 'target': {'id': 1, 'name': u'target-1'}},
-            {'id': 3, 'name': u'source-3', 'target': {'id': 1, 'name': u'target-1'}},
+            {'id': 1, 'name': 'source-1', 'target': {'id': 1, 'name': 'target-1'}},
+            {'id': 2, 'name': 'source-2', 'target': {'id': 1, 'name': 'target-1'}},
+            {'id': 3, 'name': 'source-3', 'target': {'id': 1, 'name': 'target-1'}},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_reverse_foreign_key_retrieve(self):
         queryset = ForeignKeyTarget.objects.all()
-        serializer = ForeignKeyTargetSerializer(queryset)
+        serializer = ForeignKeyTargetSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'target-1', 'sources': [
-                {'id': 1, 'name': u'source-1', 'target': 1},
-                {'id': 2, 'name': u'source-2', 'target': 1},
-                {'id': 3, 'name': u'source-3', 'target': 1},
+            {'id': 1, 'name': 'target-1', 'sources': [
+                {'id': 1, 'name': 'source-1', 'target': 1},
+                {'id': 2, 'name': 'source-2', 'target': 1},
+                {'id': 3, 'name': 'source-3', 'target': 1},
             ]},
-            {'id': 2, 'name': u'target-2', 'sources': [
+            {'id': 2, 'name': 'target-2', 'sources': [
             ]}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
 
 class NestedNullableForeignKeyTests(TestCase):
@@ -86,13 +87,13 @@ class NestedNullableForeignKeyTests(TestCase):
 
     def test_foreign_key_retrieve_with_null(self):
         queryset = NullableForeignKeySource.objects.all()
-        serializer = NullableForeignKeySourceSerializer(queryset)
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'source-1', 'target': {'id': 1, 'name': u'target-1'}},
-            {'id': 2, 'name': u'source-2', 'target': {'id': 1, 'name': u'target-1'}},
-            {'id': 3, 'name': u'source-3', 'target': None},
+            {'id': 1, 'name': 'source-1', 'target': {'id': 1, 'name': 'target-1'}},
+            {'id': 2, 'name': 'source-2', 'target': {'id': 1, 'name': 'target-1'}},
+            {'id': 3, 'name': 'source-3', 'target': None},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
 
 class NestedNullableOneToOneTests(TestCase):
@@ -106,9 +107,9 @@ class NestedNullableOneToOneTests(TestCase):
 
     def test_reverse_foreign_key_retrieve_with_null(self):
         queryset = OneToOneTarget.objects.all()
-        serializer = NullableOneToOneTargetSerializer(queryset)
+        serializer = NullableOneToOneTargetSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'target-1', 'nullable_source': {'id': 1, 'name': u'source-1', 'target': 1}},
-            {'id': 2, 'name': u'target-2', 'nullable_source': None},
+            {'id': 1, 'name': 'target-1', 'nullable_source': {'id': 1, 'name': 'source-1', 'target': 1}},
+            {'id': 2, 'name': 'target-2', 'nullable_source': None},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
diff --git a/rest_framework/tests/relations_pk.py b/rest_framework/tests/relations_pk.py
index 548358603..f08e18086 100644
--- a/rest_framework/tests/relations_pk.py
+++ b/rest_framework/tests/relations_pk.py
@@ -1,10 +1,12 @@
+from __future__ import unicode_literals
 from django.test import TestCase
 from rest_framework import serializers
 from rest_framework.tests.models import ManyToManyTarget, ManyToManySource, ForeignKeyTarget, ForeignKeySource, NullableForeignKeySource, OneToOneTarget, NullableOneToOneSource
+from rest_framework.compat import six
 
 
 class ManyToManyTargetSerializer(serializers.ModelSerializer):
-    sources = serializers.ManyPrimaryKeyRelatedField()
+    sources = serializers.PrimaryKeyRelatedField(many=True)
 
     class Meta:
         model = ManyToManyTarget
@@ -16,7 +18,7 @@ class ManyToManySourceSerializer(serializers.ModelSerializer):
 
 
 class ForeignKeyTargetSerializer(serializers.ModelSerializer):
-    sources = serializers.ManyPrimaryKeyRelatedField()
+    sources = serializers.PrimaryKeyRelatedField(many=True)
 
     class Meta:
         model = ForeignKeyTarget
@@ -54,97 +56,97 @@ class PKManyToManyTests(TestCase):
 
     def test_many_to_many_retrieve(self):
         queryset = ManyToManySource.objects.all()
-        serializer = ManyToManySourceSerializer(queryset)
+        serializer = ManyToManySourceSerializer(queryset, many=True)
         expected = [
-                {'id': 1, 'name': u'source-1', 'targets': [1]},
-                {'id': 2, 'name': u'source-2', 'targets': [1, 2]},
-                {'id': 3, 'name': u'source-3', 'targets': [1, 2, 3]}
+                {'id': 1, 'name': 'source-1', 'targets': [1]},
+                {'id': 2, 'name': 'source-2', 'targets': [1, 2]},
+                {'id': 3, 'name': 'source-3', 'targets': [1, 2, 3]}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_reverse_many_to_many_retrieve(self):
         queryset = ManyToManyTarget.objects.all()
-        serializer = ManyToManyTargetSerializer(queryset)
+        serializer = ManyToManyTargetSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'target-1', 'sources': [1, 2, 3]},
-            {'id': 2, 'name': u'target-2', 'sources': [2, 3]},
-            {'id': 3, 'name': u'target-3', 'sources': [3]}
+            {'id': 1, 'name': 'target-1', 'sources': [1, 2, 3]},
+            {'id': 2, 'name': 'target-2', 'sources': [2, 3]},
+            {'id': 3, 'name': 'target-3', 'sources': [3]}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_many_to_many_update(self):
-        data = {'id': 1, 'name': u'source-1', 'targets': [1, 2, 3]}
+        data = {'id': 1, 'name': 'source-1', 'targets': [1, 2, 3]}
         instance = ManyToManySource.objects.get(pk=1)
         serializer = ManyToManySourceSerializer(instance, data=data)
         self.assertTrue(serializer.is_valid())
         serializer.save()
-        self.assertEquals(serializer.data, data)
+        self.assertEqual(serializer.data, data)
 
         # Ensure source 1 is updated, and everything else is as expected
         queryset = ManyToManySource.objects.all()
-        serializer = ManyToManySourceSerializer(queryset)
+        serializer = ManyToManySourceSerializer(queryset, many=True)
         expected = [
-                {'id': 1, 'name': u'source-1', 'targets': [1, 2, 3]},
-                {'id': 2, 'name': u'source-2', 'targets': [1, 2]},
-                {'id': 3, 'name': u'source-3', 'targets': [1, 2, 3]}
+                {'id': 1, 'name': 'source-1', 'targets': [1, 2, 3]},
+                {'id': 2, 'name': 'source-2', 'targets': [1, 2]},
+                {'id': 3, 'name': 'source-3', 'targets': [1, 2, 3]}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_reverse_many_to_many_update(self):
-        data = {'id': 1, 'name': u'target-1', 'sources': [1]}
+        data = {'id': 1, 'name': 'target-1', 'sources': [1]}
         instance = ManyToManyTarget.objects.get(pk=1)
         serializer = ManyToManyTargetSerializer(instance, data=data)
         self.assertTrue(serializer.is_valid())
         serializer.save()
-        self.assertEquals(serializer.data, data)
+        self.assertEqual(serializer.data, data)
 
         # Ensure target 1 is updated, and everything else is as expected
         queryset = ManyToManyTarget.objects.all()
-        serializer = ManyToManyTargetSerializer(queryset)
+        serializer = ManyToManyTargetSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'target-1', 'sources': [1]},
-            {'id': 2, 'name': u'target-2', 'sources': [2, 3]},
-            {'id': 3, 'name': u'target-3', 'sources': [3]}
+            {'id': 1, 'name': 'target-1', 'sources': [1]},
+            {'id': 2, 'name': 'target-2', 'sources': [2, 3]},
+            {'id': 3, 'name': 'target-3', 'sources': [3]}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_many_to_many_create(self):
-        data = {'id': 4, 'name': u'source-4', 'targets': [1, 3]}
+        data = {'id': 4, 'name': 'source-4', 'targets': [1, 3]}
         serializer = ManyToManySourceSerializer(data=data)
         self.assertTrue(serializer.is_valid())
         obj = serializer.save()
-        self.assertEquals(serializer.data, data)
-        self.assertEqual(obj.name, u'source-4')
+        self.assertEqual(serializer.data, data)
+        self.assertEqual(obj.name, 'source-4')
 
         # Ensure source 4 is added, and everything else is as expected
         queryset = ManyToManySource.objects.all()
-        serializer = ManyToManySourceSerializer(queryset)
+        serializer = ManyToManySourceSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'source-1', 'targets': [1]},
-            {'id': 2, 'name': u'source-2', 'targets': [1, 2]},
-            {'id': 3, 'name': u'source-3', 'targets': [1, 2, 3]},
-            {'id': 4, 'name': u'source-4', 'targets': [1, 3]},
+            {'id': 1, 'name': 'source-1', 'targets': [1]},
+            {'id': 2, 'name': 'source-2', 'targets': [1, 2]},
+            {'id': 3, 'name': 'source-3', 'targets': [1, 2, 3]},
+            {'id': 4, 'name': 'source-4', 'targets': [1, 3]},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_reverse_many_to_many_create(self):
-        data = {'id': 4, 'name': u'target-4', 'sources': [1, 3]}
+        data = {'id': 4, 'name': 'target-4', 'sources': [1, 3]}
         serializer = ManyToManyTargetSerializer(data=data)
         self.assertTrue(serializer.is_valid())
         obj = serializer.save()
-        self.assertEquals(serializer.data, data)
-        self.assertEqual(obj.name, u'target-4')
+        self.assertEqual(serializer.data, data)
+        self.assertEqual(obj.name, 'target-4')
 
         # Ensure target 4 is added, and everything else is as expected
         queryset = ManyToManyTarget.objects.all()
-        serializer = ManyToManyTargetSerializer(queryset)
+        serializer = ManyToManyTargetSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'target-1', 'sources': [1, 2, 3]},
-            {'id': 2, 'name': u'target-2', 'sources': [2, 3]},
-            {'id': 3, 'name': u'target-3', 'sources': [3]},
-            {'id': 4, 'name': u'target-4', 'sources': [1, 3]}
+            {'id': 1, 'name': 'target-1', 'sources': [1, 2, 3]},
+            {'id': 2, 'name': 'target-2', 'sources': [2, 3]},
+            {'id': 3, 'name': 'target-3', 'sources': [3]},
+            {'id': 4, 'name': 'target-4', 'sources': [1, 3]}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
 
 class PKForeignKeyTests(TestCase):
@@ -159,111 +161,118 @@ class PKForeignKeyTests(TestCase):
 
     def test_foreign_key_retrieve(self):
         queryset = ForeignKeySource.objects.all()
-        serializer = ForeignKeySourceSerializer(queryset)
+        serializer = ForeignKeySourceSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'source-1', 'target': 1},
-            {'id': 2, 'name': u'source-2', 'target': 1},
-            {'id': 3, 'name': u'source-3', 'target': 1}
+            {'id': 1, 'name': 'source-1', 'target': 1},
+            {'id': 2, 'name': 'source-2', 'target': 1},
+            {'id': 3, 'name': 'source-3', 'target': 1}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_reverse_foreign_key_retrieve(self):
         queryset = ForeignKeyTarget.objects.all()
-        serializer = ForeignKeyTargetSerializer(queryset)
+        serializer = ForeignKeyTargetSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'target-1', 'sources': [1, 2, 3]},
-            {'id': 2, 'name': u'target-2', 'sources': []},
+            {'id': 1, 'name': 'target-1', 'sources': [1, 2, 3]},
+            {'id': 2, 'name': 'target-2', 'sources': []},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_update(self):
-        data = {'id': 1, 'name': u'source-1', 'target': 2}
+        data = {'id': 1, 'name': 'source-1', 'target': 2}
         instance = ForeignKeySource.objects.get(pk=1)
         serializer = ForeignKeySourceSerializer(instance, data=data)
         self.assertTrue(serializer.is_valid())
-        self.assertEquals(serializer.data, data)
+        self.assertEqual(serializer.data, data)
         serializer.save()
 
         # Ensure source 1 is updated, and everything else is as expected
         queryset = ForeignKeySource.objects.all()
-        serializer = ForeignKeySourceSerializer(queryset)
+        serializer = ForeignKeySourceSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'source-1', 'target': 2},
-            {'id': 2, 'name': u'source-2', 'target': 1},
-            {'id': 3, 'name': u'source-3', 'target': 1}
+            {'id': 1, 'name': 'source-1', 'target': 2},
+            {'id': 2, 'name': 'source-2', 'target': 1},
+            {'id': 3, 'name': 'source-3', 'target': 1}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
+
+    def test_foreign_key_update_incorrect_type(self):
+        data = {'id': 1, 'name': 'source-1', 'target': 'foo'}
+        instance = ForeignKeySource.objects.get(pk=1)
+        serializer = ForeignKeySourceSerializer(instance, data=data)
+        self.assertFalse(serializer.is_valid())
+        self.assertEqual(serializer.errors, {'target': ['Incorrect type.  Expected pk value, received %s.' % six.text_type.__name__]})
 
     def test_reverse_foreign_key_update(self):
-        data = {'id': 2, 'name': u'target-2', 'sources': [1, 3]}
+        data = {'id': 2, 'name': 'target-2', 'sources': [1, 3]}
         instance = ForeignKeyTarget.objects.get(pk=2)
         serializer = ForeignKeyTargetSerializer(instance, data=data)
         self.assertTrue(serializer.is_valid())
         # We shouldn't have saved anything to the db yet since save
         # hasn't been called.
         queryset = ForeignKeyTarget.objects.all()
-        new_serializer = ForeignKeyTargetSerializer(queryset)
+        new_serializer = ForeignKeyTargetSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'target-1', 'sources': [1, 2, 3]},
-            {'id': 2, 'name': u'target-2', 'sources': []},
-        ]        
-        self.assertEquals(new_serializer.data, expected)
+            {'id': 1, 'name': 'target-1', 'sources': [1, 2, 3]},
+            {'id': 2, 'name': 'target-2', 'sources': []},
+        ]
+        self.assertEqual(new_serializer.data, expected)
 
         serializer.save()
-        self.assertEquals(serializer.data, data)
+        self.assertEqual(serializer.data, data)
 
         # Ensure target 2 is update, and everything else is as expected
         queryset = ForeignKeyTarget.objects.all()
-        serializer = ForeignKeyTargetSerializer(queryset)
+        serializer = ForeignKeyTargetSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'target-1', 'sources': [2]},
-            {'id': 2, 'name': u'target-2', 'sources': [1, 3]},
+            {'id': 1, 'name': 'target-1', 'sources': [2]},
+            {'id': 2, 'name': 'target-2', 'sources': [1, 3]},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_create(self):
-        data = {'id': 4, 'name': u'source-4', 'target': 2}
+        data = {'id': 4, 'name': 'source-4', 'target': 2}
         serializer = ForeignKeySourceSerializer(data=data)
         self.assertTrue(serializer.is_valid())
         obj = serializer.save()
-        self.assertEquals(serializer.data, data)
-        self.assertEqual(obj.name, u'source-4')
+        self.assertEqual(serializer.data, data)
+        self.assertEqual(obj.name, 'source-4')
 
         # Ensure source 4 is added, and everything else is as expected
         queryset = ForeignKeySource.objects.all()
-        serializer = ForeignKeySourceSerializer(queryset)
+        serializer = ForeignKeySourceSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'source-1', 'target': 1},
-            {'id': 2, 'name': u'source-2', 'target': 1},
-            {'id': 3, 'name': u'source-3', 'target': 1},
-            {'id': 4, 'name': u'source-4', 'target': 2},
+            {'id': 1, 'name': 'source-1', 'target': 1},
+            {'id': 2, 'name': 'source-2', 'target': 1},
+            {'id': 3, 'name': 'source-3', 'target': 1},
+            {'id': 4, 'name': 'source-4', 'target': 2},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_reverse_foreign_key_create(self):
-        data = {'id': 3, 'name': u'target-3', 'sources': [1, 3]}
+        data = {'id': 3, 'name': 'target-3', 'sources': [1, 3]}
         serializer = ForeignKeyTargetSerializer(data=data)
         self.assertTrue(serializer.is_valid())
         obj = serializer.save()
-        self.assertEquals(serializer.data, data)
-        self.assertEqual(obj.name, u'target-3')
+        self.assertEqual(serializer.data, data)
+        self.assertEqual(obj.name, 'target-3')
 
         # Ensure target 3 is added, and everything else is as expected
         queryset = ForeignKeyTarget.objects.all()
-        serializer = ForeignKeyTargetSerializer(queryset)
+        serializer = ForeignKeyTargetSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'target-1', 'sources': [2]},
-            {'id': 2, 'name': u'target-2', 'sources': []},
-            {'id': 3, 'name': u'target-3', 'sources': [1, 3]},
+            {'id': 1, 'name': 'target-1', 'sources': [2]},
+            {'id': 2, 'name': 'target-2', 'sources': []},
+            {'id': 3, 'name': 'target-3', 'sources': [1, 3]},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_update_with_invalid_null(self):
-        data = {'id': 1, 'name': u'source-1', 'target': None}
+        data = {'id': 1, 'name': 'source-1', 'target': None}
         instance = ForeignKeySource.objects.get(pk=1)
         serializer = ForeignKeySourceSerializer(instance, data=data)
         self.assertFalse(serializer.is_valid())
-        self.assertEquals(serializer.errors, {'target': [u'Value may not be null']})
+        self.assertEqual(serializer.errors, {'target': ['This field is required.']})
 
 
 class PKNullableForeignKeyTests(TestCase):
@@ -278,118 +287,118 @@ class PKNullableForeignKeyTests(TestCase):
 
     def test_foreign_key_retrieve_with_null(self):
         queryset = NullableForeignKeySource.objects.all()
-        serializer = NullableForeignKeySourceSerializer(queryset)
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'source-1', 'target': 1},
-            {'id': 2, 'name': u'source-2', 'target': 1},
-            {'id': 3, 'name': u'source-3', 'target': None},
+            {'id': 1, 'name': 'source-1', 'target': 1},
+            {'id': 2, 'name': 'source-2', 'target': 1},
+            {'id': 3, 'name': 'source-3', 'target': None},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_create_with_valid_null(self):
-        data = {'id': 4, 'name': u'source-4', 'target': None}
+        data = {'id': 4, 'name': 'source-4', 'target': None}
         serializer = NullableForeignKeySourceSerializer(data=data)
         self.assertTrue(serializer.is_valid())
         obj = serializer.save()
-        self.assertEquals(serializer.data, data)
-        self.assertEqual(obj.name, u'source-4')
+        self.assertEqual(serializer.data, data)
+        self.assertEqual(obj.name, 'source-4')
 
         # Ensure source 4 is created, and everything else is as expected
         queryset = NullableForeignKeySource.objects.all()
-        serializer = NullableForeignKeySourceSerializer(queryset)
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'source-1', 'target': 1},
-            {'id': 2, 'name': u'source-2', 'target': 1},
-            {'id': 3, 'name': u'source-3', 'target': None},
-            {'id': 4, 'name': u'source-4', 'target': None}
+            {'id': 1, 'name': 'source-1', 'target': 1},
+            {'id': 2, 'name': 'source-2', 'target': 1},
+            {'id': 3, 'name': 'source-3', 'target': None},
+            {'id': 4, 'name': 'source-4', 'target': None}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_create_with_valid_emptystring(self):
         """
         The emptystring should be interpreted as null in the context
         of relationships.
         """
-        data = {'id': 4, 'name': u'source-4', 'target': ''}
-        expected_data = {'id': 4, 'name': u'source-4', 'target': None}
+        data = {'id': 4, 'name': 'source-4', 'target': ''}
+        expected_data = {'id': 4, 'name': 'source-4', 'target': None}
         serializer = NullableForeignKeySourceSerializer(data=data)
         self.assertTrue(serializer.is_valid())
         obj = serializer.save()
-        self.assertEquals(serializer.data, expected_data)
-        self.assertEqual(obj.name, u'source-4')
+        self.assertEqual(serializer.data, expected_data)
+        self.assertEqual(obj.name, 'source-4')
 
         # Ensure source 4 is created, and everything else is as expected
         queryset = NullableForeignKeySource.objects.all()
-        serializer = NullableForeignKeySourceSerializer(queryset)
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'source-1', 'target': 1},
-            {'id': 2, 'name': u'source-2', 'target': 1},
-            {'id': 3, 'name': u'source-3', 'target': None},
-            {'id': 4, 'name': u'source-4', 'target': None}
+            {'id': 1, 'name': 'source-1', 'target': 1},
+            {'id': 2, 'name': 'source-2', 'target': 1},
+            {'id': 3, 'name': 'source-3', 'target': None},
+            {'id': 4, 'name': 'source-4', 'target': None}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_update_with_valid_null(self):
-        data = {'id': 1, 'name': u'source-1', 'target': None}
+        data = {'id': 1, 'name': 'source-1', 'target': None}
         instance = NullableForeignKeySource.objects.get(pk=1)
         serializer = NullableForeignKeySourceSerializer(instance, data=data)
         self.assertTrue(serializer.is_valid())
-        self.assertEquals(serializer.data, data)
+        self.assertEqual(serializer.data, data)
         serializer.save()
 
         # Ensure source 1 is updated, and everything else is as expected
         queryset = NullableForeignKeySource.objects.all()
-        serializer = NullableForeignKeySourceSerializer(queryset)
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'source-1', 'target': None},
-            {'id': 2, 'name': u'source-2', 'target': 1},
-            {'id': 3, 'name': u'source-3', 'target': None}
+            {'id': 1, 'name': 'source-1', 'target': None},
+            {'id': 2, 'name': 'source-2', 'target': 1},
+            {'id': 3, 'name': 'source-3', 'target': None}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_foreign_key_update_with_valid_emptystring(self):
         """
         The emptystring should be interpreted as null in the context
         of relationships.
         """
-        data = {'id': 1, 'name': u'source-1', 'target': ''}
-        expected_data = {'id': 1, 'name': u'source-1', 'target': None}
+        data = {'id': 1, 'name': 'source-1', 'target': ''}
+        expected_data = {'id': 1, 'name': 'source-1', 'target': None}
         instance = NullableForeignKeySource.objects.get(pk=1)
         serializer = NullableForeignKeySourceSerializer(instance, data=data)
         self.assertTrue(serializer.is_valid())
-        self.assertEquals(serializer.data, expected_data)
+        self.assertEqual(serializer.data, expected_data)
         serializer.save()
 
         # Ensure source 1 is updated, and everything else is as expected
         queryset = NullableForeignKeySource.objects.all()
-        serializer = NullableForeignKeySourceSerializer(queryset)
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'source-1', 'target': None},
-            {'id': 2, 'name': u'source-2', 'target': 1},
-            {'id': 3, 'name': u'source-3', 'target': None}
+            {'id': 1, 'name': 'source-1', 'target': None},
+            {'id': 2, 'name': 'source-2', 'target': 1},
+            {'id': 3, 'name': 'source-3', 'target': None}
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     # reverse foreign keys MUST be read_only
     # In the general case they do not provide .remove() or .clear()
     # and cannot be arbitrarily set.
 
     # def test_reverse_foreign_key_update(self):
-    #     data = {'id': 1, 'name': u'target-1', 'sources': [1]}
+    #     data = {'id': 1, 'name': 'target-1', 'sources': [1]}
     #     instance = ForeignKeyTarget.objects.get(pk=1)
     #     serializer = ForeignKeyTargetSerializer(instance, data=data)
     #     self.assertTrue(serializer.is_valid())
-    #     self.assertEquals(serializer.data, data)
+    #     self.assertEqual(serializer.data, data)
     #     serializer.save()
 
     #     # Ensure target 1 is updated, and everything else is as expected
     #     queryset = ForeignKeyTarget.objects.all()
-    #     serializer = ForeignKeyTargetSerializer(queryset)
+    #     serializer = ForeignKeyTargetSerializer(queryset, many=True)
     #     expected = [
-    #         {'id': 1, 'name': u'target-1', 'sources': [1]},
-    #         {'id': 2, 'name': u'target-2', 'sources': []},
+    #         {'id': 1, 'name': 'target-1', 'sources': [1]},
+    #         {'id': 2, 'name': 'target-2', 'sources': []},
     #     ]
-    #     self.assertEquals(serializer.data, expected)
+    #     self.assertEqual(serializer.data, expected)
 
 
 class PKNullableOneToOneTests(TestCase):
@@ -398,14 +407,14 @@ class PKNullableOneToOneTests(TestCase):
         target.save()
         new_target = OneToOneTarget(name='target-2')
         new_target.save()
-        source = NullableOneToOneSource(name='source-1', target=target)
+        source = NullableOneToOneSource(name='source-1', target=new_target)
         source.save()
 
     def test_reverse_foreign_key_retrieve_with_null(self):
         queryset = OneToOneTarget.objects.all()
-        serializer = NullableOneToOneTargetSerializer(queryset)
+        serializer = NullableOneToOneTargetSerializer(queryset, many=True)
         expected = [
-            {'id': 1, 'name': u'target-1', 'nullable_source': 1},
-            {'id': 2, 'name': u'target-2', 'nullable_source': None},
+            {'id': 1, 'name': 'target-1', 'nullable_source': None},
+            {'id': 2, 'name': 'target-2', 'nullable_source': 1},
         ]
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
diff --git a/rest_framework/tests/relations_slug.py b/rest_framework/tests/relations_slug.py
new file mode 100644
index 000000000..435c821cf
--- /dev/null
+++ b/rest_framework/tests/relations_slug.py
@@ -0,0 +1,257 @@
+from django.test import TestCase
+from rest_framework import serializers
+from rest_framework.tests.models import NullableForeignKeySource, ForeignKeySource, ForeignKeyTarget
+
+
+class ForeignKeyTargetSerializer(serializers.ModelSerializer):
+    sources = serializers.SlugRelatedField(many=True, slug_field='name')
+
+    class Meta:
+        model = ForeignKeyTarget
+
+
+class ForeignKeySourceSerializer(serializers.ModelSerializer):
+    target = serializers.SlugRelatedField(slug_field='name')
+
+    class Meta:
+        model = ForeignKeySource
+
+
+class NullableForeignKeySourceSerializer(serializers.ModelSerializer):
+    target = serializers.SlugRelatedField(slug_field='name', required=False)
+
+    class Meta:
+        model = NullableForeignKeySource
+
+
+# TODO: M2M Tests, FKTests (Non-nullable), One2One
+class SlugForeignKeyTests(TestCase):
+    def setUp(self):
+        target = ForeignKeyTarget(name='target-1')
+        target.save()
+        new_target = ForeignKeyTarget(name='target-2')
+        new_target.save()
+        for idx in range(1, 4):
+            source = ForeignKeySource(name='source-%d' % idx, target=target)
+            source.save()
+
+    def test_foreign_key_retrieve(self):
+        queryset = ForeignKeySource.objects.all()
+        serializer = ForeignKeySourceSerializer(queryset, many=True)
+        expected = [
+            {'id': 1, 'name': 'source-1', 'target': 'target-1'},
+            {'id': 2, 'name': 'source-2', 'target': 'target-1'},
+            {'id': 3, 'name': 'source-3', 'target': 'target-1'}
+        ]
+        self.assertEqual(serializer.data, expected)
+
+    def test_reverse_foreign_key_retrieve(self):
+        queryset = ForeignKeyTarget.objects.all()
+        serializer = ForeignKeyTargetSerializer(queryset, many=True)
+        expected = [
+            {'id': 1, 'name': 'target-1', 'sources': ['source-1', 'source-2', 'source-3']},
+            {'id': 2, 'name': 'target-2', 'sources': []},
+        ]
+        self.assertEqual(serializer.data, expected)
+
+    def test_foreign_key_update(self):
+        data = {'id': 1, 'name': 'source-1', 'target': 'target-2'}
+        instance = ForeignKeySource.objects.get(pk=1)
+        serializer = ForeignKeySourceSerializer(instance, data=data)
+        self.assertTrue(serializer.is_valid())
+        self.assertEqual(serializer.data, data)
+        serializer.save()
+
+        # Ensure source 1 is updated, and everything else is as expected
+        queryset = ForeignKeySource.objects.all()
+        serializer = ForeignKeySourceSerializer(queryset, many=True)
+        expected = [
+            {'id': 1, 'name': 'source-1', 'target': 'target-2'},
+            {'id': 2, 'name': 'source-2', 'target': 'target-1'},
+            {'id': 3, 'name': 'source-3', 'target': 'target-1'}
+        ]
+        self.assertEqual(serializer.data, expected)
+
+    def test_foreign_key_update_incorrect_type(self):
+        data = {'id': 1, 'name': 'source-1', 'target': 123}
+        instance = ForeignKeySource.objects.get(pk=1)
+        serializer = ForeignKeySourceSerializer(instance, data=data)
+        self.assertFalse(serializer.is_valid())
+        self.assertEqual(serializer.errors, {'target': ['Object with name=123 does not exist.']})
+
+    def test_reverse_foreign_key_update(self):
+        data = {'id': 2, 'name': 'target-2', 'sources': ['source-1', 'source-3']}
+        instance = ForeignKeyTarget.objects.get(pk=2)
+        serializer = ForeignKeyTargetSerializer(instance, data=data)
+        self.assertTrue(serializer.is_valid())
+        # We shouldn't have saved anything to the db yet since save
+        # hasn't been called.
+        queryset = ForeignKeyTarget.objects.all()
+        new_serializer = ForeignKeyTargetSerializer(queryset, many=True)
+        expected = [
+            {'id': 1, 'name': 'target-1', 'sources': ['source-1', 'source-2', 'source-3']},
+            {'id': 2, 'name': 'target-2', 'sources': []},
+        ]
+        self.assertEqual(new_serializer.data, expected)
+
+        serializer.save()
+        self.assertEqual(serializer.data, data)
+
+        # Ensure target 2 is update, and everything else is as expected
+        queryset = ForeignKeyTarget.objects.all()
+        serializer = ForeignKeyTargetSerializer(queryset, many=True)
+        expected = [
+            {'id': 1, 'name': 'target-1', 'sources': ['source-2']},
+            {'id': 2, 'name': 'target-2', 'sources': ['source-1', 'source-3']},
+        ]
+        self.assertEqual(serializer.data, expected)
+
+    def test_foreign_key_create(self):
+        data = {'id': 4, 'name': 'source-4', 'target': 'target-2'}
+        serializer = ForeignKeySourceSerializer(data=data)
+        serializer.is_valid()
+        self.assertTrue(serializer.is_valid())
+        obj = serializer.save()
+        self.assertEqual(serializer.data, data)
+        self.assertEqual(obj.name, 'source-4')
+
+        # Ensure source 4 is added, and everything else is as expected
+        queryset = ForeignKeySource.objects.all()
+        serializer = ForeignKeySourceSerializer(queryset, many=True)
+        expected = [
+            {'id': 1, 'name': 'source-1', 'target': 'target-1'},
+            {'id': 2, 'name': 'source-2', 'target': 'target-1'},
+            {'id': 3, 'name': 'source-3', 'target': 'target-1'},
+            {'id': 4, 'name': 'source-4', 'target': 'target-2'},
+        ]
+        self.assertEqual(serializer.data, expected)
+
+    def test_reverse_foreign_key_create(self):
+        data = {'id': 3, 'name': 'target-3', 'sources': ['source-1', 'source-3']}
+        serializer = ForeignKeyTargetSerializer(data=data)
+        self.assertTrue(serializer.is_valid())
+        obj = serializer.save()
+        self.assertEqual(serializer.data, data)
+        self.assertEqual(obj.name, 'target-3')
+
+        # Ensure target 3 is added, and everything else is as expected
+        queryset = ForeignKeyTarget.objects.all()
+        serializer = ForeignKeyTargetSerializer(queryset, many=True)
+        expected = [
+            {'id': 1, 'name': 'target-1', 'sources': ['source-2']},
+            {'id': 2, 'name': 'target-2', 'sources': []},
+            {'id': 3, 'name': 'target-3', 'sources': ['source-1', 'source-3']},
+        ]
+        self.assertEqual(serializer.data, expected)
+
+    def test_foreign_key_update_with_invalid_null(self):
+        data = {'id': 1, 'name': 'source-1', 'target': None}
+        instance = ForeignKeySource.objects.get(pk=1)
+        serializer = ForeignKeySourceSerializer(instance, data=data)
+        self.assertFalse(serializer.is_valid())
+        self.assertEqual(serializer.errors, {'target': ['This field is required.']})
+
+
+class SlugNullableForeignKeyTests(TestCase):
+    def setUp(self):
+        target = ForeignKeyTarget(name='target-1')
+        target.save()
+        for idx in range(1, 4):
+            if idx == 3:
+                target = None
+            source = NullableForeignKeySource(name='source-%d' % idx, target=target)
+            source.save()
+
+    def test_foreign_key_retrieve_with_null(self):
+        queryset = NullableForeignKeySource.objects.all()
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True)
+        expected = [
+            {'id': 1, 'name': 'source-1', 'target': 'target-1'},
+            {'id': 2, 'name': 'source-2', 'target': 'target-1'},
+            {'id': 3, 'name': 'source-3', 'target': None},
+        ]
+        self.assertEqual(serializer.data, expected)
+
+    def test_foreign_key_create_with_valid_null(self):
+        data = {'id': 4, 'name': 'source-4', 'target': None}
+        serializer = NullableForeignKeySourceSerializer(data=data)
+        self.assertTrue(serializer.is_valid())
+        obj = serializer.save()
+        self.assertEqual(serializer.data, data)
+        self.assertEqual(obj.name, 'source-4')
+
+        # Ensure source 4 is created, and everything else is as expected
+        queryset = NullableForeignKeySource.objects.all()
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True)
+        expected = [
+            {'id': 1, 'name': 'source-1', 'target': 'target-1'},
+            {'id': 2, 'name': 'source-2', 'target': 'target-1'},
+            {'id': 3, 'name': 'source-3', 'target': None},
+            {'id': 4, 'name': 'source-4', 'target': None}
+        ]
+        self.assertEqual(serializer.data, expected)
+
+    def test_foreign_key_create_with_valid_emptystring(self):
+        """
+        The emptystring should be interpreted as null in the context
+        of relationships.
+        """
+        data = {'id': 4, 'name': 'source-4', 'target': ''}
+        expected_data = {'id': 4, 'name': 'source-4', 'target': None}
+        serializer = NullableForeignKeySourceSerializer(data=data)
+        self.assertTrue(serializer.is_valid())
+        obj = serializer.save()
+        self.assertEqual(serializer.data, expected_data)
+        self.assertEqual(obj.name, 'source-4')
+
+        # Ensure source 4 is created, and everything else is as expected
+        queryset = NullableForeignKeySource.objects.all()
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True)
+        expected = [
+            {'id': 1, 'name': 'source-1', 'target': 'target-1'},
+            {'id': 2, 'name': 'source-2', 'target': 'target-1'},
+            {'id': 3, 'name': 'source-3', 'target': None},
+            {'id': 4, 'name': 'source-4', 'target': None}
+        ]
+        self.assertEqual(serializer.data, expected)
+
+    def test_foreign_key_update_with_valid_null(self):
+        data = {'id': 1, 'name': 'source-1', 'target': None}
+        instance = NullableForeignKeySource.objects.get(pk=1)
+        serializer = NullableForeignKeySourceSerializer(instance, data=data)
+        self.assertTrue(serializer.is_valid())
+        self.assertEqual(serializer.data, data)
+        serializer.save()
+
+        # Ensure source 1 is updated, and everything else is as expected
+        queryset = NullableForeignKeySource.objects.all()
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True)
+        expected = [
+            {'id': 1, 'name': 'source-1', 'target': None},
+            {'id': 2, 'name': 'source-2', 'target': 'target-1'},
+            {'id': 3, 'name': 'source-3', 'target': None}
+        ]
+        self.assertEqual(serializer.data, expected)
+
+    def test_foreign_key_update_with_valid_emptystring(self):
+        """
+        The emptystring should be interpreted as null in the context
+        of relationships.
+        """
+        data = {'id': 1, 'name': 'source-1', 'target': ''}
+        expected_data = {'id': 1, 'name': 'source-1', 'target': None}
+        instance = NullableForeignKeySource.objects.get(pk=1)
+        serializer = NullableForeignKeySourceSerializer(instance, data=data)
+        self.assertTrue(serializer.is_valid())
+        self.assertEqual(serializer.data, expected_data)
+        serializer.save()
+
+        # Ensure source 1 is updated, and everything else is as expected
+        queryset = NullableForeignKeySource.objects.all()
+        serializer = NullableForeignKeySourceSerializer(queryset, many=True)
+        expected = [
+            {'id': 1, 'name': 'source-1', 'target': None},
+            {'id': 2, 'name': 'source-2', 'target': 'target-1'},
+            {'id': 3, 'name': 'source-3', 'target': None}
+        ]
+        self.assertEqual(serializer.data, expected)
diff --git a/rest_framework/tests/renderers.py b/rest_framework/tests/renderers.py
index c1b4e624b..40bac9cb3 100644
--- a/rest_framework/tests/renderers.py
+++ b/rest_framework/tests/renderers.py
@@ -1,29 +1,28 @@
-import pickle
-import re
-
+from decimal import Decimal
 from django.core.cache import cache
 from django.test import TestCase
 from django.test.client import RequestFactory
-
+from django.utils import unittest
 from rest_framework import status, permissions
-from rest_framework.compat import yaml, patterns, url, include
+from rest_framework.compat import yaml, etree, patterns, url, include
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from rest_framework.renderers import BaseRenderer, JSONRenderer, YAMLRenderer, \
     XMLRenderer, JSONPRenderer, BrowsableAPIRenderer
 from rest_framework.parsers import YAMLParser, XMLParser
 from rest_framework.settings import api_settings
-
-from StringIO import StringIO
+from rest_framework.compat import StringIO
+from rest_framework.compat import six
 import datetime
-from decimal import Decimal
+import pickle
+import re
 
 
 DUMMYSTATUS = status.HTTP_200_OK
 DUMMYCONTENT = 'dummycontent'
 
-RENDERER_A_SERIALIZER = lambda x: 'Renderer A: %s' % x
-RENDERER_B_SERIALIZER = lambda x: 'Renderer B: %s' % x
+RENDERER_A_SERIALIZER = lambda x: ('Renderer A: %s' % x).encode('ascii')
+RENDERER_B_SERIALIZER = lambda x: ('Renderer B: %s' % x).encode('ascii')
 
 
 expected_results = [
@@ -35,7 +34,7 @@ class BasicRendererTests(TestCase):
     def test_expected_results(self):
         for value, renderer_cls, expected in expected_results:
             output = renderer_cls().render(value)
-            self.assertEquals(output, expected)
+            self.assertEqual(output, expected)
 
 
 class RendererA(BaseRenderer):
@@ -94,7 +93,7 @@ urlpatterns = patterns('',
 
 
 class POSTDeniedPermission(permissions.BasePermission):
-    def has_permission(self, request, view, obj=None):
+    def has_permission(self, request, view):
         return request.method != 'POST'
 
 
@@ -111,6 +110,9 @@ class POSTDeniedView(APIView):
     def put(self, request):
         return Response()
 
+    def patch(self, request):
+        return Response()
+
 
 class DocumentingRendererTests(TestCase):
     def test_only_permitted_forms_are_displayed(self):
@@ -119,6 +121,7 @@ class DocumentingRendererTests(TestCase):
         response = view(request).render()
         self.assertNotContains(response, '>POST<')
         self.assertContains(response, '>PUT<')
+        self.assertContains(response, '>PATCH<')
 
 
 class RendererEndToEndTests(TestCase):
@@ -131,39 +134,39 @@ class RendererEndToEndTests(TestCase):
     def test_default_renderer_serializes_content(self):
         """If the Accept header is not set the default renderer should serialize the response."""
         resp = self.client.get('/')
-        self.assertEquals(resp['Content-Type'], RendererA.media_type)
-        self.assertEquals(resp.content, RENDERER_A_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererA.media_type)
+        self.assertEqual(resp.content, RENDERER_A_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_head_method_serializes_no_content(self):
         """No response must be included in HEAD requests."""
         resp = self.client.head('/')
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
-        self.assertEquals(resp['Content-Type'], RendererA.media_type)
-        self.assertEquals(resp.content, '')
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererA.media_type)
+        self.assertEqual(resp.content, six.b(''))
 
     def test_default_renderer_serializes_content_on_accept_any(self):
         """If the Accept header is set to */* the default renderer should serialize the response."""
         resp = self.client.get('/', HTTP_ACCEPT='*/*')
-        self.assertEquals(resp['Content-Type'], RendererA.media_type)
-        self.assertEquals(resp.content, RENDERER_A_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererA.media_type)
+        self.assertEqual(resp.content, RENDERER_A_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_specified_renderer_serializes_content_default_case(self):
         """If the Accept header is set the specified renderer should serialize the response.
         (In this case we check that works for the default renderer)"""
         resp = self.client.get('/', HTTP_ACCEPT=RendererA.media_type)
-        self.assertEquals(resp['Content-Type'], RendererA.media_type)
-        self.assertEquals(resp.content, RENDERER_A_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererA.media_type)
+        self.assertEqual(resp.content, RENDERER_A_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_specified_renderer_serializes_content_non_default_case(self):
         """If the Accept header is set the specified renderer should serialize the response.
         (In this case we check that works for a non-default renderer)"""
         resp = self.client.get('/', HTTP_ACCEPT=RendererB.media_type)
-        self.assertEquals(resp['Content-Type'], RendererB.media_type)
-        self.assertEquals(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererB.media_type)
+        self.assertEqual(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_specified_renderer_serializes_content_on_accept_query(self):
         """The '_accept' query string should behave in the same way as the Accept header."""
@@ -172,14 +175,14 @@ class RendererEndToEndTests(TestCase):
             RendererB.media_type
         )
         resp = self.client.get('/' + param)
-        self.assertEquals(resp['Content-Type'], RendererB.media_type)
-        self.assertEquals(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererB.media_type)
+        self.assertEqual(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_unsatisfiable_accept_header_on_request_returns_406_status(self):
         """If the Accept header is unsatisfiable we should return a 406 Not Acceptable response."""
         resp = self.client.get('/', HTTP_ACCEPT='foo/bar')
-        self.assertEquals(resp.status_code, status.HTTP_406_NOT_ACCEPTABLE)
+        self.assertEqual(resp.status_code, status.HTTP_406_NOT_ACCEPTABLE)
 
     def test_specified_renderer_serializes_content_on_format_query(self):
         """If a 'format' query is specified, the renderer with the matching
@@ -189,17 +192,17 @@ class RendererEndToEndTests(TestCase):
             RendererB.format
         )
         resp = self.client.get('/' + param)
-        self.assertEquals(resp['Content-Type'], RendererB.media_type)
-        self.assertEquals(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererB.media_type)
+        self.assertEqual(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_specified_renderer_serializes_content_on_format_kwargs(self):
         """If a 'format' keyword arg is specified, the renderer with the matching
         format attribute should serialize the response."""
         resp = self.client.get('/something.formatb')
-        self.assertEquals(resp['Content-Type'], RendererB.media_type)
-        self.assertEquals(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererB.media_type)
+        self.assertEqual(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_specified_renderer_is_used_on_format_query_with_matching_accept(self):
         """If both a 'format' query and a matching Accept header specified,
@@ -210,9 +213,9 @@ class RendererEndToEndTests(TestCase):
         )
         resp = self.client.get('/' + param,
                                HTTP_ACCEPT=RendererB.media_type)
-        self.assertEquals(resp['Content-Type'], RendererB.media_type)
-        self.assertEquals(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererB.media_type)
+        self.assertEqual(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
 
 _flat_repr = '{"foo": ["bar", "baz"]}'
@@ -240,7 +243,7 @@ class JSONRendererTests(TestCase):
         renderer = JSONRenderer()
         content = renderer.render(obj, 'application/json')
         # Fix failing test case which depends on version of JSON library.
-        self.assertEquals(content, _flat_repr)
+        self.assertEqual(content, _flat_repr)
 
     def test_with_content_type_args(self):
         """
@@ -249,7 +252,7 @@ class JSONRendererTests(TestCase):
         obj = {'foo': ['bar', 'baz']}
         renderer = JSONRenderer()
         content = renderer.render(obj, 'application/json; indent=2')
-        self.assertEquals(strip_trailing_whitespace(content), _indented_repr)
+        self.assertEqual(strip_trailing_whitespace(content), _indented_repr)
 
 
 class JSONPRendererTests(TestCase):
@@ -265,9 +268,10 @@ class JSONPRendererTests(TestCase):
         """
         resp = self.client.get('/jsonp/jsonrenderer',
                                HTTP_ACCEPT='application/javascript')
-        self.assertEquals(resp.status_code, 200)
-        self.assertEquals(resp['Content-Type'], 'application/javascript')
-        self.assertEquals(resp.content, 'callback(%s);' % _flat_repr)
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+        self.assertEqual(resp['Content-Type'], 'application/javascript')
+        self.assertEqual(resp.content,
+            ('callback(%s);' % _flat_repr).encode('ascii'))
 
     def test_without_callback_without_json_renderer(self):
         """
@@ -275,9 +279,10 @@ class JSONPRendererTests(TestCase):
         """
         resp = self.client.get('/jsonp/nojsonrenderer',
                                HTTP_ACCEPT='application/javascript')
-        self.assertEquals(resp.status_code, 200)
-        self.assertEquals(resp['Content-Type'], 'application/javascript')
-        self.assertEquals(resp.content, 'callback(%s);' % _flat_repr)
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+        self.assertEqual(resp['Content-Type'], 'application/javascript')
+        self.assertEqual(resp.content,
+            ('callback(%s);' % _flat_repr).encode('ascii'))
 
     def test_with_callback(self):
         """
@@ -286,9 +291,10 @@ class JSONPRendererTests(TestCase):
         callback_func = 'myjsonpcallback'
         resp = self.client.get('/jsonp/nojsonrenderer?callback=' + callback_func,
                                HTTP_ACCEPT='application/javascript')
-        self.assertEquals(resp.status_code, 200)
-        self.assertEquals(resp['Content-Type'], 'application/javascript')
-        self.assertEquals(resp.content, '%s(%s);' % (callback_func, _flat_repr))
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+        self.assertEqual(resp['Content-Type'], 'application/javascript')
+        self.assertEqual(resp.content,
+            ('%s(%s);' % (callback_func, _flat_repr)).encode('ascii'))
 
 
 if yaml:
@@ -306,7 +312,7 @@ if yaml:
             obj = {'foo': ['bar', 'baz']}
             renderer = YAMLRenderer()
             content = renderer.render(obj, 'application/yaml')
-            self.assertEquals(content, _yaml_repr)
+            self.assertEqual(content, _yaml_repr)
 
         def test_render_and_parse(self):
             """
@@ -320,7 +326,7 @@ if yaml:
 
             content = renderer.render(obj, 'application/yaml')
             data = parser.parse(StringIO(content))
-            self.assertEquals(obj, data)
+            self.assertEqual(obj, data)
 
 
 class XMLRendererTestCase(TestCase):
@@ -402,6 +408,7 @@ class XMLRendererTestCase(TestCase):
         self.assertXMLContains(content, 'first')
         self.assertXMLContains(content, 'second')
 
+    @unittest.skipUnless(etree, 'defusedxml not installed')
     def test_render_and_parse_complex_data(self):
         """
         Test XML rendering.
diff --git a/rest_framework/tests/request.py b/rest_framework/tests/request.py
index 4b0324056..97e5af207 100644
--- a/rest_framework/tests/request.py
+++ b/rest_framework/tests/request.py
@@ -1,7 +1,7 @@
 """
 Tests for content parsing, and form-overloaded content parsing.
 """
-import json
+from __future__ import unicode_literals
 from django.contrib.auth.models import User
 from django.contrib.auth import authenticate, login, logout
 from django.contrib.sessions.middleware import SessionMiddleware
@@ -20,6 +20,8 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.settings import api_settings
 from rest_framework.views import APIView
+from rest_framework.compat import six
+import json
 
 
 factory = RequestFactory()
@@ -56,21 +58,29 @@ class TestMethodOverloading(TestCase):
         request = Request(factory.post('/', {api_settings.FORM_METHOD_OVERRIDE: 'DELETE'}))
         self.assertEqual(request.method, 'DELETE')
 
+    def test_x_http_method_override_header(self):
+        """
+        POST requests can also be overloaded to another method by setting
+        the X-HTTP-Method-Override header.
+        """
+        request = Request(factory.post('/', {'foo': 'bar'}, HTTP_X_HTTP_METHOD_OVERRIDE='DELETE'))
+        self.assertEqual(request.method, 'DELETE')
+
 
 class TestContentParsing(TestCase):
     def test_standard_behaviour_determines_no_content_GET(self):
         """
-        Ensure request.DATA returns None for GET request with no content.
+        Ensure request.DATA returns empty QueryDict for GET request.
         """
         request = Request(factory.get('/'))
-        self.assertEqual(request.DATA, None)
+        self.assertEqual(request.DATA, {})
 
     def test_standard_behaviour_determines_no_content_HEAD(self):
         """
-        Ensure request.DATA returns None for HEAD request.
+        Ensure request.DATA returns empty QueryDict for HEAD request.
         """
         request = Request(factory.head('/'))
-        self.assertEqual(request.DATA, None)
+        self.assertEqual(request.DATA, {})
 
     def test_request_DATA_with_form_content(self):
         """
@@ -79,14 +89,14 @@ class TestContentParsing(TestCase):
         data = {'qwerty': 'uiop'}
         request = Request(factory.post('/', data))
         request.parsers = (FormParser(), MultiPartParser())
-        self.assertEqual(request.DATA.items(), data.items())
+        self.assertEqual(list(request.DATA.items()), list(data.items()))
 
     def test_request_DATA_with_text_content(self):
         """
         Ensure request.DATA returns content for POST request with
         non-form content.
         """
-        content = 'qwerty'
+        content = six.b('qwerty')
         content_type = 'text/plain'
         request = Request(factory.post('/', content, content_type=content_type))
         request.parsers = (PlainTextParser(),)
@@ -99,7 +109,7 @@ class TestContentParsing(TestCase):
         data = {'qwerty': 'uiop'}
         request = Request(factory.post('/', data))
         request.parsers = (FormParser(), MultiPartParser())
-        self.assertEqual(request.POST.items(), data.items())
+        self.assertEqual(list(request.POST.items()), list(data.items()))
 
     def test_standard_behaviour_determines_form_content_PUT(self):
         """
@@ -117,14 +127,14 @@ class TestContentParsing(TestCase):
             request = Request(factory.put('/', data))
 
         request.parsers = (FormParser(), MultiPartParser())
-        self.assertEqual(request.DATA.items(), data.items())
+        self.assertEqual(list(request.DATA.items()), list(data.items()))
 
     def test_standard_behaviour_determines_non_form_content_PUT(self):
         """
         Ensure request.DATA returns content for PUT request with
         non-form content.
         """
-        content = 'qwerty'
+        content = six.b('qwerty')
         content_type = 'text/plain'
         request = Request(factory.put('/', content, content_type=content_type))
         request.parsers = (PlainTextParser(), )
diff --git a/rest_framework/tests/response.py b/rest_framework/tests/response.py
index 875f4d422..aecf83f4e 100644
--- a/rest_framework/tests/response.py
+++ b/rest_framework/tests/response.py
@@ -1,3 +1,4 @@
+from __future__ import unicode_literals
 from django.test import TestCase
 from rest_framework.compat import patterns, url, include
 from rest_framework.response import Response
@@ -9,6 +10,7 @@ from rest_framework.renderers import (
     BrowsableAPIRenderer
 )
 from rest_framework.settings import api_settings
+from rest_framework.compat import six
 
 
 class MockPickleRenderer(BaseRenderer):
@@ -22,8 +24,8 @@ class MockJsonRenderer(BaseRenderer):
 DUMMYSTATUS = status.HTTP_200_OK
 DUMMYCONTENT = 'dummycontent'
 
-RENDERER_A_SERIALIZER = lambda x: 'Renderer A: %s' % x
-RENDERER_B_SERIALIZER = lambda x: 'Renderer B: %s' % x
+RENDERER_A_SERIALIZER = lambda x: ('Renderer A: %s' % x).encode('ascii')
+RENDERER_B_SERIALIZER = lambda x: ('Renderer B: %s' % x).encode('ascii')
 
 
 class RendererA(BaseRenderer):
@@ -83,39 +85,39 @@ class RendererIntegrationTests(TestCase):
     def test_default_renderer_serializes_content(self):
         """If the Accept header is not set the default renderer should serialize the response."""
         resp = self.client.get('/')
-        self.assertEquals(resp['Content-Type'], RendererA.media_type)
-        self.assertEquals(resp.content, RENDERER_A_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererA.media_type)
+        self.assertEqual(resp.content, RENDERER_A_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_head_method_serializes_no_content(self):
         """No response must be included in HEAD requests."""
         resp = self.client.head('/')
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
-        self.assertEquals(resp['Content-Type'], RendererA.media_type)
-        self.assertEquals(resp.content, '')
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererA.media_type)
+        self.assertEqual(resp.content, six.b(''))
 
     def test_default_renderer_serializes_content_on_accept_any(self):
         """If the Accept header is set to */* the default renderer should serialize the response."""
         resp = self.client.get('/', HTTP_ACCEPT='*/*')
-        self.assertEquals(resp['Content-Type'], RendererA.media_type)
-        self.assertEquals(resp.content, RENDERER_A_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererA.media_type)
+        self.assertEqual(resp.content, RENDERER_A_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_specified_renderer_serializes_content_default_case(self):
         """If the Accept header is set the specified renderer should serialize the response.
         (In this case we check that works for the default renderer)"""
         resp = self.client.get('/', HTTP_ACCEPT=RendererA.media_type)
-        self.assertEquals(resp['Content-Type'], RendererA.media_type)
-        self.assertEquals(resp.content, RENDERER_A_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererA.media_type)
+        self.assertEqual(resp.content, RENDERER_A_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_specified_renderer_serializes_content_non_default_case(self):
         """If the Accept header is set the specified renderer should serialize the response.
         (In this case we check that works for a non-default renderer)"""
         resp = self.client.get('/', HTTP_ACCEPT=RendererB.media_type)
-        self.assertEquals(resp['Content-Type'], RendererB.media_type)
-        self.assertEquals(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererB.media_type)
+        self.assertEqual(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_specified_renderer_serializes_content_on_accept_query(self):
         """The '_accept' query string should behave in the same way as the Accept header."""
@@ -124,34 +126,34 @@ class RendererIntegrationTests(TestCase):
             RendererB.media_type
         )
         resp = self.client.get('/' + param)
-        self.assertEquals(resp['Content-Type'], RendererB.media_type)
-        self.assertEquals(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererB.media_type)
+        self.assertEqual(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_specified_renderer_serializes_content_on_format_query(self):
         """If a 'format' query is specified, the renderer with the matching
         format attribute should serialize the response."""
         resp = self.client.get('/?format=%s' % RendererB.format)
-        self.assertEquals(resp['Content-Type'], RendererB.media_type)
-        self.assertEquals(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererB.media_type)
+        self.assertEqual(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_specified_renderer_serializes_content_on_format_kwargs(self):
         """If a 'format' keyword arg is specified, the renderer with the matching
         format attribute should serialize the response."""
         resp = self.client.get('/something.formatb')
-        self.assertEquals(resp['Content-Type'], RendererB.media_type)
-        self.assertEquals(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererB.media_type)
+        self.assertEqual(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
     def test_specified_renderer_is_used_on_format_query_with_matching_accept(self):
         """If both a 'format' query and a matching Accept header specified,
         the renderer with the matching format attribute should serialize the response."""
         resp = self.client.get('/?format=%s' % RendererB.format,
                                HTTP_ACCEPT=RendererB.media_type)
-        self.assertEquals(resp['Content-Type'], RendererB.media_type)
-        self.assertEquals(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
-        self.assertEquals(resp.status_code, DUMMYSTATUS)
+        self.assertEqual(resp['Content-Type'], RendererB.media_type)
+        self.assertEqual(resp.content, RENDERER_B_SERIALIZER(DUMMYCONTENT))
+        self.assertEqual(resp.status_code, DUMMYSTATUS)
 
 
 class Issue122Tests(TestCase):
diff --git a/rest_framework/tests/reverse.py b/rest_framework/tests/reverse.py
index 8c86e1fbe..cb8d81325 100644
--- a/rest_framework/tests/reverse.py
+++ b/rest_framework/tests/reverse.py
@@ -1,3 +1,4 @@
+from __future__ import unicode_literals
 from django.test import TestCase
 from django.test.client import RequestFactory
 from rest_framework.compat import patterns, url
@@ -16,7 +17,7 @@ urlpatterns = patterns('',
 
 class ReverseTests(TestCase):
     """
-    Tests for fully qualifed URLs when using `reverse`.
+    Tests for fully qualified URLs when using `reverse`.
     """
     urls = 'rest_framework.tests.reverse'
 
diff --git a/rest_framework/tests/serializer.py b/rest_framework/tests/serializer.py
index bd96ba23e..beb372c2b 100644
--- a/rest_framework/tests/serializer.py
+++ b/rest_framework/tests/serializer.py
@@ -1,10 +1,12 @@
-import datetime
-import pickle
+from __future__ import unicode_literals
+from django.utils.datastructures import MultiValueDict
 from django.test import TestCase
 from rest_framework import serializers
 from rest_framework.tests.models import (HasPositiveIntegerAsChoice, Album, ActionItem, Anchor, BasicModel,
     BlankFieldModel, BlogPost, Book, CallableDefaultValueModel, DefaultValueModel,
     ManyToManyModel, Person, ReadOnlyManyToManyModel, Photo)
+import datetime
+import pickle
 
 
 class SubComment(object):
@@ -54,6 +56,19 @@ class ActionItemSerializer(serializers.ModelSerializer):
         model = ActionItem
 
 
+class ActionItemSerializerCustomRestore(serializers.ModelSerializer):
+
+    class Meta:
+        model = ActionItem
+
+    def restore_object(self, data, instance=None):
+        if instance is None:
+            return ActionItem(**data)
+        for key, val in data.items():
+            setattr(instance, key, val)
+        return instance
+
+
 class PersonSerializer(serializers.ModelSerializer):
     info = serializers.Field(source='info')
 
@@ -76,6 +91,11 @@ class PositiveIntegerAsChoiceSerializer(serializers.ModelSerializer):
         fields = ['some_integer']
 
 
+class BrokenModelSerializer(serializers.ModelSerializer):
+    class Meta:
+        fields = ['some_field']
+
+
 class BasicTests(TestCase):
     def setUp(self):
         self.comment = Comment(
@@ -92,7 +112,7 @@ class BasicTests(TestCase):
         self.expected = {
             'email': 'tom@example.com',
             'content': 'Happy new year!',
-            'created': datetime.datetime(2012, 1, 1),
+            'created': '2012-01-01T00:00:00',
             'sub_comment': 'And Merry Christmas!'
         }
         self.person_data = {'name': 'dwight', 'age': 35}
@@ -107,39 +127,39 @@ class BasicTests(TestCase):
             'created': None,
             'sub_comment': ''
         }
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_retrieve(self):
         serializer = CommentSerializer(self.comment)
-        self.assertEquals(serializer.data, self.expected)
+        self.assertEqual(serializer.data, self.expected)
 
     def test_create(self):
         serializer = CommentSerializer(data=self.data)
         expected = self.comment
-        self.assertEquals(serializer.is_valid(), True)
-        self.assertEquals(serializer.object, expected)
+        self.assertEqual(serializer.is_valid(), True)
+        self.assertEqual(serializer.object, expected)
         self.assertFalse(serializer.object is expected)
-        self.assertEquals(serializer.data['sub_comment'], 'And Merry Christmas!')
+        self.assertEqual(serializer.data['sub_comment'], 'And Merry Christmas!')
 
     def test_update(self):
         serializer = CommentSerializer(self.comment, data=self.data)
         expected = self.comment
-        self.assertEquals(serializer.is_valid(), True)
-        self.assertEquals(serializer.object, expected)
+        self.assertEqual(serializer.is_valid(), True)
+        self.assertEqual(serializer.object, expected)
         self.assertTrue(serializer.object is expected)
-        self.assertEquals(serializer.data['sub_comment'], 'And Merry Christmas!')
+        self.assertEqual(serializer.data['sub_comment'], 'And Merry Christmas!')
 
     def test_partial_update(self):
         msg = 'Merry New Year!'
         partial_data = {'content': msg}
         serializer = CommentSerializer(self.comment, data=partial_data)
-        self.assertEquals(serializer.is_valid(), False)
+        self.assertEqual(serializer.is_valid(), False)
         serializer = CommentSerializer(self.comment, data=partial_data, partial=True)
         expected = self.comment
         self.assertEqual(serializer.is_valid(), True)
-        self.assertEquals(serializer.object, expected)
+        self.assertEqual(serializer.object, expected)
         self.assertTrue(serializer.object is expected)
-        self.assertEquals(serializer.data['content'], msg)
+        self.assertEqual(serializer.data['content'], msg)
 
     def test_model_fields_as_expected(self):
         """
@@ -147,7 +167,7 @@ class BasicTests(TestCase):
         in the Meta data
         """
         serializer = PersonSerializer(self.person)
-        self.assertEquals(set(serializer.data.keys()),
+        self.assertEqual(set(serializer.data.keys()),
                           set(['name', 'age', 'info']))
 
     def test_field_with_dictionary(self):
@@ -156,19 +176,45 @@ class BasicTests(TestCase):
         """
         serializer = PersonSerializer(self.person)
         expected = self.person_data
-        self.assertEquals(serializer.data['info'], expected)
+        self.assertEqual(serializer.data['info'], expected)
 
     def test_read_only_fields(self):
         """
         Attempting to update fields set as read_only should have no effect.
         """
-
         serializer = PersonSerializer(self.person, data={'name': 'dwight', 'age': 99})
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
-        self.assertEquals(serializer.errors, {})
+        self.assertEqual(serializer.errors, {})
         # Assert age is unchanged (35)
-        self.assertEquals(instance.age, self.person_data['age'])
+        self.assertEqual(instance.age, self.person_data['age'])
+
+
+class DictStyleSerializer(serializers.Serializer):
+    """
+    Note that we don't have any `restore_object` method, so the default
+    case of simply returning a dict will apply.
+    """
+    email = serializers.EmailField()
+
+
+class DictStyleSerializerTests(TestCase):
+    def test_dict_style_deserialize(self):
+        """
+        Ensure serializers can deserialize into a dict.
+        """
+        data = {'email': 'foo@example.com'}
+        serializer = DictStyleSerializer(data=data)
+        self.assertTrue(serializer.is_valid())
+        self.assertEqual(serializer.data, data)
+
+    def test_dict_style_serialize(self):
+        """
+        Ensure serializers can serialize dict objects.
+        """
+        data = {'email': 'foo@example.com'}
+        serializer = DictStyleSerializer(data)
+        self.assertEqual(serializer.data, data)
 
 
 class ValidationTests(TestCase):
@@ -183,18 +229,17 @@ class ValidationTests(TestCase):
             'content': 'x' * 1001,
             'created': datetime.datetime(2012, 1, 1)
         }
-        self.actionitem = ActionItem(title='Some to do item',
-        )
+        self.actionitem = ActionItem(title='Some to do item',)
 
     def test_create(self):
         serializer = CommentSerializer(data=self.data)
-        self.assertEquals(serializer.is_valid(), False)
-        self.assertEquals(serializer.errors, {'content': [u'Ensure this value has at most 1000 characters (it has 1001).']})
+        self.assertEqual(serializer.is_valid(), False)
+        self.assertEqual(serializer.errors, {'content': ['Ensure this value has at most 1000 characters (it has 1001).']})
 
     def test_update(self):
         serializer = CommentSerializer(self.comment, data=self.data)
-        self.assertEquals(serializer.is_valid(), False)
-        self.assertEquals(serializer.errors, {'content': [u'Ensure this value has at most 1000 characters (it has 1001).']})
+        self.assertEqual(serializer.is_valid(), False)
+        self.assertEqual(serializer.errors, {'content': ['Ensure this value has at most 1000 characters (it has 1001).']})
 
     def test_update_missing_field(self):
         data = {
@@ -202,8 +247,8 @@ class ValidationTests(TestCase):
             'created': datetime.datetime(2012, 1, 1)
         }
         serializer = CommentSerializer(self.comment, data=data)
-        self.assertEquals(serializer.is_valid(), False)
-        self.assertEquals(serializer.errors, {'email': [u'This field is required.']})
+        self.assertEqual(serializer.is_valid(), False)
+        self.assertEqual(serializer.errors, {'email': ['This field is required.']})
 
     def test_missing_bool_with_default(self):
         """Make sure that a boolean value with a 'False' value is not
@@ -213,52 +258,36 @@ class ValidationTests(TestCase):
             #No 'done' value.
         }
         serializer = ActionItemSerializer(self.actionitem, data=data)
-        self.assertEquals(serializer.is_valid(), True)
-        self.assertEquals(serializer.errors, {})
-
-    def test_field_validation(self):
-
-        class CommentSerializerWithFieldValidator(CommentSerializer):
-
-            def validate_content(self, attrs, source):
-                value = attrs[source]
-                if "test" not in value:
-                    raise serializers.ValidationError("Test not in value")
-                return attrs
-
-        data = {
-            'email': 'tom@example.com',
-            'content': 'A test comment',
-            'created': datetime.datetime(2012, 1, 1)
-        }
-
-        serializer = CommentSerializerWithFieldValidator(data=data)
-        self.assertTrue(serializer.is_valid())
-
-        data['content'] = 'This should not validate'
-
-        serializer = CommentSerializerWithFieldValidator(data=data)
-        self.assertFalse(serializer.is_valid())
-        self.assertEquals(serializer.errors, {'content': [u'Test not in value']})
+        self.assertEqual(serializer.is_valid(), True)
+        self.assertEqual(serializer.errors, {})
 
     def test_bad_type_data_is_false(self):
         """
         Data of the wrong type is not valid.
         """
         data = ['i am', 'a', 'list']
-        serializer = CommentSerializer(self.comment, data=data)
-        self.assertEquals(serializer.is_valid(), False)
-        self.assertEquals(serializer.errors, {'non_field_errors': [u'Invalid data']})
+        serializer = CommentSerializer(self.comment, data=data, many=True)
+        self.assertEqual(serializer.is_valid(), False)
+        self.assertTrue(isinstance(serializer.errors, list))
+
+        self.assertEqual(
+            serializer.errors,
+            [
+                {'non_field_errors': ['Invalid data']},
+                {'non_field_errors': ['Invalid data']},
+                {'non_field_errors': ['Invalid data']}
+            ]
+        )
 
         data = 'and i am a string'
         serializer = CommentSerializer(self.comment, data=data)
-        self.assertEquals(serializer.is_valid(), False)
-        self.assertEquals(serializer.errors, {'non_field_errors': [u'Invalid data']})
+        self.assertEqual(serializer.is_valid(), False)
+        self.assertEqual(serializer.errors, {'non_field_errors': ['Invalid data']})
 
         data = 42
         serializer = CommentSerializer(self.comment, data=data)
-        self.assertEquals(serializer.is_valid(), False)
-        self.assertEquals(serializer.errors, {'non_field_errors': [u'Invalid data']})
+        self.assertEqual(serializer.is_valid(), False)
+        self.assertEqual(serializer.errors, {'non_field_errors': ['Invalid data']})
 
     def test_cross_field_validation(self):
 
@@ -282,23 +311,37 @@ class ValidationTests(TestCase):
 
         serializer = CommentSerializerWithCrossFieldValidator(data=data)
         self.assertFalse(serializer.is_valid())
-        self.assertEquals(serializer.errors, {'non_field_errors': [u'Email address not in content']})
+        self.assertEqual(serializer.errors, {'non_field_errors': ['Email address not in content']})
 
     def test_null_is_true_fields(self):
         """
         Omitting a value for null-field should validate.
         """
         serializer = PersonSerializer(data={'name': 'marko'})
-        self.assertEquals(serializer.is_valid(), True)
-        self.assertEquals(serializer.errors, {})
+        self.assertEqual(serializer.is_valid(), True)
+        self.assertEqual(serializer.errors, {})
 
     def test_modelserializer_max_length_exceeded(self):
         data = {
             'title': 'x' * 201,
         }
         serializer = ActionItemSerializer(data=data)
-        self.assertEquals(serializer.is_valid(), False)
-        self.assertEquals(serializer.errors, {'title': [u'Ensure this value has at most 200 characters (it has 201).']})
+        self.assertEqual(serializer.is_valid(), False)
+        self.assertEqual(serializer.errors, {'title': ['Ensure this value has at most 200 characters (it has 201).']})
+
+    def test_modelserializer_max_length_exceeded_with_custom_restore(self):
+        """
+        When overriding ModelSerializer.restore_object, validation tests should still apply.
+        Regression test for #623.
+
+        https://github.com/tomchristie/django-rest-framework/pull/623
+        """
+        data = {
+            'title': 'x' * 201,
+        }
+        serializer = ActionItemSerializerCustomRestore(data=data)
+        self.assertEqual(serializer.is_valid(), False)
+        self.assertEqual(serializer.errors, {'title': ['Ensure this value has at most 200 characters (it has 201).']})
 
     def test_default_modelfield_max_length_exceeded(self):
         data = {
@@ -306,15 +349,99 @@ class ValidationTests(TestCase):
             'info': 'x' * 13,
         }
         serializer = ActionItemSerializer(data=data)
-        self.assertEquals(serializer.is_valid(), False)
-        self.assertEquals(serializer.errors, {'info': [u'Ensure this value has at most 12 characters (it has 13).']})
+        self.assertEqual(serializer.is_valid(), False)
+        self.assertEqual(serializer.errors, {'info': ['Ensure this value has at most 12 characters (it has 13).']})
+
+    def test_datetime_validation_failure(self):
+        """
+        Test DateTimeField validation errors on non-str values.
+        Regression test for #669.
+
+        https://github.com/tomchristie/django-rest-framework/issues/669
+        """
+        data = self.data
+        data['created'] = 0
+
+        serializer = CommentSerializer(data=data)
+        self.assertEqual(serializer.is_valid(), False)
+
+        self.assertIn('created', serializer.errors)
+
+    def test_missing_model_field_exception_msg(self):
+        """
+        Assert that a meaningful exception message is outputted when the model
+        field is missing (e.g. when mistyping ``model``).
+        """
+        try:
+            serializer = BrokenModelSerializer()
+        except AssertionError as e:
+            self.assertEqual(e.args[0], "Serializer class 'BrokenModelSerializer' is missing 'model' Meta option")
+        except:
+            self.fail('Wrong exception type thrown.')
+
+
+class CustomValidationTests(TestCase):
+    class CommentSerializerWithFieldValidator(CommentSerializer):
+
+        def validate_email(self, attrs, source):
+            value = attrs[source]
+
+            return attrs
+
+        def validate_content(self, attrs, source):
+            value = attrs[source]
+            if "test" not in value:
+                raise serializers.ValidationError("Test not in value")
+            return attrs
+
+    def test_field_validation(self):
+        data = {
+            'email': 'tom@example.com',
+            'content': 'A test comment',
+            'created': datetime.datetime(2012, 1, 1)
+        }
+
+        serializer = self.CommentSerializerWithFieldValidator(data=data)
+        self.assertTrue(serializer.is_valid())
+
+        data['content'] = 'This should not validate'
+
+        serializer = self.CommentSerializerWithFieldValidator(data=data)
+        self.assertFalse(serializer.is_valid())
+        self.assertEqual(serializer.errors, {'content': ['Test not in value']})
+
+    def test_missing_data(self):
+        """
+        Make sure that validate_content isn't called if the field is missing
+        """
+        incomplete_data = {
+            'email': 'tom@example.com',
+            'created': datetime.datetime(2012, 1, 1)
+        }
+        serializer = self.CommentSerializerWithFieldValidator(data=incomplete_data)
+        self.assertFalse(serializer.is_valid())
+        self.assertEqual(serializer.errors, {'content': ['This field is required.']})
+
+    def test_wrong_data(self):
+        """
+        Make sure that validate_content isn't called if the field input is wrong
+        """
+        wrong_data = {
+            'email': 'not an email',
+            'content': 'A test comment',
+            'created': datetime.datetime(2012, 1, 1)
+        }
+        serializer = self.CommentSerializerWithFieldValidator(data=wrong_data)
+        self.assertFalse(serializer.is_valid())
+        self.assertEqual(serializer.errors, {'email': ['Enter a valid e-mail address.']})
 
 
 class PositiveIntegerAsChoiceTests(TestCase):
     def test_positive_integer_in_json_is_correctly_parsed(self):
-        data = {'some_integer':1}
+        data = {'some_integer': 1}
         serializer = PositiveIntegerAsChoiceSerializer(data=data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
+
 
 class ModelValidationTests(TestCase):
     def test_validate_unique(self):
@@ -326,7 +453,7 @@ class ModelValidationTests(TestCase):
         serializer.save()
         second_serializer = AlbumsSerializer(data={'title': 'a'})
         self.assertFalse(second_serializer.is_valid())
-        self.assertEqual(second_serializer.errors,  {'title': [u'Album with this Title already exists.']})
+        self.assertEqual(second_serializer.errors,  {'title': ['Album with this Title already exists.']})
 
     def test_foreign_key_with_partial(self):
         """
@@ -364,15 +491,15 @@ class RegexValidationTest(TestCase):
     def test_create_failed(self):
         serializer = BookSerializer(data={'isbn': '1234567890'})
         self.assertFalse(serializer.is_valid())
-        self.assertEquals(serializer.errors, {'isbn': [u'isbn has to be exact 13 numbers']})
+        self.assertEqual(serializer.errors, {'isbn': ['isbn has to be exact 13 numbers']})
 
         serializer = BookSerializer(data={'isbn': '12345678901234'})
         self.assertFalse(serializer.is_valid())
-        self.assertEquals(serializer.errors, {'isbn': [u'isbn has to be exact 13 numbers']})
+        self.assertEqual(serializer.errors, {'isbn': ['isbn has to be exact 13 numbers']})
 
         serializer = BookSerializer(data={'isbn': 'abcdefghijklm'})
         self.assertFalse(serializer.is_valid())
-        self.assertEquals(serializer.errors, {'isbn': [u'isbn has to be exact 13 numbers']})
+        self.assertEqual(serializer.errors, {'isbn': ['isbn has to be exact 13 numbers']})
 
     def test_create_success(self):
         serializer = BookSerializer(data={'isbn': '1234567890123'})
@@ -417,7 +544,7 @@ class ManyToManyTests(TestCase):
         """
         serializer = self.serializer_class(instance=self.instance)
         expected = self.data
-        self.assertEquals(serializer.data, expected)
+        self.assertEqual(serializer.data, expected)
 
     def test_create(self):
         """
@@ -425,11 +552,11 @@ class ManyToManyTests(TestCase):
         """
         data = {'rel': [self.anchor.id]}
         serializer = self.serializer_class(data=data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
-        self.assertEquals(len(ManyToManyModel.objects.all()), 2)
-        self.assertEquals(instance.pk, 2)
-        self.assertEquals(list(instance.rel.all()), [self.anchor])
+        self.assertEqual(len(ManyToManyModel.objects.all()), 2)
+        self.assertEqual(instance.pk, 2)
+        self.assertEqual(list(instance.rel.all()), [self.anchor])
 
     def test_update(self):
         """
@@ -439,11 +566,11 @@ class ManyToManyTests(TestCase):
         new_anchor.save()
         data = {'rel': [self.anchor.id, new_anchor.id]}
         serializer = self.serializer_class(self.instance, data=data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
-        self.assertEquals(len(ManyToManyModel.objects.all()), 1)
-        self.assertEquals(instance.pk, 1)
-        self.assertEquals(list(instance.rel.all()), [self.anchor, new_anchor])
+        self.assertEqual(len(ManyToManyModel.objects.all()), 1)
+        self.assertEqual(instance.pk, 1)
+        self.assertEqual(list(instance.rel.all()), [self.anchor, new_anchor])
 
     def test_create_empty_relationship(self):
         """
@@ -452,11 +579,11 @@ class ManyToManyTests(TestCase):
         """
         data = {'rel': []}
         serializer = self.serializer_class(data=data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
-        self.assertEquals(len(ManyToManyModel.objects.all()), 2)
-        self.assertEquals(instance.pk, 2)
-        self.assertEquals(list(instance.rel.all()), [])
+        self.assertEqual(len(ManyToManyModel.objects.all()), 2)
+        self.assertEqual(instance.pk, 2)
+        self.assertEqual(list(instance.rel.all()), [])
 
     def test_update_empty_relationship(self):
         """
@@ -467,11 +594,11 @@ class ManyToManyTests(TestCase):
         new_anchor.save()
         data = {'rel': []}
         serializer = self.serializer_class(self.instance, data=data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
-        self.assertEquals(len(ManyToManyModel.objects.all()), 1)
-        self.assertEquals(instance.pk, 1)
-        self.assertEquals(list(instance.rel.all()), [])
+        self.assertEqual(len(ManyToManyModel.objects.all()), 1)
+        self.assertEqual(instance.pk, 1)
+        self.assertEqual(list(instance.rel.all()), [])
 
     def test_create_empty_relationship_flat_data(self):
         """
@@ -479,19 +606,20 @@ class ManyToManyTests(TestCase):
         containing no items, using a representation that does not support
         lists (eg form data).
         """
-        data = {'rel': ''}
+        data = MultiValueDict()
+        data.setlist('rel', [''])
         serializer = self.serializer_class(data=data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
-        self.assertEquals(len(ManyToManyModel.objects.all()), 2)
-        self.assertEquals(instance.pk, 2)
-        self.assertEquals(list(instance.rel.all()), [])
+        self.assertEqual(len(ManyToManyModel.objects.all()), 2)
+        self.assertEqual(instance.pk, 2)
+        self.assertEqual(list(instance.rel.all()), [])
 
 
 class ReadOnlyManyToManyTests(TestCase):
     def setUp(self):
         class ReadOnlyManyToManySerializer(serializers.ModelSerializer):
-            rel = serializers.ManyRelatedField(read_only=True)
+            rel = serializers.RelatedField(many=True, read_only=True)
 
             class Meta:
                 model = ReadOnlyManyToManyModel
@@ -519,12 +647,12 @@ class ReadOnlyManyToManyTests(TestCase):
         new_anchor.save()
         data = {'rel': [self.anchor.id, new_anchor.id]}
         serializer = self.serializer_class(self.instance, data=data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
-        self.assertEquals(len(ReadOnlyManyToManyModel.objects.all()), 1)
-        self.assertEquals(instance.pk, 1)
+        self.assertEqual(len(ReadOnlyManyToManyModel.objects.all()), 1)
+        self.assertEqual(instance.pk, 1)
         # rel is still as original (1 entry)
-        self.assertEquals(list(instance.rel.all()), [self.anchor])
+        self.assertEqual(list(instance.rel.all()), [self.anchor])
 
     def test_update_without_relationship(self):
         """
@@ -535,12 +663,12 @@ class ReadOnlyManyToManyTests(TestCase):
         new_anchor.save()
         data = {}
         serializer = self.serializer_class(self.instance, data=data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
-        self.assertEquals(len(ReadOnlyManyToManyModel.objects.all()), 1)
-        self.assertEquals(instance.pk, 1)
+        self.assertEqual(len(ReadOnlyManyToManyModel.objects.all()), 1)
+        self.assertEqual(instance.pk, 1)
         # rel is still as original (1 entry)
-        self.assertEquals(list(instance.rel.all()), [self.anchor])
+        self.assertEqual(list(instance.rel.all()), [self.anchor])
 
 
 class DefaultValueTests(TestCase):
@@ -555,35 +683,35 @@ class DefaultValueTests(TestCase):
     def test_create_using_default(self):
         data = {}
         serializer = self.serializer_class(data=data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
-        self.assertEquals(len(self.objects.all()), 1)
-        self.assertEquals(instance.pk, 1)
-        self.assertEquals(instance.text, 'foobar')
+        self.assertEqual(len(self.objects.all()), 1)
+        self.assertEqual(instance.pk, 1)
+        self.assertEqual(instance.text, 'foobar')
 
     def test_create_overriding_default(self):
         data = {'text': 'overridden'}
         serializer = self.serializer_class(data=data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
-        self.assertEquals(len(self.objects.all()), 1)
-        self.assertEquals(instance.pk, 1)
-        self.assertEquals(instance.text, 'overridden')
+        self.assertEqual(len(self.objects.all()), 1)
+        self.assertEqual(instance.pk, 1)
+        self.assertEqual(instance.text, 'overridden')
 
     def test_partial_update_default(self):
         """ Regression test for issue #532 """
         data = {'text': 'overridden'}
         serializer = self.serializer_class(data=data, partial=True)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
 
         data = {'extra': 'extra_value'}
         serializer = self.serializer_class(instance=instance, data=data, partial=True)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
 
-        self.assertEquals(instance.extra, 'extra_value')
-        self.assertEquals(instance.text, 'overridden')
+        self.assertEqual(instance.extra, 'extra_value')
+        self.assertEqual(instance.text, 'overridden')
 
 
 class CallableDefaultValueTests(TestCase):
@@ -598,20 +726,20 @@ class CallableDefaultValueTests(TestCase):
     def test_create_using_default(self):
         data = {}
         serializer = self.serializer_class(data=data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
-        self.assertEquals(len(self.objects.all()), 1)
-        self.assertEquals(instance.pk, 1)
-        self.assertEquals(instance.text, 'foobar')
+        self.assertEqual(len(self.objects.all()), 1)
+        self.assertEqual(instance.pk, 1)
+        self.assertEqual(instance.text, 'foobar')
 
     def test_create_overriding_default(self):
         data = {'text': 'overridden'}
         serializer = self.serializer_class(data=data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
         instance = serializer.save()
-        self.assertEquals(len(self.objects.all()), 1)
-        self.assertEquals(instance.pk, 1)
-        self.assertEquals(instance.text, 'overridden')
+        self.assertEqual(len(self.objects.all()), 1)
+        self.assertEqual(instance.pk, 1)
+        self.assertEqual(instance.text, 'overridden')
 
 
 class ManyRelatedTests(TestCase):
@@ -660,6 +788,9 @@ class ManyRelatedTests(TestCase):
 
 class RelatedTraversalTest(TestCase):
     def test_nested_traversal(self):
+        """
+        Source argument should support dotted.source notation.
+        """
         user = Person.objects.create(name="django")
         post = BlogPost.objects.create(title="Test blog post", writer=user)
         post.blogpostcomment_set.create(text="I love this blog post")
@@ -686,11 +817,11 @@ class RelatedTraversalTest(TestCase):
         serializer = BlogPostSerializer(instance=post)
 
         expected = {
-            'title': u'Test blog post',
+            'title': 'Test blog post',
             'comments': [{
-                'text': u'I love this blog post',
+                'text': 'I love this blog post',
                 'post_owner': {
-                    "name": u"django",
+                    "name": "django",
                     "age": None
                 }
             }]
@@ -698,6 +829,41 @@ class RelatedTraversalTest(TestCase):
 
         self.assertEqual(serializer.data, expected)
 
+    def test_nested_traversal_with_none(self):
+        """
+        If a component of the dotted.source is None, return None for the field.
+        """
+        from rest_framework.tests.models import NullableForeignKeySource
+        instance = NullableForeignKeySource.objects.create(name='Source with null FK')
+
+        class NullableSourceSerializer(serializers.Serializer):
+            target_name = serializers.Field(source='target.name')
+
+        serializer = NullableSourceSerializer(instance=instance)
+
+        expected = {
+            'target_name': None,
+        }
+
+        self.assertEqual(serializer.data, expected)
+
+    def test_queryset_nested_traversal(self):
+        """
+        Relational fields should be able to use methods as their source.
+        """
+        BlogPost.objects.create(title='blah')
+
+        class QuerysetMethodSerializer(serializers.Serializer):
+            blogposts = serializers.RelatedField(many=True, source='get_all_blogposts')
+
+        class ClassWithQuerysetMethod(object):
+            def get_all_blogposts(self):
+                return BlogPost.objects
+
+        obj = ClassWithQuerysetMethod()
+        serializer = QuerysetMethodSerializer(obj)
+        self.assertEqual(serializer.data, {'blogposts': ['BlogPost object']})
+
 
 class SerializerMethodFieldTests(TestCase):
     def setUp(self):
@@ -725,8 +891,8 @@ class SerializerMethodFieldTests(TestCase):
         serializer = self.serializer_class(source_data)
 
         expected = {
-            'beep': u'hello!',
-            'boop': [u'a', u'b', u'c'],
+            'beep': 'hello!',
+            'boop': ['a', 'b', 'c'],
             'boop_count': 3,
         }
 
@@ -742,7 +908,7 @@ class BlankFieldTests(TestCase):
                 model = BlankFieldModel
 
         class BlankFieldSerializer(serializers.Serializer):
-            title = serializers.CharField(blank=True)
+            title = serializers.CharField(required=False)
 
         class NotBlankFieldModelSerializer(serializers.ModelSerializer):
             class Meta:
@@ -759,15 +925,15 @@ class BlankFieldTests(TestCase):
 
     def test_create_blank_field(self):
         serializer = self.serializer_class(data=self.data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
 
     def test_create_model_blank_field(self):
         serializer = self.model_serializer_class(data=self.data)
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
 
     def test_create_model_null_field(self):
         serializer = self.model_serializer_class(data={'title': None})
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
 
     def test_create_not_blank_field(self):
         """
@@ -775,7 +941,7 @@ class BlankFieldTests(TestCase):
         is considered invalid in a non-model serializer
         """
         serializer = self.not_blank_serializer_class(data=self.data)
-        self.assertEquals(serializer.is_valid(), False)
+        self.assertEqual(serializer.is_valid(), False)
 
     def test_create_model_not_blank_field(self):
         """
@@ -783,11 +949,11 @@ class BlankFieldTests(TestCase):
         is considered invalid in a model serializer
         """
         serializer = self.not_blank_model_serializer_class(data=self.data)
-        self.assertEquals(serializer.is_valid(), False)
+        self.assertEqual(serializer.is_valid(), False)
 
-    def test_create_model_null_field(self):
+    def test_create_model_empty_field(self):
         serializer = self.model_serializer_class(data={})
-        self.assertEquals(serializer.is_valid(), True)
+        self.assertEqual(serializer.is_valid(), True)
 
 
 #test for issue #460
@@ -811,7 +977,21 @@ class SerializerPickleTests(TestCase):
             class Meta:
                 model = Person
                 fields = ('name', 'age')
-        pickle.dumps(InnerPersonSerializer(Person(name="Noah", age=950)).data)
+        pickle.dumps(InnerPersonSerializer(Person(name="Noah", age=950)).data, 0)
+
+    def test_getstate_method_should_not_return_none(self):
+        """
+        Regression test for #645.
+        """
+        data = serializers.DictWithMetadata({1: 1})
+        self.assertEqual(data.__getstate__(), serializers.SortedDict({1: 1}))
+
+    def test_serializer_data_is_pickleable(self):
+        """
+        Another regression test for #645.
+        """
+        data = serializers.SortedDictWithMetadata({1: 1})
+        repr(pickle.loads(pickle.dumps(data, 0)))
 
 
 class DepthTest(TestCase):
@@ -825,8 +1005,8 @@ class DepthTest(TestCase):
                 depth = 1
 
         serializer = BlogPostSerializer(instance=post)
-        expected = {'id': 1, 'title': u'Test blog post',
-                    'writer': {'id': 1, 'name': u'django', 'age': 1}}
+        expected = {'id': 1, 'title': 'Test blog post',
+                    'writer': {'id': 1, 'name': 'django', 'age': 1}}
 
         self.assertEqual(serializer.data, expected)
 
@@ -845,8 +1025,8 @@ class DepthTest(TestCase):
                 model = BlogPost
 
         serializer = BlogPostSerializer(instance=post)
-        expected = {'id': 1, 'title': u'Test blog post',
-                    'writer': {'id': 1, 'name': u'django', 'age': 1}}
+        expected = {'id': 1, 'title': 'Test blog post',
+                    'writer': {'id': 1, 'name': 'django', 'age': 1}}
 
         self.assertEqual(serializer.data, expected)
 
@@ -901,3 +1081,32 @@ class NestedSerializerContextTests(TestCase):
 
         # This will raise RuntimeError if context doesn't get passed correctly to the nested Serializers
         AlbumCollectionSerializer(album_collection, context={'context_item': 'album context'}).data
+
+
+class DeserializeListTestCase(TestCase):
+
+    def setUp(self):
+        self.data = {
+            'email': 'nobody@nowhere.com',
+            'content': 'This is some test content',
+            'created': datetime.datetime(2013, 3, 7),
+        }
+
+    def test_no_errors(self):
+        data = [self.data.copy() for x in range(0, 3)]
+        serializer = CommentSerializer(data=data)
+        self.assertTrue(serializer.is_valid())
+        self.assertTrue(isinstance(serializer.object, list))
+        self.assertTrue(
+            all((isinstance(item, Comment) for item in serializer.object))
+        )
+
+    def test_errors_return_as_list(self):
+        invalid_item = self.data.copy()
+        invalid_item['email'] = ''
+        data = [self.data.copy(), invalid_item, self.data.copy()]
+
+        serializer = CommentSerializer(data=data)
+        self.assertFalse(serializer.is_valid())
+        expected = [{}, {'email': ['This field is required.']}, {}]
+        self.assertEqual(serializer.errors, expected)
diff --git a/rest_framework/tests/settings.py b/rest_framework/tests/settings.py
index 0293fdc3e..857375c21 100644
--- a/rest_framework/tests/settings.py
+++ b/rest_framework/tests/settings.py
@@ -1,4 +1,5 @@
 """Tests for the settings module"""
+from __future__ import unicode_literals
 from django.test import TestCase
 
 from rest_framework.settings import APISettings, DEFAULTS, IMPORT_STRINGS
diff --git a/rest_framework/tests/status.py b/rest_framework/tests/status.py
index 30df5cef3..e1644a6b4 100644
--- a/rest_framework/tests/status.py
+++ b/rest_framework/tests/status.py
@@ -1,4 +1,5 @@
 """Tests for the status module"""
+from __future__ import unicode_literals
 from django.test import TestCase
 from rest_framework import status
 
@@ -8,5 +9,5 @@ class TestStatus(TestCase):
 
     def test_status(self):
         """Ensure the status module is present and correct."""
-        self.assertEquals(200, status.HTTP_200_OK)
-        self.assertEquals(404, status.HTTP_404_NOT_FOUND)
+        self.assertEqual(200, status.HTTP_200_OK)
+        self.assertEqual(404, status.HTTP_404_NOT_FOUND)
diff --git a/rest_framework/tests/testcases.py b/rest_framework/tests/testcases.py
index 97f492ff4..f8c2579e6 100644
--- a/rest_framework/tests/testcases.py
+++ b/rest_framework/tests/testcases.py
@@ -1,4 +1,5 @@
 # http://djangosnippets.org/snippets/1011/
+from __future__ import unicode_literals
 from django.conf import settings
 from django.core.management import call_command
 from django.db.models import loading
diff --git a/rest_framework/tests/tests.py b/rest_framework/tests/tests.py
index adeaf6da3..08f88e113 100644
--- a/rest_framework/tests/tests.py
+++ b/rest_framework/tests/tests.py
@@ -2,6 +2,7 @@
 Force import of all modules in this package in order to get the standard test
 runner to pick up the tests.  Yowzers.
 """
+from __future__ import unicode_literals
 import os
 
 modules = [filename.rsplit('.', 1)[0]
diff --git a/rest_framework/tests/throttling.py b/rest_framework/tests/throttling.py
index 4b98b9414..11cbd8eba 100644
--- a/rest_framework/tests/throttling.py
+++ b/rest_framework/tests/throttling.py
@@ -1,11 +1,10 @@
 """
 Tests for the throttling implementations in the permissions module.
 """
-
+from __future__ import unicode_literals
 from django.test import TestCase
 from django.contrib.auth.models import User
 from django.core.cache import cache
-
 from django.test.client import RequestFactory
 from rest_framework.views import APIView
 from rest_framework.throttling import UserRateThrottle
@@ -104,7 +103,7 @@ class ThrottlingTests(TestCase):
             self.set_throttle_timer(view, timer)
             response = view.as_view()(request)
             if expect is not None:
-                self.assertEquals(response['X-Throttle-Wait-Seconds'], expect)
+                self.assertEqual(response['X-Throttle-Wait-Seconds'], expect)
             else:
                 self.assertFalse('X-Throttle-Wait-Seconds' in response)
 
diff --git a/rest_framework/tests/urlpatterns.py b/rest_framework/tests/urlpatterns.py
new file mode 100644
index 000000000..29ed4a961
--- /dev/null
+++ b/rest_framework/tests/urlpatterns.py
@@ -0,0 +1,76 @@
+from __future__ import unicode_literals
+from collections import namedtuple
+from django.core import urlresolvers
+from django.test import TestCase
+from django.test.client import RequestFactory
+from rest_framework.compat import patterns, url, include
+from rest_framework.urlpatterns import format_suffix_patterns
+
+
+# A container class for test paths for the test case
+URLTestPath = namedtuple('URLTestPath', ['path', 'args', 'kwargs'])
+
+
+def dummy_view(request, *args, **kwargs):
+    pass
+
+
+class FormatSuffixTests(TestCase):
+    """
+    Tests `format_suffix_patterns` against different URLPatterns to ensure the URLs still resolve properly, including any captured parameters.
+    """
+    def _resolve_urlpatterns(self, urlpatterns, test_paths):
+        factory = RequestFactory()
+        try:
+            urlpatterns = format_suffix_patterns(urlpatterns)
+        except Exception:
+            self.fail("Failed to apply `format_suffix_patterns` on  the supplied urlpatterns")
+        resolver = urlresolvers.RegexURLResolver(r'^/', urlpatterns)
+        for test_path in test_paths:
+            request = factory.get(test_path.path)
+            try:
+                callback, callback_args, callback_kwargs = resolver.resolve(request.path_info)
+            except Exception:
+                self.fail("Failed to resolve URL: %s" % request.path_info)
+            self.assertEqual(callback_args, test_path.args)
+            self.assertEqual(callback_kwargs, test_path.kwargs)
+
+    def test_format_suffix(self):
+        urlpatterns = patterns(
+            '',
+            url(r'^test$', dummy_view),
+        )
+        test_paths = [
+            URLTestPath('/test', (), {}),
+            URLTestPath('/test.api', (), {'format': 'api'}),
+            URLTestPath('/test.asdf', (), {'format': 'asdf'}),
+        ]
+        self._resolve_urlpatterns(urlpatterns, test_paths)
+
+    def test_default_args(self):
+        urlpatterns = patterns(
+            '',
+            url(r'^test$', dummy_view, {'foo': 'bar'}),
+        )
+        test_paths = [
+            URLTestPath('/test', (), {'foo': 'bar', }),
+            URLTestPath('/test.api', (), {'foo': 'bar', 'format': 'api'}),
+            URLTestPath('/test.asdf', (), {'foo': 'bar', 'format': 'asdf'}),
+        ]
+        self._resolve_urlpatterns(urlpatterns, test_paths)
+
+    def test_included_urls(self):
+        nested_patterns = patterns(
+            '',
+            url(r'^path$', dummy_view)
+        )
+        urlpatterns = patterns(
+            '',
+            url(r'^test/', include(nested_patterns), {'foo': 'bar'}),
+        )
+        test_paths = [
+            URLTestPath('/test/path', (), {'foo': 'bar', }),
+            URLTestPath('/test/path.api', (), {'foo': 'bar', 'format': 'api'}),
+            URLTestPath('/test/path.asdf', (), {'foo': 'bar', 'format': 'asdf'}),
+        ]
+        self._resolve_urlpatterns(urlpatterns, test_paths)
diff --git a/rest_framework/tests/utils.py b/rest_framework/tests/utils.py
index 3906adb9a..8c87917d9 100644
--- a/rest_framework/tests/utils.py
+++ b/rest_framework/tests/utils.py
@@ -1,9 +1,10 @@
-from django.test.client import RequestFactory, FakePayload
+from __future__ import unicode_literals
+from django.test.client import FakePayload, Client as _Client, RequestFactory as _RequestFactory
 from django.test.client import MULTIPART_CONTENT
-from urlparse import urlparse
+from rest_framework.compat import urlparse
 
 
-class RequestFactory(RequestFactory):
+class RequestFactory(_RequestFactory):
 
     def __init__(self, **defaults):
         super(RequestFactory, self).__init__(**defaults)
@@ -14,7 +15,7 @@ class RequestFactory(RequestFactory):
 
         patch_data = self._encode_data(data, content_type)
 
-        parsed = urlparse(path)
+        parsed = urlparse.urlparse(path)
         r = {
             'CONTENT_LENGTH': len(patch_data),
             'CONTENT_TYPE':   content_type,
@@ -25,3 +26,15 @@ class RequestFactory(RequestFactory):
         }
         r.update(extra)
         return self.request(**r)
+
+
+class Client(_Client, RequestFactory):
+    def patch(self, path, data={}, content_type=MULTIPART_CONTENT,
+              follow=False, **extra):
+        """
+        Send a resource to the server using PATCH.
+        """
+        response = super(Client, self).patch(path, data=data, content_type=content_type, **extra)
+        if follow:
+            response = self._handle_redirects(response, **extra)
+        return response
diff --git a/rest_framework/tests/validation.py b/rest_framework/tests/validation.py
new file mode 100644
index 000000000..cbdd6515e
--- /dev/null
+++ b/rest_framework/tests/validation.py
@@ -0,0 +1,65 @@
+from __future__ import unicode_literals
+from django.db import models
+from django.test import TestCase
+from rest_framework import generics, serializers, status
+from rest_framework.tests.utils import RequestFactory
+import json
+
+factory = RequestFactory()
+
+
+# Regression for #666
+
+class ValidationModel(models.Model):
+    blank_validated_field = models.CharField(max_length=255)
+
+
+class ValidationModelSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = ValidationModel
+        fields = ('blank_validated_field',)
+        read_only_fields = ('blank_validated_field',)
+
+
+class UpdateValidationModel(generics.RetrieveUpdateDestroyAPIView):
+    model = ValidationModel
+    serializer_class = ValidationModelSerializer
+
+
+class TestPreSaveValidationExclusions(TestCase):
+    def test_pre_save_validation_exclusions(self):
+        """
+        Somewhat weird test case to ensure that we don't perform model
+        validation on read only fields.
+        """
+        obj = ValidationModel.objects.create(blank_validated_field='')
+        request = factory.put('/', json.dumps({}),
+                              content_type='application/json')
+        view = UpdateValidationModel().as_view()
+        response = view(request, pk=obj.pk).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+
+# Regression for #653
+
+class ShouldValidateModel(models.Model):
+    should_validate_field = models.CharField(max_length=255)
+
+
+class ShouldValidateModelSerializer(serializers.ModelSerializer):
+    renamed = serializers.CharField(source='should_validate_field', required=False)
+
+    class Meta:
+        model = ShouldValidateModel
+        fields = ('renamed',)
+
+
+class TestPreSaveValidationExclusions(TestCase):
+    def test_renamed_fields_are_model_validated(self):
+        """
+        Ensure fields with 'source' applied do get still get model validation.
+        """
+        # We've set `required=False` on the serializer, but the model
+        # does not have `blank=True`, so this serializer should not validate.
+        serializer = ShouldValidateModelSerializer(data={'renamed': ''})
+        self.assertEqual(serializer.is_valid(), False)
diff --git a/rest_framework/tests/validators.py b/rest_framework/tests/validators.py
deleted file mode 100644
index c032985ec..000000000
--- a/rest_framework/tests/validators.py
+++ /dev/null
@@ -1,329 +0,0 @@
-# from django import forms
-# from django.db import models
-# from django.test import TestCase
-# from rest_framework.response import ImmediateResponse
-# from rest_framework.views import View
-
-
-# class TestDisabledValidations(TestCase):
-#     """Tests on FormValidator with validation disabled by setting form to None"""
-
-#     def test_disabled_form_validator_returns_content_unchanged(self):
-#         """If the view's form attribute is None then FormValidator(view).validate_request(content, None)
-#         should just return the content unmodified."""
-#         class DisabledFormResource(FormResource):
-#             form = None
-
-#         class MockView(View):
-#             resource = DisabledFormResource
-
-#         view = MockView()
-#         content = {'qwerty': 'uiop'}
-#         self.assertEqual(FormResource(view).validate_request(content, None), content)
-
-#     def test_disabled_form_validator_get_bound_form_returns_none(self):
-#         """If the view's form attribute is None on then
-#         FormValidator(view).get_bound_form(content) should just return None."""
-#         class DisabledFormResource(FormResource):
-#             form = None
-
-#         class MockView(View):
-#             resource = DisabledFormResource
-
-#         view = MockView()
-#         content = {'qwerty': 'uiop'}
-#         self.assertEqual(FormResource(view).get_bound_form(content), None)
-
-#     def test_disabled_model_form_validator_returns_content_unchanged(self):
-#         """If the view's form is None and does not have a Resource with a model set then
-#         ModelFormValidator(view).validate_request(content, None) should just return the content unmodified."""
-
-#         class DisabledModelFormView(View):
-#             resource = ModelResource
-
-#         view = DisabledModelFormView()
-#         content = {'qwerty': 'uiop'}
-#         self.assertEqual(ModelResource(view).get_bound_form(content), None)
-
-#     def test_disabled_model_form_validator_get_bound_form_returns_none(self):
-#         """If the form attribute is None on FormValidatorMixin then get_bound_form(content) should just return None."""
-#         class DisabledModelFormView(View):
-#             resource = ModelResource
-
-#         view = DisabledModelFormView()
-#         content = {'qwerty': 'uiop'}
-#         self.assertEqual(ModelResource(view).get_bound_form(content), None)
-
-
-# class TestNonFieldErrors(TestCase):
-#     """Tests against form validation errors caused by non-field errors.  (eg as might be caused by some custom form validation)"""
-
-#     def test_validate_failed_due_to_non_field_error_returns_appropriate_message(self):
-#         """If validation fails with a non-field error, ensure the response a non-field error"""
-#         class MockForm(forms.Form):
-#             field1 = forms.CharField(required=False)
-#             field2 = forms.CharField(required=False)
-#             ERROR_TEXT = 'You may not supply both field1 and field2'
-
-#             def clean(self):
-#                 if 'field1' in self.cleaned_data and 'field2' in self.cleaned_data:
-#                     raise forms.ValidationError(self.ERROR_TEXT)
-#                 return self.cleaned_data
-
-#         class MockResource(FormResource):
-#             form = MockForm
-
-#         class MockView(View):
-#             pass
-
-#         view = MockView()
-#         content = {'field1': 'example1', 'field2': 'example2'}
-#         try:
-#             MockResource(view).validate_request(content, None)
-#         except ImmediateResponse, exc:
-#             response = exc.response
-#             self.assertEqual(response.raw_content, {'errors': [MockForm.ERROR_TEXT]})
-#         else:
-#             self.fail('ImmediateResponse was not raised')
-
-
-# class TestFormValidation(TestCase):
-#     """Tests which check basic form validation.
-#     Also includes the same set of tests with a ModelFormValidator for which the form has been explicitly set.
-#     (ModelFormValidator should behave as FormValidator if a form is set rather than relying on the default ModelForm)"""
-#     def setUp(self):
-#         class MockForm(forms.Form):
-#             qwerty = forms.CharField(required=True)
-
-#         class MockFormResource(FormResource):
-#             form = MockForm
-
-#         class MockModelResource(ModelResource):
-#             form = MockForm
-
-#         class MockFormView(View):
-#             resource = MockFormResource
-
-#         class MockModelFormView(View):
-#             resource = MockModelResource
-
-#         self.MockFormResource = MockFormResource
-#         self.MockModelResource = MockModelResource
-#         self.MockFormView = MockFormView
-#         self.MockModelFormView = MockModelFormView
-
-#     def validation_returns_content_unchanged_if_already_valid_and_clean(self, validator):
-#         """If the content is already valid and clean then validate(content) should just return the content unmodified."""
-#         content = {'qwerty': 'uiop'}
-#         self.assertEqual(validator.validate_request(content, None), content)
-
-#     def validation_failure_raises_response_exception(self, validator):
-#         """If form validation fails a ResourceException 400 (Bad Request) should be raised."""
-#         content = {}
-#         self.assertRaises(ImmediateResponse, validator.validate_request, content, None)
-
-#     def validation_does_not_allow_extra_fields_by_default(self, validator):
-#         """If some (otherwise valid) content includes fields that are not in the form then validation should fail.
-#         It might be okay on normal form submission, but for Web APIs we oughta get strict, as it'll help show up
-#         broken clients more easily (eg submitting content with a misnamed field)"""
-#         content = {'qwerty': 'uiop', 'extra': 'extra'}
-#         self.assertRaises(ImmediateResponse, validator.validate_request, content, None)
-
-#     def validation_allows_extra_fields_if_explicitly_set(self, validator):
-#         """If we include an allowed_extra_fields paramater on _validate, then allow fields with those names."""
-#         content = {'qwerty': 'uiop', 'extra': 'extra'}
-#         validator._validate(content, None, allowed_extra_fields=('extra',))
-
-#     def validation_allows_unknown_fields_if_explicitly_allowed(self, validator):
-#         """If we set ``unknown_form_fields`` on the form resource, then don't
-#         raise errors on unexpected request data"""
-#         content = {'qwerty': 'uiop', 'extra': 'extra'}
-#         validator.allow_unknown_form_fields = True
-#         self.assertEqual({'qwerty': u'uiop'},
-#                          validator.validate_request(content, None),
-#                          "Resource didn't accept unknown fields.")
-#         validator.allow_unknown_form_fields = False
-
-#     def validation_does_not_require_extra_fields_if_explicitly_set(self, validator):
-#         """If we include an allowed_extra_fields paramater on _validate, then do not fail if we do not have fields with those names."""
-#         content = {'qwerty': 'uiop'}
-#         self.assertEqual(validator._validate(content, None, allowed_extra_fields=('extra',)), content)
-
-#     def validation_failed_due_to_no_content_returns_appropriate_message(self, validator):
-#         """If validation fails due to no content, ensure the response contains a single non-field error"""
-#         content = {}
-#         try:
-#             validator.validate_request(content, None)
-#         except ImmediateResponse, exc:
-#             response = exc.response
-#             self.assertEqual(response.raw_content, {'field_errors': {'qwerty': ['This field is required.']}})
-#         else:
-#             self.fail('ResourceException was not raised')
-
-#     def validation_failed_due_to_field_error_returns_appropriate_message(self, validator):
-#         """If validation fails due to a field error, ensure the response contains a single field error"""
-#         content = {'qwerty': ''}
-#         try:
-#             validator.validate_request(content, None)
-#         except ImmediateResponse, exc:
-#             response = exc.response
-#             self.assertEqual(response.raw_content, {'field_errors': {'qwerty': ['This field is required.']}})
-#         else:
-#             self.fail('ResourceException was not raised')
-
-#     def validation_failed_due_to_invalid_field_returns_appropriate_message(self, validator):
-#         """If validation fails due to an invalid field, ensure the response contains a single field error"""
-#         content = {'qwerty': 'uiop', 'extra': 'extra'}
-#         try:
-#             validator.validate_request(content, None)
-#         except ImmediateResponse, exc:
-#             response = exc.response
-#             self.assertEqual(response.raw_content, {'field_errors': {'extra': ['This field does not exist.']}})
-#         else:
-#             self.fail('ResourceException was not raised')
-
-#     def validation_failed_due_to_multiple_errors_returns_appropriate_message(self, validator):
-#         """If validation for multiple reasons, ensure the response contains each error"""
-#         content = {'qwerty': '', 'extra': 'extra'}
-#         try:
-#             validator.validate_request(content, None)
-#         except ImmediateResponse, exc:
-#             response = exc.response
-#             self.assertEqual(response.raw_content, {'field_errors': {'qwerty': ['This field is required.'],
-#                                                                          'extra': ['This field does not exist.']}})
-#         else:
-#             self.fail('ResourceException was not raised')
-
-#     # Tests on FormResource
-
-#     def test_form_validation_returns_content_unchanged_if_already_valid_and_clean(self):
-#         validator = self.MockFormResource(self.MockFormView())
-#         self.validation_returns_content_unchanged_if_already_valid_and_clean(validator)
-
-#     def test_form_validation_failure_raises_response_exception(self):
-#         validator = self.MockFormResource(self.MockFormView())
-#         self.validation_failure_raises_response_exception(validator)
-
-#     def test_validation_does_not_allow_extra_fields_by_default(self):
-#         validator = self.MockFormResource(self.MockFormView())
-#         self.validation_does_not_allow_extra_fields_by_default(validator)
-
-#     def test_validation_allows_extra_fields_if_explicitly_set(self):
-#         validator = self.MockFormResource(self.MockFormView())
-#         self.validation_allows_extra_fields_if_explicitly_set(validator)
-
-#     def test_validation_allows_unknown_fields_if_explicitly_allowed(self):
-#         validator = self.MockFormResource(self.MockFormView())
-#         self.validation_allows_unknown_fields_if_explicitly_allowed(validator)
-
-#     def test_validation_does_not_require_extra_fields_if_explicitly_set(self):
-#         validator = self.MockFormResource(self.MockFormView())
-#         self.validation_does_not_require_extra_fields_if_explicitly_set(validator)
-
-#     def test_validation_failed_due_to_no_content_returns_appropriate_message(self):
-#         validator = self.MockFormResource(self.MockFormView())
-#         self.validation_failed_due_to_no_content_returns_appropriate_message(validator)
-
-#     def test_validation_failed_due_to_field_error_returns_appropriate_message(self):
-#         validator = self.MockFormResource(self.MockFormView())
-#         self.validation_failed_due_to_field_error_returns_appropriate_message(validator)
-
-#     def test_validation_failed_due_to_invalid_field_returns_appropriate_message(self):
-#         validator = self.MockFormResource(self.MockFormView())
-#         self.validation_failed_due_to_invalid_field_returns_appropriate_message(validator)
-
-#     def test_validation_failed_due_to_multiple_errors_returns_appropriate_message(self):
-#         validator = self.MockFormResource(self.MockFormView())
-#         self.validation_failed_due_to_multiple_errors_returns_appropriate_message(validator)
-
-#     # Same tests on ModelResource
-
-#     def test_modelform_validation_returns_content_unchanged_if_already_valid_and_clean(self):
-#         validator = self.MockModelResource(self.MockModelFormView())
-#         self.validation_returns_content_unchanged_if_already_valid_and_clean(validator)
-
-#     def test_modelform_validation_failure_raises_response_exception(self):
-#         validator = self.MockModelResource(self.MockModelFormView())
-#         self.validation_failure_raises_response_exception(validator)
-
-#     def test_modelform_validation_does_not_allow_extra_fields_by_default(self):
-#         validator = self.MockModelResource(self.MockModelFormView())
-#         self.validation_does_not_allow_extra_fields_by_default(validator)
-
-#     def test_modelform_validation_allows_extra_fields_if_explicitly_set(self):
-#         validator = self.MockModelResource(self.MockModelFormView())
-#         self.validation_allows_extra_fields_if_explicitly_set(validator)
-
-#     def test_modelform_validation_does_not_require_extra_fields_if_explicitly_set(self):
-#         validator = self.MockModelResource(self.MockModelFormView())
-#         self.validation_does_not_require_extra_fields_if_explicitly_set(validator)
-
-#     def test_modelform_validation_failed_due_to_no_content_returns_appropriate_message(self):
-#         validator = self.MockModelResource(self.MockModelFormView())
-#         self.validation_failed_due_to_no_content_returns_appropriate_message(validator)
-
-#     def test_modelform_validation_failed_due_to_field_error_returns_appropriate_message(self):
-#         validator = self.MockModelResource(self.MockModelFormView())
-#         self.validation_failed_due_to_field_error_returns_appropriate_message(validator)
-
-#     def test_modelform_validation_failed_due_to_invalid_field_returns_appropriate_message(self):
-#         validator = self.MockModelResource(self.MockModelFormView())
-#         self.validation_failed_due_to_invalid_field_returns_appropriate_message(validator)
-
-#     def test_modelform_validation_failed_due_to_multiple_errors_returns_appropriate_message(self):
-#         validator = self.MockModelResource(self.MockModelFormView())
-#         self.validation_failed_due_to_multiple_errors_returns_appropriate_message(validator)
-
-
-# class TestModelFormValidator(TestCase):
-#     """Tests specific to ModelFormValidatorMixin"""
-
-#     def setUp(self):
-#         """Create a validator for a model with two fields and a property."""
-#         class MockModel(models.Model):
-#             qwerty = models.CharField(max_length=256)
-#             uiop = models.CharField(max_length=256, blank=True)
-
-#             @property
-#             def read_only(self):
-#                 return 'read only'
-
-#         class MockResource(ModelResource):
-#             model = MockModel
-
-#         class MockView(View):
-#             resource = MockResource
-
-#         self.validator = MockResource(MockView)
-
-#     def test_property_fields_are_allowed_on_model_forms(self):
-#         """Validation on ModelForms may include property fields that exist on the Model to be included in the input."""
-#         content = {'qwerty': 'example', 'uiop': 'example', 'read_only': 'read only'}
-#         self.assertEqual(self.validator.validate_request(content, None), content)
-
-#     def test_property_fields_are_not_required_on_model_forms(self):
-#         """Validation on ModelForms does not require property fields that exist on the Model to be included in the input."""
-#         content = {'qwerty': 'example', 'uiop': 'example'}
-#         self.assertEqual(self.validator.validate_request(content, None), content)
-
-#     def test_extra_fields_not_allowed_on_model_forms(self):
-#         """If some (otherwise valid) content includes fields that are not in the form then validation should fail.
-#         It might be okay on normal form submission, but for Web APIs we oughta get strict, as it'll help show up
-#         broken clients more easily (eg submitting content with a misnamed field)"""
-#         content = {'qwerty': 'example', 'uiop': 'example', 'read_only': 'read only', 'extra': 'extra'}
-#         self.assertRaises(ImmediateResponse, self.validator.validate_request, content, None)
-
-#     def test_validate_requires_fields_on_model_forms(self):
-#         """If some (otherwise valid) content includes fields that are not in the form then validation should fail.
-#         It might be okay on normal form submission, but for Web APIs we oughta get strict, as it'll help show up
-#         broken clients more easily (eg submitting content with a misnamed field)"""
-#         content = {'read_only': 'read only'}
-#         self.assertRaises(ImmediateResponse, self.validator.validate_request, content, None)
-
-#     def test_validate_does_not_require_blankable_fields_on_model_forms(self):
-#         """Test standard ModelForm validation behaviour - fields with blank=True are not required."""
-#         content = {'qwerty': 'example', 'read_only': 'read only'}
-#         self.validator.validate_request(content, None)
-
-#     def test_model_form_validator_uses_model_forms(self):
-#         self.assertTrue(isinstance(self.validator.get_bound_form(), forms.ModelForm))
diff --git a/rest_framework/tests/views.py b/rest_framework/tests/views.py
index 7cd826565..994cf6dc3 100644
--- a/rest_framework/tests/views.py
+++ b/rest_framework/tests/views.py
@@ -1,4 +1,4 @@
-import copy
+from __future__ import unicode_literals
 from django.test import TestCase
 from django.test.client import RequestFactory
 from rest_framework import status
@@ -6,6 +6,7 @@ from rest_framework.decorators import api_view
 from rest_framework.response import Response
 from rest_framework.settings import api_settings
 from rest_framework.views import APIView
+import copy
 
 factory = RequestFactory()
 
@@ -49,10 +50,10 @@ class ClassBasedViewIntegrationTests(TestCase):
         request = factory.post('/', 'f00bar', content_type='application/json')
         response = self.view(request)
         expected = {
-            'detail': u'JSON parse error - No JSON object could be decoded'
+            'detail': 'JSON parse error - No JSON object could be decoded'
         }
-        self.assertEquals(response.status_code, status.HTTP_400_BAD_REQUEST)
-        self.assertEquals(sanitise_json_error(response.data), expected)
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(sanitise_json_error(response.data), expected)
 
     def test_400_parse_error_tunneled_content(self):
         content = 'f00bar'
@@ -64,10 +65,10 @@ class ClassBasedViewIntegrationTests(TestCase):
         request = factory.post('/', form_data)
         response = self.view(request)
         expected = {
-            'detail': u'JSON parse error - No JSON object could be decoded'
+            'detail': 'JSON parse error - No JSON object could be decoded'
         }
-        self.assertEquals(response.status_code, status.HTTP_400_BAD_REQUEST)
-        self.assertEquals(sanitise_json_error(response.data), expected)
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(sanitise_json_error(response.data), expected)
 
 
 class FunctionBasedViewIntegrationTests(TestCase):
@@ -78,10 +79,10 @@ class FunctionBasedViewIntegrationTests(TestCase):
         request = factory.post('/', 'f00bar', content_type='application/json')
         response = self.view(request)
         expected = {
-            'detail': u'JSON parse error - No JSON object could be decoded'
+            'detail': 'JSON parse error - No JSON object could be decoded'
         }
-        self.assertEquals(response.status_code, status.HTTP_400_BAD_REQUEST)
-        self.assertEquals(sanitise_json_error(response.data), expected)
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(sanitise_json_error(response.data), expected)
 
     def test_400_parse_error_tunneled_content(self):
         content = 'f00bar'
@@ -93,7 +94,7 @@ class FunctionBasedViewIntegrationTests(TestCase):
         request = factory.post('/', form_data)
         response = self.view(request)
         expected = {
-            'detail': u'JSON parse error - No JSON object could be decoded'
+            'detail': 'JSON parse error - No JSON object could be decoded'
         }
-        self.assertEquals(response.status_code, status.HTTP_400_BAD_REQUEST)
-        self.assertEquals(sanitise_json_error(response.data), expected)
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(sanitise_json_error(response.data), expected)
diff --git a/rest_framework/throttling.py b/rest_framework/throttling.py
index 8fe64248d..810cad637 100644
--- a/rest_framework/throttling.py
+++ b/rest_framework/throttling.py
@@ -1,7 +1,8 @@
-import time
+from __future__ import unicode_literals
 from django.core.cache import cache
 from rest_framework import exceptions
 from rest_framework.settings import api_settings
+import time
 
 
 class BaseThrottle(object):
diff --git a/rest_framework/urlpatterns.py b/rest_framework/urlpatterns.py
index 143928c99..d9143bb4c 100644
--- a/rest_framework/urlpatterns.py
+++ b/rest_framework/urlpatterns.py
@@ -1,7 +1,38 @@
-from rest_framework.compat import url
+from __future__ import unicode_literals
+from django.core.urlresolvers import RegexURLResolver
+from rest_framework.compat import url, include
 from rest_framework.settings import api_settings
 
 
+def apply_suffix_patterns(urlpatterns, suffix_pattern, suffix_required):
+    ret = []
+    for urlpattern in urlpatterns:
+        if isinstance(urlpattern, RegexURLResolver):
+            # Set of included URL patterns
+            regex = urlpattern.regex.pattern
+            namespace = urlpattern.namespace
+            app_name = urlpattern.app_name
+            kwargs = urlpattern.default_kwargs
+            # Add in the included patterns, after applying the suffixes
+            patterns = apply_suffix_patterns(urlpattern.url_patterns,
+                                             suffix_pattern,
+                                             suffix_required)
+            ret.append(url(regex, include(patterns, namespace, app_name), kwargs))
+
+        else:
+            # Regular URL pattern
+            regex = urlpattern.regex.pattern.rstrip('$') + suffix_pattern
+            view = urlpattern._callback or urlpattern._callback_str
+            kwargs = urlpattern.default_args
+            name = urlpattern.name
+            # Add in both the existing and the new urlpattern
+            if not suffix_required:
+                ret.append(urlpattern)
+            ret.append(url(regex, view, kwargs, name))
+
+    return ret
+
+
 def format_suffix_patterns(urlpatterns, suffix_required=False, allowed=None):
     """
     Supplement existing urlpatterns with corresponding patterns that also
@@ -28,15 +59,4 @@ def format_suffix_patterns(urlpatterns, suffix_required=False, allowed=None):
     else:
         suffix_pattern = r'\.(?P<%s>[a-z]+)$' % suffix_kwarg
 
-    ret = []
-    for urlpattern in urlpatterns:
-        # Form our complementing '.format' urlpattern
-        regex = urlpattern.regex.pattern.rstrip('$') + suffix_pattern
-        view = urlpattern._callback or urlpattern._callback_str
-        kwargs = urlpattern.default_args
-        name = urlpattern.name
-        # Add in both the existing and the new urlpattern
-        if not suffix_required:
-            ret.append(urlpattern)
-        ret.append(url(regex, view, kwargs, name))
-    return ret
+    return apply_suffix_patterns(urlpatterns, suffix_pattern, suffix_required)
diff --git a/rest_framework/urls.py b/rest_framework/urls.py
index fbe4bc07e..9c4719f1d 100644
--- a/rest_framework/urls.py
+++ b/rest_framework/urls.py
@@ -12,6 +12,7 @@ your authentication settings include `SessionAuthentication`.
         url(r'^auth', include('rest_framework.urls', namespace='rest_framework'))
     )
 """
+from __future__ import unicode_literals
 from rest_framework.compat import patterns, url
 
 
diff --git a/rest_framework/utils/__init__.py b/rest_framework/utils/__init__.py
index 84fcb5dbb..e69de29bb 100644
--- a/rest_framework/utils/__init__.py
+++ b/rest_framework/utils/__init__.py
@@ -1,100 +0,0 @@
-from django.utils.encoding import smart_unicode
-from django.utils.xmlutils import SimplerXMLGenerator
-from rest_framework.compat import StringIO
-import re
-import xml.etree.ElementTree as ET
-
-
-# From xml2dict
-class XML2Dict(object):
-
-    def __init__(self):
-        pass
-
-    def _parse_node(self, node):
-        node_tree = {}
-        # Save attrs and text, hope there will not be a child with same name
-        if node.text:
-            node_tree = node.text
-        for (k, v) in node.attrib.items():
-            k, v = self._namespace_split(k, v)
-            node_tree[k] = v
-        #Save childrens
-        for child in node.getchildren():
-            tag, tree = self._namespace_split(child.tag, self._parse_node(child))
-            if  tag not in node_tree:  # the first time, so store it in dict
-                node_tree[tag] = tree
-                continue
-            old = node_tree[tag]
-            if not isinstance(old, list):
-                node_tree.pop(tag)
-                node_tree[tag] = [old]  # multi times, so change old dict to a list
-            node_tree[tag].append(tree)  # add the new one
-
-        return  node_tree
-
-    def _namespace_split(self, tag, value):
-        """
-           Split the tag  '{http://cs.sfsu.edu/csc867/myscheduler}patients'
-             ns = http://cs.sfsu.edu/csc867/myscheduler
-             name = patients
-        """
-        result = re.compile("\{(.*)\}(.*)").search(tag)
-        if result:
-            value.namespace, tag = result.groups()
-        return (tag, value)
-
-    def parse(self, file):
-        """parse a xml file to a dict"""
-        f = open(file, 'r')
-        return self.fromstring(f.read())
-
-    def fromstring(self, s):
-        """parse a string"""
-        t = ET.fromstring(s)
-        unused_root_tag, root_tree = self._namespace_split(t.tag, self._parse_node(t))
-        return root_tree
-
-
-def xml2dict(input):
-    return XML2Dict().fromstring(input)
-
-
-# Piston:
-class XMLRenderer():
-    def _to_xml(self, xml, data):
-        if isinstance(data, (list, tuple)):
-            for item in data:
-                xml.startElement("list-item", {})
-                self._to_xml(xml, item)
-                xml.endElement("list-item")
-
-        elif isinstance(data, dict):
-            for key, value in data.iteritems():
-                xml.startElement(key, {})
-                self._to_xml(xml, value)
-                xml.endElement(key)
-
-        elif data is None:
-            # Don't output any value
-            pass
-
-        else:
-            xml.characters(smart_unicode(data))
-
-    def dict2xml(self, data):
-        stream = StringIO.StringIO()
-
-        xml = SimplerXMLGenerator(stream, "utf-8")
-        xml.startDocument()
-        xml.startElement("root", {})
-
-        self._to_xml(xml, data)
-
-        xml.endElement("root")
-        xml.endDocument()
-        return stream.getvalue()
-
-
-def dict2xml(input):
-    return XMLRenderer().dict2xml(input)
diff --git a/rest_framework/utils/breadcrumbs.py b/rest_framework/utils/breadcrumbs.py
index 80e39d46d..af21ac79b 100644
--- a/rest_framework/utils/breadcrumbs.py
+++ b/rest_framework/utils/breadcrumbs.py
@@ -1,3 +1,4 @@
+from __future__ import unicode_literals
 from django.core.urlresolvers import resolve, get_script_prefix
 
 
diff --git a/rest_framework/utils/encoders.py b/rest_framework/utils/encoders.py
index 7afe100a8..b6de18a81 100644
--- a/rest_framework/utils/encoders.py
+++ b/rest_framework/utils/encoders.py
@@ -1,13 +1,14 @@
 """
 Helper classes for parsers.
 """
+from __future__ import unicode_literals
+from django.utils.datastructures import SortedDict
+from rest_framework.compat import timezone
+from rest_framework.serializers import DictWithMetadata, SortedDictWithMetadata
 import datetime
 import decimal
 import types
 import json
-from django.utils.datastructures import SortedDict
-from rest_framework.compat import timezone
-from rest_framework.serializers import DictWithMetadata, SortedDictWithMetadata
 
 
 class JSONEncoder(json.JSONEncoder):
diff --git a/rest_framework/utils/mediatypes.py b/rest_framework/utils/mediatypes.py
index ee7f3a546..c09c29338 100644
--- a/rest_framework/utils/mediatypes.py
+++ b/rest_framework/utils/mediatypes.py
@@ -3,8 +3,9 @@ Handling of media types, as found in HTTP Content-Type and Accept headers.
 
 See http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
 """
-
+from __future__ import unicode_literals
 from django.http.multipartparser import parse_header
+from rest_framework import HTTP_HEADER_ENCODING
 
 
 def media_type_matches(lhs, rhs):
@@ -47,7 +48,7 @@ class _MediaType(object):
         if media_type_str is None:
             media_type_str = ''
         self.orig = media_type_str
-        self.full_type, self.params = parse_header(media_type_str)
+        self.full_type, self.params = parse_header(media_type_str.encode(HTTP_HEADER_ENCODING))
         self.main_type, sep, self.sub_type = self.full_type.partition('/')
 
     def match(self, other):
diff --git a/rest_framework/views.py b/rest_framework/views.py
index 10bdd5a53..81cbdcbb2 100644
--- a/rest_framework/views.py
+++ b/rest_framework/views.py
@@ -1,8 +1,7 @@
 """
 Provides an APIView class that is used as the base of all class-based views.
 """
-
-import re
+from __future__ import unicode_literals
 from django.core.exceptions import PermissionDenied
 from django.http import Http404
 from django.utils.html import escape
@@ -13,6 +12,7 @@ from rest_framework.compat import View, apply_markdown
 from rest_framework.response import Response
 from rest_framework.request import Request
 from rest_framework.settings import api_settings
+import re
 
 
 def _remove_trailing_string(content, trailing):
@@ -148,6 +148,8 @@ class APIView(View):
         """
         If request is not permitted, determine what kind of exception to raise.
         """
+        if not self.request.successful_authenticator:
+            raise exceptions.NotAuthenticated()
         raise exceptions.PermissionDenied()
 
     def throttled(self, request, wait):
@@ -156,6 +158,15 @@ class APIView(View):
         """
         raise exceptions.Throttled(wait)
 
+    def get_authenticate_header(self, request):
+        """
+        If a request is unauthenticated, determine the WWW-Authenticate
+        header to use for 401 responses, if any.
+        """
+        authenticators = self.get_authenticators()
+        if authenticators:
+            return authenticators[0].authenticate_header(request)
+
     def get_parser_context(self, http_request):
         """
         Returns a dict that is passed through to Parser.parse(),
@@ -200,13 +211,13 @@ class APIView(View):
 
     def get_parsers(self):
         """
-        Instantiates and returns the list of renderers that this view can use.
+        Instantiates and returns the list of parsers that this view can use.
         """
         return [parser() for parser in self.parser_classes]
 
     def get_authenticators(self):
         """
-        Instantiates and returns the list of renderers that this view can use.
+        Instantiates and returns the list of authenticators that this view can use.
         """
         return [auth() for auth in self.authentication_classes]
 
@@ -241,23 +252,43 @@ class APIView(View):
 
         try:
             return conneg.select_renderer(request, renderers, self.format_kwarg)
-        except:
+        except Exception:
             if force:
                 return (renderers[0], renderers[0].media_type)
             raise
 
-    def has_permission(self, request, obj=None):
+    def perform_authentication(self, request):
         """
-        Return `True` if the request should be permitted.
+        Perform authentication on the incoming request.
+
+        Note that if you override this and simply 'pass', then authentication
+        will instead be performed lazily, the first time either
+        `request.user` or `request.auth` is accessed.
+        """
+        request.user
+
+    def check_permissions(self, request):
+        """
+        Check if the request should be permitted.
+        Raises an appropriate exception if the request is not permitted.
         """
         for permission in self.get_permissions():
-            if not permission.has_permission(request, self, obj):
-                return False
-        return True
+            if not permission.has_permission(request, self):
+                self.permission_denied(request)
+
+    def check_object_permissions(self, request, obj):
+        """
+        Check if the request should be permitted for a given object.
+        Raises an appropriate exception if the request is not permitted.
+        """
+        for permission in self.get_permissions():
+            if not permission.has_object_permission(request, self, obj):
+                self.permission_denied(request)
 
     def check_throttles(self, request):
         """
         Check if request should be throttled.
+        Raises an appropriate exception if the request is throttled.
         """
         for throttle in self.get_throttles():
             if not throttle.allow_request(request, self):
@@ -284,8 +315,8 @@ class APIView(View):
         self.format_kwarg = self.get_format_suffix(**kwargs)
 
         # Ensure that the incoming request is permitted
-        if not self.has_permission(request):
-            self.permission_denied(request)
+        self.perform_authentication(request)
+        self.check_permissions(request)
         self.check_throttles(request)
 
         # Perform content negotiation and store the accepted info on the request
@@ -319,6 +350,16 @@ class APIView(View):
             # Throttle wait header
             self.headers['X-Throttle-Wait-Seconds'] = '%d' % exc.wait
 
+        if isinstance(exc, (exceptions.NotAuthenticated,
+                            exceptions.AuthenticationFailed)):
+            # WWW-Authenticate header for 401 responses, else coerce to 403
+            auth_header = self.get_authenticate_header(self.request)
+
+            if auth_header:
+                self.headers['WWW-Authenticate'] = auth_header
+            else:
+                exc.status_code = status.HTTP_403_FORBIDDEN
+
         if isinstance(exc, exceptions.APIException):
             return Response({'detail': exc.detail},
                             status=exc.status_code,
diff --git a/setup.py b/setup.py
index 26d072837..ebaaf9828 100755
--- a/setup.py
+++ b/setup.py
@@ -45,9 +45,9 @@ version = get_version('rest_framework')
 
 if sys.argv[-1] == 'publish':
     os.system("python setup.py sdist upload")
-    print "You probably want to also tag the version now:"
-    print "  git tag -a %s -m 'version %s'" % (version, version)
-    print "  git push --tags"
+    print("You probably want to also tag the version now:")
+    print("  git tag -a %s -m 'version %s'" % (version, version))
+    print("  git push --tags")
     sys.exit()
 
 
@@ -57,21 +57,28 @@ setup(
     url='http://django-rest-framework.org',
     download_url='http://pypi.python.org/pypi/rest_framework/',
     license='BSD',
-    description='A lightweight REST framework for Django.',
+    description='Web APIs for Django, made easy.',
     author='Tom Christie',
-    author_email='tom@tomchristie.com',
+    author_email='tom@tomchristie.com',  # SEE NOTE BELOW (*)
     packages=get_packages('rest_framework'),
     package_data=get_package_data('rest_framework'),
     test_suite='rest_framework.runtests.runtests.main',
     install_requires=[],
     classifiers=[
-        'Development Status :: 4 - Beta',
+        'Development Status :: 5 - Production/Stable',
         'Environment :: Web Environment',
         'Framework :: Django',
         'Intended Audience :: Developers',
         'License :: OSI Approved :: BSD License',
         'Operating System :: OS Independent',
         'Programming Language :: Python',
+        'Programming Language :: Python :: 3',
         'Topic :: Internet :: WWW/HTTP',
     ]
 )
+
+# (*) Please direct queries to the discussion group, rather than to me directly
+#     Doing so helps ensure your question is helpful to other users.
+#     Queries directly to my email are likely to receive a canned response.
+#
+#     Many thanks for your understanding.
diff --git a/tox.ini b/tox.ini
index 22c85e493..d62359a54 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,36 +1,72 @@
 [tox]
 downloadcache = {toxworkdir}/cache/
-envlist = py2.7-django1.5,py2.7-django1.4,py2.7-django1.3,py2.6-django1.5,py2.6-django1.4,py2.6-django1.3
+envlist = py3.3-django1.5,py3.2-django1.5,py2.7-django1.5,py2.6-django1.5,py2.7-django1.4,py2.6-django1.4,py2.7-django1.3,py2.6-django1.3
 
 [testenv]
 commands = {envpython} rest_framework/runtests/runtests.py
 
+[testenv:py3.3-django1.5]
+basepython = python3.3
+deps = django==1.5
+       django-filter==0.6a1
+       defusedxml==0.3
+
+[testenv:py3.2-django1.5]
+basepython = python3.2
+deps = django==1.5
+       django-filter==0.6a1
+       defusedxml==0.3
+
 [testenv:py2.7-django1.5]
 basepython = python2.7
-deps = https://github.com/django/django/zipball/master
-       django-filter==0.5.4
+deps = django==1.5
+       django-filter==0.6a1
+       defusedxml==0.3
+       django-oauth-plus==2.0
+       oauth2==1.5.211
+       django-oauth2-provider==0.2.3
+
+[testenv:py2.6-django1.5]
+basepython = python2.6
+deps = django==1.5
+       django-filter==0.6a1
+       defusedxml==0.3
+       django-oauth-plus==2.0
+       oauth2==1.5.211
+       django-oauth2-provider==0.2.3
 
 [testenv:py2.7-django1.4]
 basepython = python2.7
 deps = django==1.4.3
-       django-filter==0.5.4
+       django-filter==0.6a1
+       defusedxml==0.3
+       django-oauth-plus==2.0
+       oauth2==1.5.211
+       django-oauth2-provider==0.2.3
+
+[testenv:py2.6-django1.4]
+basepython = python2.6
+deps = django==1.4.3
+       django-filter==0.6a1
+       defusedxml==0.3
+       django-oauth-plus==2.0
+       oauth2==1.5.211
+       django-oauth2-provider==0.2.3
 
 [testenv:py2.7-django1.3]
 basepython = python2.7
 deps = django==1.3.5
        django-filter==0.5.4
-
-[testenv:py2.6-django1.5]
-basepython = python2.6
-deps = https://github.com/django/django/zipball/master
-       django-filter==0.5.4
-
-[testenv:py2.6-django1.4]
-basepython = python2.6
-deps = django==1.4.3
-       django-filter==0.5.4
+       defusedxml==0.3
+       django-oauth-plus==2.0
+       oauth2==1.5.211
+       django-oauth2-provider==0.2.3
 
 [testenv:py2.6-django1.3]
 basepython = python2.6
 deps = django==1.3.5
        django-filter==0.5.4
+       defusedxml==0.3
+       django-oauth-plus==2.0
+       oauth2==1.5.211
+       django-oauth2-provider==0.2.3