diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 838a4b51a..8ae01735c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -14,18 +14,19 @@ jobs: strategy: matrix: python-version: - - '3.9' - '3.10' - '3.11' - '3.12' - '3.13' + - '3.14' steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} + allow-prereleases: true cache: 'pip' cache-dependency-path: 'requirements/*.txt' @@ -39,7 +40,7 @@ jobs: run: tox run -f py$(echo ${{ matrix.python-version }} | tr -d . | cut -f 1 -d '-') - name: Run extra tox targets - if: ${{ matrix.python-version == '3.9' }} + if: ${{ matrix.python-version == '3.13' }} run: | tox -e base,dist,docs @@ -52,11 +53,11 @@ jobs: name: Test documentation links runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - uses: actions/setup-python@v6 with: - python-version: '3.9' + python-version: '3.13' - name: Install dependencies run: pip install -r requirements/requirements-documentation.txt diff --git a/.github/workflows/mkdocs-deploy.yml b/.github/workflows/mkdocs-deploy.yml index 7b7c5df2a..ef58e9b77 100644 --- a/.github/workflows/mkdocs-deploy.yml +++ b/.github/workflows/mkdocs-deploy.yml @@ -20,7 +20,7 @@ jobs: concurrency: group: ${{ github.workflow }}-${{ github.ref }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - run: git fetch --no-tags --prune --depth=1 origin gh-pages - uses: actions/setup-python@v6 with: diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 8432fe48b..a1b678919 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 with: fetch-depth: 0 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 27bbcb763..5780c8e31 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v6.0.0 hooks: - id: check-added-large-files - id: check-case-conflict @@ -8,32 +8,43 @@ repos: - id: check-merge-conflict - id: check-symlinks - id: check-toml -- repo: https://github.com/pycqa/isort - rev: 5.13.2 +- repo: https://github.com/PyCQA/isort + rev: 7.0.0 hooks: - id: isort - repo: https://github.com/PyCQA/flake8 - rev: 7.0.0 + rev: 7.3.0 hooks: - id: flake8 additional_dependencies: - flake8-tidy-imports + - flake8-bugbear - repo: https://github.com/adamchainz/blacken-docs - rev: 1.16.0 + rev: 1.20.0 hooks: - id: blacken-docs - exclude: ^(?!docs).*$ additional_dependencies: - - black==23.1.0 + - black==25.9.0 - repo: https://github.com/codespell-project/codespell # Configuration for codespell is in .codespellrc - rev: v2.2.6 + rev: v2.4.1 hooks: - id: codespell + args: [ + "--builtin", "clear,rare,code,names,en-GB_to_en-US", + "--ignore-words", "codespell-ignore-words.txt", + "--skip", "*.css", + ] exclude: locale|kickstarter-announcement.md|coreapi-0.1.1.js - + additional_dependencies: + # python doesn't come with a toml parser prior to 3.11 + - "tomli; python_version < '3.11'" - repo: https://github.com/asottile/pyupgrade - rev: v3.19.1 + rev: v3.21.0 hooks: - id: pyupgrade - args: ["--py39-plus", "--keep-percent-format"] + args: ["--py310-plus", "--keep-percent-format"] +- repo: https://github.com/tox-dev/pyproject-fmt + rev: v2.11.0 + hooks: + - id: pyproject-fmt diff --git a/MANIFEST.in b/MANIFEST.in index f7b975e6f..3d0ca3745 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -1,8 +1,3 @@ -include README.md -include LICENSE.md recursive-include tests/ * -recursive-include rest_framework/static *.js *.css *.map *.png *.ico *.eot *.svg *.ttf *.woff *.woff2 -recursive-include rest_framework/templates *.html schema.js -recursive-include rest_framework/locale *.mo global-exclude __pycache__ global-exclude *.py[co] diff --git a/README.md b/README.md index 1427b274b..f875f65dd 100644 --- a/README.md +++ b/README.md @@ -10,30 +10,6 @@ Full documentation for the project is available at [https://www.django-rest-fram --- -# Funding - -REST framework is a *collaboratively funded project*. If you use -REST framework commercially we strongly encourage you to invest in its -continued development by [signing up for a paid plan][funding]. - -The initial aim is to provide a single full-time position on REST framework. -*Every single sign-up makes a significant impact towards making that possible.* - -[![][sentry-img]][sentry-url] -[![][stream-img]][stream-url] -[![][spacinov-img]][spacinov-url] -[![][retool-img]][retool-url] -[![][bitio-img]][bitio-url] -[![][posthog-img]][posthog-url] -[![][cryptapi-img]][cryptapi-url] -[![][fezto-img]][fezto-url] -[![][svix-img]][svix-url] -[![][zuplo-img]][zuplo-url] - -Many thanks to all our [wonderful sponsors][sponsors], and in particular to our premium backers, [Sentry][sentry-url], [Stream][stream-url], [Spacinov][spacinov-url], [Retool][retool-url], [bit.io][bitio-url], [PostHog][posthog-url], [CryptAPI][cryptapi-url], [FEZTO][fezto-url], [Svix][svix-url], and [Zuplo][zuplo-url]. - ---- - # Overview Django REST framework is a powerful and flexible toolkit for building Web APIs. @@ -54,8 +30,8 @@ Some reasons you might want to use REST framework: # Requirements -* Python 3.9+ -* Django 4.2, 5.0, 5.1, 5.2 +* Python 3.10+ +* Django 4.2, 5.0, 5.1, 5.2, 6.0 We **highly recommend** and only officially support the latest patch release of each Python and Django series. @@ -67,10 +43,11 @@ Install using `pip`... pip install djangorestframework Add `'rest_framework'` to your `INSTALLED_APPS` setting. + ```python INSTALLED_APPS = [ - ... - 'rest_framework', + # ... + "rest_framework", ] ``` @@ -99,7 +76,7 @@ from rest_framework import routers, serializers, viewsets class UserSerializer(serializers.HyperlinkedModelSerializer): class Meta: model = User - fields = ['url', 'username', 'email', 'is_staff'] + fields = ["url", "username", "email", "is_staff"] # ViewSets define the view behavior. @@ -110,13 +87,13 @@ class UserViewSet(viewsets.ModelViewSet): # Routers provide a way of automatically determining the URL conf. router = routers.DefaultRouter() -router.register(r'users', UserViewSet) +router.register(r"users", UserViewSet) # Wire up our API using automatic URL routing. # Additionally, we include login URLs for the browsable API. urlpatterns = [ - path('', include(router.urls)), - path('api-auth/', include('rest_framework.urls', namespace='rest_framework')), + path("", include(router.urls)), + path("api-auth/", include("rest_framework.urls", namespace="rest_framework")), ] ``` @@ -126,15 +103,15 @@ Add the following to your `settings.py` module: ```python INSTALLED_APPS = [ - ... # Make sure to include the default installed apps here. - 'rest_framework', + # ... make sure to include the default installed apps here. + "rest_framework", ] REST_FRAMEWORK = { # Use Django's standard `django.contrib.auth` permissions, # or allow read-only access for unauthenticated users. - 'DEFAULT_PERMISSION_CLASSES': [ - 'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly', + "DEFAULT_PERMISSION_CLASSES": [ + "rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly", ] } ``` @@ -188,28 +165,6 @@ Please see the [security policy][security-policy]. [funding]: https://fund.django-rest-framework.org/topics/funding/ [sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors -[sentry-img]: https://raw.githubusercontent.com/encode/django-rest-framework/main/docs/img/premium/sentry-readme.png -[stream-img]: https://raw.githubusercontent.com/encode/django-rest-framework/main/docs/img/premium/stream-readme.png -[spacinov-img]: https://raw.githubusercontent.com/encode/django-rest-framework/main/docs/img/premium/spacinov-readme.png -[retool-img]: https://raw.githubusercontent.com/encode/django-rest-framework/main/docs/img/premium/retool-readme.png -[bitio-img]: https://raw.githubusercontent.com/encode/django-rest-framework/main/docs/img/premium/bitio-readme.png -[posthog-img]: https://raw.githubusercontent.com/encode/django-rest-framework/main/docs/img/premium/posthog-readme.png -[cryptapi-img]: https://raw.githubusercontent.com/encode/django-rest-framework/main/docs/img/premium/cryptapi-readme.png -[fezto-img]: https://raw.githubusercontent.com/encode/django-rest-framework/main/docs/img/premium/fezto-readme.png -[svix-img]: https://raw.githubusercontent.com/encode/django-rest-framework/main/docs/img/premium/svix-premium.png -[zuplo-img]: https://raw.githubusercontent.com/encode/django-rest-framework/main/docs/img/premium/zuplo-readme.png - -[sentry-url]: https://getsentry.com/welcome/ -[stream-url]: https://getstream.io/?utm_source=DjangoRESTFramework&utm_medium=Webpage_Logo_Ad&utm_content=Developer&utm_campaign=DjangoRESTFramework_Jan2022_HomePage -[spacinov-url]: https://www.spacinov.com/ -[retool-url]: https://retool.com/?utm_source=djangorest&utm_medium=sponsorship -[bitio-url]: https://bit.io/jobs?utm_source=DRF&utm_medium=sponsor&utm_campaign=DRF_sponsorship -[posthog-url]: https://posthog.com?utm_source=drf&utm_medium=sponsorship&utm_campaign=open-source-sponsorship -[cryptapi-url]: https://cryptapi.io -[fezto-url]: https://www.fezto.xyz/?utm_source=DjangoRESTFramework -[svix-url]: https://www.svix.com/?utm_source=django-REST&utm_medium=sponsorship -[zuplo-url]: https://zuplo.link/django-gh - [oauth1-section]: https://www.django-rest-framework.org/api-guide/authentication/#django-rest-framework-oauth [oauth2-section]: https://www.django-rest-framework.org/api-guide/authentication/#django-oauth-toolkit [serializer-section]: https://www.django-rest-framework.org/api-guide/serializers/#serializers diff --git a/codespell-ignore-words.txt b/codespell-ignore-words.txt new file mode 100644 index 000000000..07c9fdb9b --- /dev/null +++ b/codespell-ignore-words.txt @@ -0,0 +1,7 @@ +Tim +assertIn +IAM +endcode +deque +thead +lets \ No newline at end of file diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md index 84e58bf4b..a00a3873f 100644 --- a/docs/api-guide/authentication.md +++ b/docs/api-guide/authentication.md @@ -19,13 +19,10 @@ The `request.user` property will typically be set to an instance of the `contrib The `request.auth` property is used for any additional authentication information, for example, it may be used to represent an authentication token that the request was signed with. ---- +!!! note + Don't forget that **authentication by itself won't allow or disallow an incoming request**, it simply identifies the credentials that the request was made with. -**Note:** Don't forget that **authentication by itself won't allow or disallow an incoming request**, it simply identifies the credentials that the request was made with. - -For information on how to set up the permission policies for your API please see the [permissions documentation][permission]. - ---- + For information on how to set up the permission policies for your API please see the [permissions documentation][permission]. ## How authentication is determined @@ -122,17 +119,15 @@ Unauthenticated responses that are denied permission will result in an `HTTP 401 WWW-Authenticate: Basic realm="api" -**Note:** If you use `BasicAuthentication` in production you must ensure that your API is only available over `https`. You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage. +!!! note + If you use `BasicAuthentication` in production you must ensure that your API is only available over `https`. You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage. ## TokenAuthentication ---- +!!! note + The token authentication provided by Django REST framework is a fairly simple implementation. -**Note:** The token authentication provided by Django REST framework is a fairly simple implementation. - -For an implementation which allows more than one token per user, has some tighter security implementation details, and supports token expiry, please see the [Django REST Knox][django-rest-knox] third party package. - ---- + For an implementation which allows more than one token per user, has some tighter security implementation details, and supports token expiry, please see the [Django REST Knox][django-rest-knox] third party package. This authentication scheme uses a simple token-based HTTP Authentication scheme. Token authentication is appropriate for client-server setups, such as native desktop and mobile clients. @@ -173,11 +168,8 @@ The `curl` command line tool may be useful for testing token authenticated APIs. curl -X GET http://127.0.0.1:8000/api/example/ -H 'Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' ---- - -**Note:** If you use `TokenAuthentication` in production you must ensure that your API is only available over `https`. - ---- +!!! note + If you use `TokenAuthentication` in production you must ensure that your API is only available over `https`. ### Generating Tokens @@ -293,7 +285,8 @@ Unauthenticated responses that are denied permission will result in an `HTTP 403 If you're using an AJAX-style API with SessionAuthentication, you'll need to make sure you include a valid CSRF token for any "unsafe" HTTP method calls, such as `PUT`, `PATCH`, `POST` or `DELETE` requests. See the [Django CSRF documentation][csrf-ajax] for more details. -**Warning**: Always use Django's standard login view when creating login pages. This will ensure your login views are properly protected. +!!! warning + Always use Django's standard login view when creating login pages. This will ensure your login views are properly protected. CSRF validation in REST framework works slightly differently from standard Django due to the need to support both session and non-session based authentication to the same views. This means that only authenticated requests require CSRF tokens, and anonymous requests may be sent without CSRF tokens. This behavior is not suitable for login views, which should always have CSRF validation applied. @@ -334,11 +327,8 @@ You *may* also override the `.authenticate_header(self, request)` method. If im If the `.authenticate_header()` method is not overridden, the authentication scheme will return `HTTP 403 Forbidden` responses when an unauthenticated request is denied access. ---- - -**Note:** When your custom authenticator is invoked by the request object's `.user` or `.auth` properties, you may see an `AttributeError` re-raised as a `WrappedAttributeError`. This is necessary to prevent the original exception from being suppressed by the outer property access. Python will not recognize that the `AttributeError` originates from your custom authenticator and will instead assume that the request object does not have a `.user` or `.auth` property. These errors should be fixed or otherwise handled by your authenticator. - ---- +!!! note + When your custom authenticator is invoked by the request object's `.user` or `.auth` properties, you may see an `AttributeError` re-raised as a `WrappedAttributeError`. This is necessary to prevent the original exception from being suppressed by the outer property access. Python will not recognize that the `AttributeError` originates from your custom authenticator and will instead assume that the request object does not have a `.user` or `.auth` property. These errors should be fixed or otherwise handled by your authenticator. ## Example @@ -426,6 +416,11 @@ HTTP Signature (currently a [IETF draft][http-signature-ietf-draft]) provides a [Djoser][djoser] library provides a set of views to handle basic actions such as registration, login, logout, password reset and account activation. The package works with a custom user model and uses token-based authentication. This is a ready to use REST implementation of the Django authentication system. +## DRF Auth Kit + +[DRF Auth Kit][drf-auth-kit] library provides a modern REST authentication solution with JWT cookies, social login, multi-factor authentication, and comprehensive user management. The package offers full type safety, automatic OpenAPI schema generation with DRF Spectacular. It supports multiple authentication types (JWT, DRF Token, or Custom) and includes built-in internationalization for 50+ languages. + + ## django-rest-auth / dj-rest-auth This library provides a set of REST API endpoints for registration, authentication (including social media authentication), password reset, retrieve and update user details, etc. By having these API endpoints, your client apps such as AngularJS, iOS, Android, and others can communicate to your Django backend site independently via REST APIs for user management. @@ -454,9 +449,9 @@ There are currently two forks of this project. More information can be found in the [Documentation](https://django-rest-durin.readthedocs.io/en/latest/index.html). -## django-pyoidc +## django-pyoidc -[dango-pyoidc][django_pyoidc] adds support for OpenID Connect (OIDC) authentication. This allows you to delegate user management to an Identity Provider, which can be used to implement Single-Sign-On (SSO). It provides support for most uses-cases, such as customizing how token info are mapped to user models, using OIDC audiences for access control, etc. +[django_pyoidc][django-pyoidc] adds support for OpenID Connect (OIDC) authentication. This allows you to delegate user management to an Identity Provider, which can be used to implement Single-Sign-On (SSO). It provides support for most uses-cases, such as customizing how token info are mapped to user models, using OIDC audiences for access control, etc. More information can be found in the [Documentation](https://django-pyoidc.readthedocs.io/latest/index.html). @@ -497,4 +492,5 @@ More information can be found in the [Documentation](https://django-pyoidc.readt [django-rest-authemail]: https://github.com/celiao/django-rest-authemail [django-rest-durin]: https://github.com/eshaan7/django-rest-durin [login-required-middleware]: https://docs.djangoproject.com/en/stable/ref/middleware/#django.contrib.auth.middleware.LoginRequiredMiddleware -[django-pyoidc] : https://github.com/makinacorpus/django_pyoidc +[django-pyoidc]: https://github.com/makinacorpus/django_pyoidc +[drf-auth-kit]: https://github.com/huynguyengl99/drf-auth-kit diff --git a/docs/api-guide/caching.md b/docs/api-guide/caching.md index 4beea30d0..7f9d95781 100644 --- a/docs/api-guide/caching.md +++ b/docs/api-guide/caching.md @@ -82,8 +82,8 @@ def get_user_list(request): ``` -**NOTE:** The [`cache_page`][page] decorator only caches the -`GET` and `HEAD` responses with status 200. +!!! note + The [`cache_page`][page] decorator only caches the `GET` and `HEAD` responses with status 200. [page]: https://docs.djangoproject.com/en/stable/topics/cache/#the-per-view-cache [cookie]: https://docs.djangoproject.com/en/stable/topics/http/decorators/#django.views.decorators.vary.vary_on_cookie diff --git a/docs/api-guide/content-negotiation.md b/docs/api-guide/content-negotiation.md index 81cff6a89..043c9b836 100644 --- a/docs/api-guide/content-negotiation.md +++ b/docs/api-guide/content-negotiation.md @@ -34,13 +34,11 @@ If the requested view was only configured with renderers for `YAML` and `HTML`, For more information on the `HTTP Accept` header, see [RFC 2616][accept-header] ---- -**Note**: "q" values are not taken into account by REST framework when determining preference. The use of "q" values negatively impacts caching, and in the author's opinion they are an unnecessary and overcomplicated approach to content negotiation. +!!! note + "q" values are not taken into account by REST framework when determining preference. The use of "q" values negatively impacts caching, and in the author's opinion they are an unnecessary and overcomplicated approach to content negotiation. -This is a valid approach as the HTTP spec deliberately underspecifies how a server should weight server-based preferences against client-based preferences. - ---- + This is a valid approach as the HTTP spec deliberately underspecifies how a server should weight server-based preferences against client-based preferences. # Custom content negotiation diff --git a/docs/api-guide/fields.md b/docs/api-guide/fields.md index 8278e2a2f..cb5730e21 100644 --- a/docs/api-guide/fields.md +++ b/docs/api-guide/fields.md @@ -11,11 +11,8 @@ source: Serializer fields handle converting between primitive values and internal datatypes. They also deal with validating input values, as well as retrieving and setting the values from their parent objects. ---- - -**Note:** The serializer fields are declared in `fields.py`, but by convention you should import them using `from rest_framework import serializers` and refer to fields as `serializers.`. - ---- +!!! note + The serializer fields are declared in `fields.py`, but by convention you should import them using `from rest_framework import serializers` and refer to fields as `serializers.`. ## Core arguments @@ -180,7 +177,7 @@ The `allow_null` option is also available for string fields, although its usage ## EmailField -A text representation, validates the text to be a valid e-mail address. +A text representation, validates the text to be a valid email address. Corresponds to `django.db.models.fields.EmailField` @@ -269,6 +266,18 @@ Corresponds to `django.db.models.fields.IntegerField`, `django.db.models.fields. * `max_value` Validate that the number provided is no greater than this value. * `min_value` Validate that the number provided is no less than this value. +## BigIntegerField + +A biginteger representation. + +Corresponds to `django.db.models.fields.BigIntegerField`. + +**Signature**: `BigIntegerField(max_value=None, min_value=None, coerce_to_string=None)` + +* `max_value` Validate that the number provided is no greater than this value. +* `min_value` Validate that the number provided is no less than this value. +* `coerce_to_string` Set to `True` if string values should be returned for the representation, or `False` if `BigInteger` objects should be returned. Defaults to the same value as the `COERCE_BIGINT_TO_STRING` settings key, which will be `False` unless overridden. If `BigInteger` objects are returned by the serializer, then the final output format will be determined by the renderer. + ## FloatField A floating point representation. @@ -553,11 +562,8 @@ The `HiddenField` class is usually only needed if you have some validation that For further examples on `HiddenField` see the [validators](validators.md) documentation. ---- - -**Note:** `HiddenField()` does not appear in `partial=True` serializer (when making `PATCH` request). - ---- +!!! note + `HiddenField()` does not appear in `partial=True` serializer (when making `PATCH` request). ## ModelField @@ -762,7 +768,7 @@ suitable for updating our target object. With `source='*'`, the return from ('y_coordinate', 4), ('x_coordinate', 3)]) -For completeness lets do the same thing again but with the nested serializer +For completeness let's do the same thing again but with the nested serializer approach suggested above: class NestedCoordinateSerializer(serializers.Serializer): diff --git a/docs/api-guide/filtering.md b/docs/api-guide/filtering.md index 6c80dc754..d36d4ce95 100644 --- a/docs/api-guide/filtering.md +++ b/docs/api-guide/filtering.md @@ -235,7 +235,7 @@ For example: search_fields = ['=username', '=email'] -By default, the search parameter is named `'search'`, but this may be overridden with the `SEARCH_PARAM` setting. +By default, the search parameter is named `'search'`, but this may be overridden with the `SEARCH_PARAM` setting in the `REST_FRAMEWORK` configuration. To dynamically change search fields based on request content, it's possible to subclass the `SearchFilter` and override the `get_search_fields()` function. For example, the following subclass will only search on `title` if the query parameter `title_only` is in the request: @@ -257,7 +257,7 @@ The `OrderingFilter` class supports simple query parameter controlled ordering o ![Ordering Filter](../img/ordering-filter.png) -By default, the query parameter is named `'ordering'`, but this may be overridden with the `ORDERING_PARAM` setting. +By default, the query parameter is named `'ordering'`, but this may be overridden with the `ORDERING_PARAM` setting in the `REST_FRAMEWORK` configuration. For example, to order users by username: diff --git a/docs/api-guide/generic-views.md b/docs/api-guide/generic-views.md index 62a27263c..9bf21026a 100644 --- a/docs/api-guide/generic-views.md +++ b/docs/api-guide/generic-views.md @@ -96,9 +96,39 @@ For example: user = self.request.user return user.accounts.all() ---- +!!! tip + If the `serializer_class` used in the generic view spans ORM relations, leading to an N+1 problem, you could optimize your queryset in this method using `select_related` and `prefetch_related`. To get more information about N+1 problem and use cases of the mentioned methods refer to related section in [django documentation][django-docs-select-related]. -**Note:** If the `serializer_class` used in the generic view spans orm relations, leading to an n+1 problem, you could optimize your queryset in this method using `select_related` and `prefetch_related`. To get more information about n+1 problem and use cases of the mentioned methods refer to related section in [django documentation][django-docs-select-related]. +### Avoiding N+1 Queries + +When listing objects (e.g. using `ListAPIView` or `ModelViewSet`), serializers may trigger an N+1 query pattern if related objects are accessed individually for each item. + +To prevent this, optimize the queryset in `get_queryset()` or by setting the `queryset` class attribute using [`select_related()`](https://docs.djangoproject.com/en/stable/ref/models/querysets/#select-related) and [`prefetch_related()`](https://docs.djangoproject.com/en/stable/ref/models/querysets/#prefetch-related), depending on the type of relationship. + +**For ForeignKey and OneToOneField**: + +Use `select_related()` to fetch related objects in the same query: + + def get_queryset(self): + return Order.objects.select_related("customer", "billing_address") + +**For reverse and many-to-many relationships**: + +Use `prefetch_related()` to efficiently load collections of related objects: + + def get_queryset(self): + return Book.objects.prefetch_related("categories", "reviews__user") + +**Combining both**: + + def get_queryset(self): + return ( + Order.objects + .select_related("customer") + .prefetch_related("items__product") + ) + +These optimizations reduce repeated database access and improve list view performance. --- @@ -374,8 +404,6 @@ Allowing `PUT` as create operations is problematic, as it necessarily exposes in Both styles "`PUT` as 404" and "`PUT` as create" can be valid in different circumstances, but from version 3.0 onwards we now use 404 behavior as the default, due to it being simpler and more obvious. -If you need to generic PUT-as-create behavior you may want to include something like [this `AllowPUTAsCreateMixin` class](https://gist.github.com/tomchristie/a2ace4577eff2c603b1b) as a mixin to your views. - --- # Third party packages diff --git a/docs/api-guide/metadata.md b/docs/api-guide/metadata.md index 20708c6e3..f4e8ed2da 100644 --- a/docs/api-guide/metadata.md +++ b/docs/api-guide/metadata.md @@ -66,7 +66,7 @@ The REST framework package only includes a single metadata class implementation, ## Creating schema endpoints -If you have specific requirements for creating schema endpoints that are accessed with regular `GET` requests, you might consider re-using the metadata API for doing so. +If you have specific requirements for creating schema endpoints that are accessed with regular `GET` requests, you might consider reusing the metadata API for doing so. For example, the following additional route could be used on a viewset to provide a linkable schema endpoint. diff --git a/docs/api-guide/pagination.md b/docs/api-guide/pagination.md index 41887ffd8..e4e5f4979 100644 --- a/docs/api-guide/pagination.md +++ b/docs/api-guide/pagination.md @@ -108,7 +108,7 @@ To set these attributes you should override the `PageNumberPagination` class, an * `page_query_param` - A string value indicating the name of the query parameter to use for the pagination control. * `page_size_query_param` - If set, this is a string value indicating the name of a query parameter that allows the client to set the page size on a per-request basis. Defaults to `None`, indicating that the client may not control the requested page size. * `max_page_size` - If set, this is a numeric value indicating the maximum allowable requested page size. This attribute is only valid if `page_size_query_param` is also set. -* `last_page_strings` - A list or tuple of string values indicating values that may be used with the `page_query_param` to request the final page in the set. Defaults to `('last',)` +* `last_page_strings` - A list or tuple of string values indicating values that may be used with the `page_query_param` to request the final page in the set. Defaults to `('last',)`. For example, use `?page=last` to go directly to the last page. * `template` - The name of a template to use when rendering pagination controls in the browsable API. May be overridden to modify the rendering style, or set to `None` to disable HTML pagination controls completely. Defaults to `"rest_framework/pagination/numbers.html"`. --- diff --git a/docs/api-guide/parsers.md b/docs/api-guide/parsers.md index e5d117011..2859db825 100644 --- a/docs/api-guide/parsers.md +++ b/docs/api-guide/parsers.md @@ -17,15 +17,12 @@ REST framework includes a number of built-in Parser classes, that allow you to a The set of valid parsers for a view is always defined as a list of classes. When `request.data` is accessed, REST framework will examine the `Content-Type` header on the incoming request, and determine which parser to use to parse the request content. ---- +!!! note + When developing client applications always remember to make sure you're setting the `Content-Type` header when sending data in an HTTP request. -**Note**: When developing client applications always remember to make sure you're setting the `Content-Type` header when sending data in an HTTP request. + If you don't set the content type, most clients will default to using `'application/x-www-form-urlencoded'`, which may not be what you want. -If you don't set the content type, most clients will default to using `'application/x-www-form-urlencoded'`, which may not be what you wanted. - -As an example, if you are sending `json` encoded data using jQuery with the [.ajax() method][jquery-ajax], you should make sure to include the `contentType: 'application/json'` setting. - ---- + As an example, if you are sending `json` encoded data using jQuery with the [.ajax() method][jquery-ajax], you should make sure to include the `contentType: 'application/json'` setting. ## Setting the parsers diff --git a/docs/api-guide/permissions.md b/docs/api-guide/permissions.md index c6d9f9338..b8179490e 100644 --- a/docs/api-guide/permissions.md +++ b/docs/api-guide/permissions.md @@ -51,18 +51,15 @@ For example: self.check_object_permissions(self.request, obj) return obj ---- +!!! note + With the exception of `DjangoObjectPermissions`, the provided + permission classes in `rest_framework.permissions` **do not** implement the + methods necessary to check object permissions. -**Note**: With the exception of `DjangoObjectPermissions`, the provided -permission classes in `rest_framework.permissions` **do not** implement the -methods necessary to check object permissions. - -If you wish to use the provided permission classes in order to check object -permissions, **you must** subclass them and implement the -`has_object_permission()` method described in the [_Custom -permissions_](#custom-permissions) section (below). - ---- + If you wish to use the provided permission classes in order to check object + permissions, **you must** subclass them and implement the + `has_object_permission()` method described in the [_Custom + permissions_](#custom-permissions) section (below). #### Limitations of object level permissions @@ -118,7 +115,8 @@ Or, if you're using the `@api_view` decorator with function based views. } return Response(content) -__Note:__ when you set new permission classes via the class attribute or decorators you're telling the view to ignore the default list set in the __settings.py__ file. +!!! note + When you set new permission classes via the class attribute or decorators you're telling the view to ignore the default list set in the ``settings.py`` file. Provided they inherit from `rest_framework.permissions.BasePermission`, permissions can be composed using standard Python bitwise operators. For example, `IsAuthenticatedOrReadOnly` could be written: @@ -131,7 +129,7 @@ Provided they inherit from `rest_framework.permissions.BasePermission`, permissi return request.method in SAFE_METHODS class ExampleView(APIView): - permission_classes = [IsAuthenticated|ReadOnly] + permission_classes = [IsAuthenticated | ReadOnly] def get(self, request, format=None): content = { @@ -139,9 +137,8 @@ Provided they inherit from `rest_framework.permissions.BasePermission`, permissi } return Response(content) -__Note:__ it supports & (and), | (or) and ~ (not). - ---- +!!! note + Composition of permissions supports `&` (and), `|` (or) and `~` (not) operators. # API Reference @@ -185,7 +182,7 @@ To use custom model permissions, override `DjangoModelPermissions` and set the ` Similar to `DjangoModelPermissions`, but also allows unauthenticated users to have read-only access to the API. -## DjangoObjectPermissions +## DjangoObjectPermissions This permission class ties into Django's standard [object permissions framework][objectpermissions] that allows per-object permissions on models. In order to use this permission class, you'll also need to add a permission backend that supports object-level permissions, such as [django-guardian][guardian]. @@ -199,11 +196,8 @@ Note that `DjangoObjectPermissions` **does not** require the `django-guardian` p As with `DjangoModelPermissions` you can use custom model permissions by overriding `DjangoObjectPermissions` and setting the `.perms_map` property. Refer to the source code for details. ---- - -**Note**: If you need object level `view` permissions for `GET`, `HEAD` and `OPTIONS` requests and are using django-guardian for your object-level permissions backend, you'll want to consider using the `DjangoObjectPermissionsFilter` class provided by the [`djangorestframework-guardian` package][django-rest-framework-guardian]. It ensures that list endpoints only return results including objects for which the user has appropriate view permissions. - ---- +!!! note + If you need object level `view` permissions for `GET`, `HEAD` and `OPTIONS` requests and are using django-guardian for your object-level permissions backend, you'll want to consider using the `DjangoObjectPermissionsFilter` class provided by the [`djangorestframework-guardian` package][django-rest-framework-guardian]. It ensures that list endpoints only return results including objects for which the user has appropriate view permissions. # Custom permissions @@ -221,11 +215,8 @@ If you need to test if a request is a read operation or a write operation, you s else: # Check permissions for write request ---- - -**Note**: The instance-level `has_object_permission` method will only be called if the view-level `has_permission` checks have already passed. Also note that in order for the instance-level checks to run, the view code should explicitly call `.check_object_permissions(request, obj)`. If you are using the generic views then this will be handled for you by default. (Function-based views will need to check object permissions explicitly, raising `PermissionDenied` on failure.) - ---- +!!! note + The instance-level `has_object_permission` method will only be called if the view-level `has_permission` checks have already passed. Also note that in order for the instance-level checks to run, the view code should explicitly call `.check_object_permissions(request, obj)`. If you are using the generic views then this will be handled for you by default. (Function-based views will need to check object permissions explicitly, raising `PermissionDenied` on failure.) Custom permissions will raise a `PermissionDenied` exception if the test fails. To change the error message associated with the exception, implement a `message` attribute directly on your custom permission. Otherwise the `default_detail` attribute from `PermissionDenied` will be used. Similarly, to change the code identifier associated with the exception, implement a `code` attribute directly on your custom permission - otherwise the `default_code` attribute from `PermissionDenied` will be used. @@ -340,6 +331,10 @@ The [Django Rest Framework Role Filters][django-rest-framework-role-filters] pac The [Django Rest Framework PSQ][drf-psq] package is an extension that gives support for having action-based **permission_classes**, **serializer_class**, and **queryset** dependent on permission-based rules. +## Axioms DRF PY + +The [Axioms DRF PY][axioms-drf-py] package is an extension that provides support for authentication and claim-based fine-grained authorization (**scopes**, **roles**, **groups**, **permissions**, etc. including object-level checks) using JWT tokens issued by an OAuth2/OIDC Authorization Server including AWS Cognito, Auth0, Okta, Microsoft Entra, etc. + [cite]: https://developer.apple.com/library/mac/#documentation/security/Conceptual/AuthenticationAndAuthorizationGuide/Authorization/Authorization.html [authentication]: authentication.md @@ -359,3 +354,4 @@ The [Django Rest Framework PSQ][drf-psq] package is an extension that gives supp [django-rest-framework-guardian]: https://github.com/rpkilby/django-rest-framework-guardian [drf-access-policy]: https://github.com/rsinger86/drf-access-policy [drf-psq]: https://github.com/drf-psq/drf-psq +[axioms-drf-py]: https://github.com/abhishektiwari/axioms-drf-py diff --git a/docs/api-guide/relations.md b/docs/api-guide/relations.md index 7c4eece4b..bd958f0ac 100644 --- a/docs/api-guide/relations.md +++ b/docs/api-guide/relations.md @@ -11,42 +11,36 @@ source: Relational fields are used to represent model relationships. They can be applied to `ForeignKey`, `ManyToManyField` and `OneToOneField` relationships, as well as to reverse relationships, and custom relationships such as `GenericForeignKey`. ---- +!!! note + The relational fields are declared in `relations.py`, but by convention you should import them from the `serializers` module, using `from rest_framework import serializers` and refer to fields as `serializers.`. -**Note:** The relational fields are declared in `relations.py`, but by convention you should import them from the `serializers` module, using `from rest_framework import serializers` and refer to fields as `serializers.`. +!!! note + REST Framework does not attempt to automatically optimize querysets passed to serializers in terms of `select_related` and `prefetch_related` since it would be too much magic. A serializer with a field spanning an ORM relation through its source attribute could require an additional database hit to fetch related objects from the database. It is the programmer's responsibility to optimize queries to avoid additional database hits which could occur while using such a serializer. ---- - ---- - -**Note:** REST Framework does not attempt to automatically optimize querysets passed to serializers in terms of `select_related` and `prefetch_related` since it would be too much magic. A serializer with a field spanning an orm relation through its source attribute could require an additional database hit to fetch related objects from the database. It is the programmer's responsibility to optimize queries to avoid additional database hits which could occur while using such a serializer. - -For example, the following serializer would lead to a database hit each time evaluating the tracks field if it is not prefetched: - - class AlbumSerializer(serializers.ModelSerializer): - tracks = serializers.SlugRelatedField( - many=True, - read_only=True, - slug_field='title' - ) - - class Meta: - model = Album - fields = ['album_name', 'artist', 'tracks'] - - # For each album object, tracks should be fetched from database - qs = Album.objects.all() - print(AlbumSerializer(qs, many=True).data) - -If `AlbumSerializer` is used to serialize a fairly large queryset with `many=True` then it could be a serious performance problem. Optimizing the queryset passed to `AlbumSerializer` with: - - qs = Album.objects.prefetch_related('tracks') - # No additional database hits required - print(AlbumSerializer(qs, many=True).data) - -would solve the issue. - ---- + For example, the following serializer would lead to a database hit each time evaluating the tracks field if it is not prefetched: + + class AlbumSerializer(serializers.ModelSerializer): + tracks = serializers.SlugRelatedField( + many=True, + read_only=True, + slug_field='title' + ) + + class Meta: + model = Album + fields = ['album_name', 'artist', 'tracks'] + + # For each album object, tracks should be fetched from database + qs = Album.objects.all() + print(AlbumSerializer(qs, many=True).data) + + If `AlbumSerializer` is used to serialize a fairly large queryset with `many=True` then it could be a serious performance problem. Optimizing the queryset passed to `AlbumSerializer` with: + + qs = Album.objects.prefetch_related('tracks') + # No additional database hits required + print(AlbumSerializer(qs, many=True).data) + + would solve the issue. #### Inspecting relationships. @@ -183,15 +177,12 @@ Would serialize to a representation like this: By default this field is read-write, although you can change this behavior using the `read_only` flag. ---- +!!! note + This field is designed for objects that map to a URL that accepts a single URL keyword argument, as set using the `lookup_field` and `lookup_url_kwarg` arguments. -**Note**: This field is designed for objects that map to a URL that accepts a single URL keyword argument, as set using the `lookup_field` and `lookup_url_kwarg` arguments. + This is suitable for URLs that contain a single primary key or slug argument as part of the URL. -This is suitable for URLs that contain a single primary key or slug argument as part of the URL. - -If you require more complex hyperlinked representation you'll need to customize the field, as described in the [custom hyperlinked fields](#custom-hyperlinked-fields) section, below. - ---- + If you require more complex hyperlinked representation you'll need to customize the field, as described in the [custom hyperlinked fields](#custom-hyperlinked-fields) section, below. **Arguments**: @@ -300,7 +291,7 @@ For example, the following serializer: Would serialize to a nested representation like this: - >>> album = Album.objects.create(album_name="The Grey Album", artist='Danger Mouse') + >>> album = Album.objects.create(album_name="The Gray Album", artist='Danger Mouse') >>> Track.objects.create(album=album, order=1, title='Public Service Announcement', duration=245) >>> Track.objects.create(album=album, order=2, title='What More Can I Say', duration=264) @@ -310,7 +301,7 @@ Would serialize to a nested representation like this: >>> serializer = AlbumSerializer(instance=album) >>> serializer.data { - 'album_name': 'The Grey Album', + 'album_name': 'The Gray Album', 'artist': 'Danger Mouse', 'tracks': [ {'order': 1, 'title': 'Public Service Announcement', 'duration': 245}, @@ -344,7 +335,7 @@ By default nested serializers are read-only. If you want to support write-operat return album >>> data = { - 'album_name': 'The Grey Album', + 'album_name': 'The Gray Album', 'artist': 'Danger Mouse', 'tracks': [ {'order': 1, 'title': 'Public Service Announcement', 'duration': 245}, diff --git a/docs/api-guide/renderers.md b/docs/api-guide/renderers.md index 7a6bd39f4..68af08df5 100644 --- a/docs/api-guide/renderers.md +++ b/docs/api-guide/renderers.md @@ -103,15 +103,10 @@ Unlike other renderers, the data passed to the `Response` does not need to be se The TemplateHTMLRenderer will create a `RequestContext`, using the `response.data` as the context dict, and determine a template name to use to render the context. ---- +!!! note + When used with a view that makes use of a serializer the `Response` sent for rendering may not be a dictionary and will need to be wrapped in a dict before returning to allow the `TemplateHTMLRenderer` to render it. For example: -**Note:** When used with a view that makes use of a serializer the `Response` sent for rendering may not be a dictionary and will need to be wrapped in a dict before returning to allow the `TemplateHTMLRenderer` to render it. For example: - -``` -response.data = {'results': response.data} -``` - ---- + response.data = {'results': response.data} The template name is determined by (in order of preference): @@ -134,7 +129,7 @@ An example of a view that uses `TemplateHTMLRenderer`: You can use `TemplateHTMLRenderer` either to return regular HTML pages using REST framework, or to return both HTML and API responses from a single endpoint. -If you're building websites that use `TemplateHTMLRenderer` along with other renderer classes, you should consider listing `TemplateHTMLRenderer` as the first class in the `renderer_classes` list, so that it will be prioritised first even for browsers that send poorly formed `ACCEPT:` headers. +If you're building websites that use `TemplateHTMLRenderer` along with other renderer classes, you should consider listing `TemplateHTMLRenderer` as the first class in the `renderer_classes` list, so that it will be prioritized first even for browsers that send poorly formed `ACCEPT:` headers. See the [_HTML & Forms_ Topic Page][html-and-forms] for further examples of `TemplateHTMLRenderer` usage. @@ -202,13 +197,16 @@ This renderer is suitable for CRUD-style web APIs that should also present a use Note that views that have nested or list serializers for their input won't work well with the `AdminRenderer`, as the HTML forms are unable to properly support them. -**Note**: The `AdminRenderer` is only able to include links to detail pages when a properly configured `URL_FIELD_NAME` (`url` by default) attribute is present in the data. For `HyperlinkedModelSerializer` this will be the case, but for `ModelSerializer` or plain `Serializer` classes you'll need to make sure to include the field explicitly. For example here we use models `get_absolute_url` method: +!!! note + The `AdminRenderer` is only able to include links to detail pages when a properly configured `URL_FIELD_NAME` (`url` by default) attribute is present in the data. For `HyperlinkedModelSerializer` this will be the case, but for `ModelSerializer` or plain `Serializer` classes you'll need to make sure to include the field explicitly. - class AccountSerializer(serializers.ModelSerializer): - url = serializers.CharField(source='get_absolute_url', read_only=True) + For example here we use models `get_absolute_url` method: - class Meta: - model = Account + class AccountSerializer(serializers.ModelSerializer): + url = serializers.CharField(source='get_absolute_url', read_only=True) + + class Meta: + model = Account **.media_type**: `text/html` @@ -390,9 +388,8 @@ Exceptions raised and handled by an HTML renderer will attempt to render using o Templates will render with a `RequestContext` which includes the `status_code` and `details` keys. -**Note**: If `DEBUG=True`, Django's standard traceback error page will be displayed instead of rendering the HTTP status code and text. - ---- +!!! note + If `DEBUG=True`, Django's standard traceback error page will be displayed instead of rendering the HTTP status code and text. # Third party packages @@ -444,13 +441,10 @@ Modify your REST framework settings. [REST framework JSONP][rest-framework-jsonp] provides JSONP rendering support. It was previously included directly in the REST framework package, and is now instead supported as a third-party package. ---- +!!! warning + If you require cross-domain AJAX requests, you should generally be using the more modern approach of [CORS][cors] as an alternative to `JSONP`. See the [CORS documentation][cors-docs] for more details. -**Warning**: If you require cross-domain AJAX requests, you should generally be using the more modern approach of [CORS][cors] as an alternative to `JSONP`. See the [CORS documentation][cors-docs] for more details. - -The `jsonp` approach is essentially a browser hack, and is [only appropriate for globally readable API endpoints][jsonp-security], where `GET` requests are unauthenticated and do not require any user permissions. - ---- + The `jsonp` approach is essentially a browser hack, and is [only appropriate for globally readable API endpoints][jsonp-security], where `GET` requests are unauthenticated and do not require any user permissions. #### Installation & configuration diff --git a/docs/api-guide/requests.md b/docs/api-guide/requests.md index d072ac436..b6d11e185 100644 --- a/docs/api-guide/requests.md +++ b/docs/api-guide/requests.md @@ -39,13 +39,10 @@ The `APIView` class or `@api_view` decorator will ensure that this property is a You won't typically need to access this property. ---- +!!! note + If a client sends malformed content, then accessing `request.data` may raise a `ParseError`. By default REST framework's `APIView` class or `@api_view` decorator will catch the error and return a `400 Bad Request` response. -**Note:** If a client sends malformed content, then accessing `request.data` may raise a `ParseError`. By default REST framework's `APIView` class or `@api_view` decorator will catch the error and return a `400 Bad Request` response. - -If a client sends a request with a content-type that cannot be parsed then a `UnsupportedMediaType` exception will be raised, which by default will be caught and return a `415 Unsupported Media Type` response. - ---- + If a client sends a request with a content-type that cannot be parsed then a `UnsupportedMediaType` exception will be raised, which by default will be caught and return a `415 Unsupported Media Type` response. # Content negotiation @@ -91,11 +88,8 @@ The `APIView` class or `@api_view` decorator will ensure that this property is a You won't typically need to access this property. ---- - -**Note:** You may see a `WrappedAttributeError` raised when calling the `.user` or `.auth` properties. These errors originate from an authenticator as a standard `AttributeError`, however it's necessary that they be re-raised as a different exception type in order to prevent them from being suppressed by the outer property access. Python will not recognize that the `AttributeError` originates from the authenticator and will instead assume that the request object does not have a `.user` or `.auth` property. The authenticator will need to be fixed. - ---- +!!! note + You may see a `WrappedAttributeError` raised when calling the `.user` or `.auth` properties. These errors originate from an authenticator as a standard `AttributeError`, however it's necessary that they be re-raised as a different exception type in order to prevent them from being suppressed by the outer property access. Python will not recognize that the `AttributeError` originates from the authenticator and will instead assume that the request object does not have a `.user` or `.auth` property. The authenticator will need to be fixed. # Browser enhancements diff --git a/docs/api-guide/responses.md b/docs/api-guide/responses.md index dbdc8ff2c..00fe95196 100644 --- a/docs/api-guide/responses.md +++ b/docs/api-guide/responses.md @@ -11,7 +11,7 @@ source: REST framework supports HTTP content negotiation by providing a `Response` class which allows you to return content that can be rendered into multiple content types, depending on the client request. -The `Response` class subclasses Django's `SimpleTemplateResponse`. `Response` objects are initialised with data, which should consist of native Python primitives. REST framework then uses standard HTTP content negotiation to determine how it should render the final response content. +The `Response` class subclasses Django's `SimpleTemplateResponse`. `Response` objects are initialized with data, which should consist of native Python primitives. REST framework then uses standard HTTP content negotiation to determine how it should render the final response content. There's no requirement for you to use the `Response` class, you can also return regular `HttpResponse` or `StreamingHttpResponse` objects from your views if required. Using the `Response` class simply provides a nicer interface for returning content-negotiated Web API responses, that can be rendered to multiple formats. diff --git a/docs/api-guide/routers.md b/docs/api-guide/routers.md index d2be3991f..4ef4d789b 100644 --- a/docs/api-guide/routers.md +++ b/docs/api-guide/routers.md @@ -40,17 +40,14 @@ The example above would generate the following URL patterns: * URL pattern: `^accounts/$` Name: `'account-list'` * URL pattern: `^accounts/{pk}/$` Name: `'account-detail'` ---- +!!! note + The `basename` argument is used to specify the initial part of the view name pattern. In the example above, that's the `user` or `account` part. -**Note**: The `basename` argument is used to specify the initial part of the view name pattern. In the example above, that's the `user` or `account` part. + Typically you won't *need* to specify the `basename` argument, but if you have a viewset where you've defined a custom `get_queryset` method, then the viewset may not have a `.queryset` attribute set. If you try to register that viewset you'll see an error like this: -Typically you won't *need* to specify the `basename` argument, but if you have a viewset where you've defined a custom `get_queryset` method, then the viewset may not have a `.queryset` attribute set. If you try to register that viewset you'll see an error like this: + 'basename' argument not specified, and could not automatically determine the name from the viewset, as it does not have a '.queryset' attribute. - 'basename' argument not specified, and could not automatically determine the name from the viewset, as it does not have a '.queryset' attribute. - -This means you'll need to explicitly set the `basename` argument when registering the viewset, as it could not be automatically determined from the model name. - ---- + This means you'll need to explicitly set the `basename` argument when registering the viewset, as it could not be automatically determined from the model name. ### Using `include` with routers @@ -91,16 +88,13 @@ Or both an application and instance namespace: See Django's [URL namespaces docs][url-namespace-docs] and the [`include` API reference][include-api-reference] for more details. ---- - -**Note**: If using namespacing with hyperlinked serializers you'll also need to ensure that any `view_name` parameters -on the serializers correctly reflect the namespace. In the examples above you'd need to include a parameter such as -`view_name='app_name:user-detail'` for serializer fields hyperlinked to the user detail view. - -The automatic `view_name` generation uses a pattern like `%(model_name)-detail`. Unless your models names actually clash -you may be better off **not** namespacing your Django REST Framework views when using hyperlinked serializers. - ---- +!!! note + If using namespacing with hyperlinked serializers you'll also need to ensure that any `view_name` parameters + on the serializers correctly reflect the namespace. In the examples above you'd need to include a parameter such as + `view_name='app_name:user-detail'` for serializer fields hyperlinked to the user detail view. + + The automatic `view_name` generation uses a pattern like `%(model_name)-detail`. Unless your models names actually clash + you may be better off **not** namespacing your Django REST Framework views when using hyperlinked serializers. ### Routing for extra actions diff --git a/docs/api-guide/schemas.md b/docs/api-guide/schemas.md index c74d00cb7..2a6b684e8 100644 --- a/docs/api-guide/schemas.md +++ b/docs/api-guide/schemas.md @@ -20,7 +20,7 @@ package and then subsequently retired over the next releases. As a full-fledged replacement, we recommend the [drf-spectacular] package. It has extensive support for generating OpenAPI 3 schemas from -REST framework APIs, with both automatic and customisable options available. +REST framework APIs, with both automatic and customizable options available. For further information please refer to [Documenting your API](../topics/documenting-your-api.md#drf-spectacular). @@ -238,15 +238,12 @@ operation = auto_schema.get_operation(...) In compiling the schema, `SchemaGenerator` calls `get_components()` and `get_operation()` for each view, allowed method, and path. ----- - -**Note**: The automatic introspection of components, and many operation -parameters relies on the relevant attributes and methods of -`GenericAPIView`: `get_serializer()`, `pagination_class`, `filter_backends`, -etc. For basic `APIView` subclasses, default introspection is essentially limited to -the URL kwarg path parameters for this reason. - ----- +!!! note + The automatic introspection of components, and many operation + parameters relies on the relevant attributes and methods of + `GenericAPIView`: `get_serializer()`, `pagination_class`, `filter_backends`, + etc. For basic `APIView` subclasses, default introspection is essentially limited to + the URL kwarg path parameters for this reason. `AutoSchema` encapsulates the view introspection needed for schema generation. Because of this all the schema generation logic is kept in a single place, diff --git a/docs/api-guide/serializers.md b/docs/api-guide/serializers.md index 3ce8f887f..f7a9f1bb2 100644 --- a/docs/api-guide/serializers.md +++ b/docs/api-guide/serializers.md @@ -48,7 +48,7 @@ We can now use `CommentSerializer` to serialize a comment, or list of comments. serializer.data # {'email': 'leila@example.com', 'content': 'foo bar', 'created': '2016-01-27T15:17:10.375877'} -At this point we've translated the model instance into Python native datatypes. To finalise the serialization process we render the data into `json`. +At this point we've translated the model instance into Python native datatypes. To finalize the serialization process we render the data into `json`. from rest_framework.renderers import JSONRenderer @@ -155,7 +155,7 @@ When deserializing data, you always need to call `is_valid()` before attempting serializer.is_valid() # False serializer.errors - # {'email': ['Enter a valid e-mail address.'], 'created': ['This field is required.']} + # {'email': ['Enter a valid email address.'], 'created': ['This field is required.']} Each key in the dictionary will be the field name, and the values will be lists of strings of any error messages corresponding to that field. The `non_field_errors` key may also be present, and will list any general validation errors. The name of the `non_field_errors` key may be customized using the `NON_FIELD_ERRORS_KEY` REST framework setting. @@ -192,11 +192,8 @@ Your `validate_` methods should return the validated value or raise raise serializers.ValidationError("Blog post is not about Django") return value ---- - -**Note:** If your `` is declared on your serializer with the parameter `required=False` then this validation step will not take place if the field is not included. - ---- +!!! note + If your `` is declared on your serializer with the parameter `required=False` then this validation step will not take place if the field is not included. #### Object-level validation @@ -298,7 +295,7 @@ When dealing with nested representations that support deserializing the data, an serializer.is_valid() # False serializer.errors - # {'user': {'email': ['Enter a valid e-mail address.']}, 'created': ['This field is required.']} + # {'user': {'email': ['Enter a valid email address.']}, 'created': ['This field is required.']} Similarly, the `.validated_data` property will include nested data structures. @@ -542,20 +539,16 @@ This option should be a list or tuple of field names, and is declared as follows Model fields which have `editable=False` set, and `AutoField` fields will be set to read-only by default, and do not need to be added to the `read_only_fields` option. ---- +!!! note + There is a special-case where a read-only field is part of a `unique_together` constraint at the model level. In this case the field is required by the serializer class in order to validate the constraint, but should also not be editable by the user. -**Note**: There is a special-case where a read-only field is part of a `unique_together` constraint at the model level. In this case the field is required by the serializer class in order to validate the constraint, but should also not be editable by the user. + The right way to deal with this is to specify the field explicitly on the serializer, providing both the `read_only=True` and `default=…` keyword arguments. -The right way to deal with this is to specify the field explicitly on the serializer, providing both the `read_only=True` and `default=…` keyword arguments. + One example of this is a read-only relation to the currently authenticated `User` which is `unique_together` with another identifier. In this case you would declare the user field like so: -One example of this is a read-only relation to the currently authenticated `User` which is `unique_together` with another identifier. In this case you would declare the user field like so: - - user = serializers.PrimaryKeyRelatedField(read_only=True, default=serializers.CurrentUserDefault()) - -Please review the [Validators Documentation](/api-guide/validators/) for details on the [UniqueTogetherValidator](/api-guide/validators/#uniquetogethervalidator) and [CurrentUserDefault](/api-guide/validators/#currentuserdefault) classes. - ---- + user = serializers.PrimaryKeyRelatedField(read_only=True, default=serializers.CurrentUserDefault()) + Please review the [Validators Documentation](/api-guide/validators/) for details on the [UniqueTogetherValidator](/api-guide/validators/#uniquetogethervalidator) and [CurrentUserDefault](/api-guide/validators/#currentuserdefault) classes. ## Additional keyword arguments @@ -708,7 +701,7 @@ You can override a URL field view name and lookup field by using either, or both class AccountSerializer(serializers.HyperlinkedModelSerializer): class Meta: model = Account - fields = ['account_url', 'account_name', 'users', 'created'] + fields = ['url', 'account_name', 'users', 'created'] extra_kwargs = { 'url': {'view_name': 'accounts', 'lookup_field': 'account_name'}, 'users': {'lookup_field': 'username'} diff --git a/docs/api-guide/settings.md b/docs/api-guide/settings.md index 2a070b77e..390dbd911 100644 --- a/docs/api-guide/settings.md +++ b/docs/api-guide/settings.md @@ -371,6 +371,14 @@ When set to `True`, the serializer `DecimalField` class will return strings inst Default: `True` +#### COERCE_BIGINT_TO_STRING + +When returning biginteger objects in API representations that do not support numbers up to 2^64, it is best to return the value as a string. This avoids the loss of precision that occurs with biginteger implementations. + +When set to `True`, the serializer `BigIntegerField` class (by default) will return strings instead of `BigInteger` objects. When set to `False`, serializers will return `BigInteger` objects, which the default JSON encoder will return as numbers. + +Default: `False` + --- ## View names and descriptions diff --git a/docs/api-guide/testing.md b/docs/api-guide/testing.md index 97b432ddd..aa8d59d54 100644 --- a/docs/api-guide/testing.md +++ b/docs/api-guide/testing.md @@ -90,36 +90,32 @@ For example, when forcibly authenticating using a token, you might do something request = factory.get('/accounts/django-superstars/') force_authenticate(request, user=user, token=user.auth_token) ---- +!!! note + `force_authenticate` directly sets `request.user` to the in-memory `user` instance. If you are reusing the same `user` instance across multiple tests that update the saved `user` state, you may need to call [`refresh_from_db()`][refresh_from_db_docs] between tests. -**Note**: `force_authenticate` directly sets `request.user` to the in-memory `user` instance. If you are re-using the same `user` instance across multiple tests that update the saved `user` state, you may need to call [`refresh_from_db()`][refresh_from_db_docs] between tests. +!!! note + When using `APIRequestFactory`, the object that is returned is Django's standard `HttpRequest`, and not REST framework's `Request` object, which is only generated once the view is called. ---- - -**Note**: When using `APIRequestFactory`, the object that is returned is Django's standard `HttpRequest`, and not REST framework's `Request` object, which is only generated once the view is called. - -This means that setting attributes directly on the request object may not always have the effect you expect. For example, setting `.token` directly will have no effect, and setting `.user` directly will only work if session authentication is being used. - - # Request will only authenticate if `SessionAuthentication` is in use. - request = factory.get('/accounts/django-superstars/') - request.user = user - response = view(request) - -If you want to test a request involving the REST framework’s 'Request' object, you’ll need to manually transform it first: - - class DummyView(APIView): - ... - - factory = APIRequestFactory() - request = factory.get('/', {'demo': 'test'}) - drf_request = DummyView().initialize_request(request) - assert drf_request.query_params == {'demo': ['test']} - - request = factory.post('/', {'example': 'test'}) - drf_request = DummyView().initialize_request(request) - assert drf_request.data.get('example') == 'test' - ---- + This means that setting attributes directly on the request object may not always have the effect you expect. For example, setting `.token` directly will have no effect, and setting `.user` directly will only work if session authentication is being used. + + # Request will only authenticate if `SessionAuthentication` is in use. + request = factory.get('/accounts/django-superstars/') + request.user = user + response = view(request) + + If you want to test a request involving the REST framework’s 'Request' object, you’ll need to manually transform it first: + + class DummyView(APIView): + ... + + factory = APIRequestFactory() + request = factory.get('/', {'demo': 'test'}) + drf_request = DummyView().initialize_request(request) + assert drf_request.query_params == {'demo': ['test']} + + request = factory.post('/', {'example': 'test'}) + drf_request = DummyView().initialize_request(request) + assert drf_request.data.get('example') == 'test' ## Forcing CSRF validation @@ -127,11 +123,8 @@ By default, requests created with `APIRequestFactory` will not have CSRF validat factory = APIRequestFactory(enforce_csrf_checks=True) ---- - -**Note**: It's worth noting that Django's standard `RequestFactory` doesn't need to include this option, because when using regular Django the CSRF validation takes place in middleware, which is not run when testing views directly. When using REST framework, CSRF validation takes place inside the view, so the request factory needs to disable view-level CSRF checks. - ---- +!!! note + It's worth noting that Django's standard `RequestFactory` doesn't need to include this option, because when using regular Django the CSRF validation takes place in middleware, which is not run when testing views directly. When using REST framework, CSRF validation takes place inside the view, so the request factory needs to disable view-level CSRF checks. # APIClient @@ -264,7 +257,7 @@ For example... csrftoken = response.cookies['csrftoken'] # Interact with the API. - response = client.post('http://testserver/organisations/', json={ + response = client.post('http://testserver/organizations/', json={ 'name': 'MegaCorp', 'status': 'active' }, headers={'X-CSRFToken': csrftoken}) @@ -292,12 +285,12 @@ The CoreAPIClient allows you to interact with your API using the Python client = CoreAPIClient() schema = client.get('http://testserver/schema/') - # Create a new organisation + # Create a new organization params = {'name': 'MegaCorp', 'status': 'active'} - client.action(schema, ['organisations', 'create'], params) + client.action(schema, ['organizations', 'create'], params) - # Ensure that the organisation exists in the listing - data = client.action(schema, ['organisations', 'list']) + # Ensure that the organization exists in the listing + data = client.action(schema, ['organizations', 'list']) assert(len(data) == 1) assert(data == [{'name': 'MegaCorp', 'status': 'active'}]) @@ -353,6 +346,7 @@ REST framework also provides a test case class for isolating `urlpatterns` on a ## Example from django.urls import include, path, reverse + from rest_framework import status from rest_framework.test import APITestCase, URLPatternsTestCase diff --git a/docs/api-guide/throttling.md b/docs/api-guide/throttling.md index 0ea8b4158..899c134ae 100644 --- a/docs/api-guide/throttling.md +++ b/docs/api-guide/throttling.md @@ -19,9 +19,9 @@ Multiple throttles can also be used if you want to impose both burst throttling Throttles do not necessarily only refer to rate-limiting requests. For example a storage service might also need to throttle against bandwidth, and a paid data service might want to throttle against a certain number of a records being accessed. -**The application-level throttling that REST framework provides should not be considered a security measure or protection against brute forcing or denial-of-service attacks. Deliberately malicious actors will always be able to spoof IP origins. In addition to this, the built-in throttling implementations are implemented using Django's cache framework, and use non-atomic operations to determine the request rate, which may sometimes result in some fuzziness. +**The application-level throttling that REST framework provides should not be considered a security measure or protection against brute forcing or denial-of-service attacks. Deliberately malicious actors will always be able to spoof IP origins. In addition to this, the built-in throttling implementations are implemented using Django's cache framework, and use non-atomic operations to determine the request rate, which may sometimes result in some fuzziness.** -The application-level throttling provided by REST framework is intended for implementing policies such as different business tiers and basic protections against service over-use.** +**The application-level throttling provided by REST framework is intended for implementing policies such as different business tiers and basic protections against service over-use.** ## How throttling is determined diff --git a/docs/api-guide/validators.md b/docs/api-guide/validators.md index e3407e8a3..71e6527f8 100644 --- a/docs/api-guide/validators.md +++ b/docs/api-guide/validators.md @@ -5,7 +5,7 @@ source: # Validators -> Validators can be useful for re-using validation logic between different types of fields. +> Validators can be useful for reusing validation logic between different types of fields. > > — [Django documentation][cite] @@ -101,11 +101,8 @@ The validator should be applied to *serializer classes*, like so: ) ] ---- - -**Note**: The `UniqueTogetherValidator` class always imposes an implicit constraint that all the fields it applies to are always treated as required. Fields with `default` values are an exception to this as they always supply a value even when omitted from user input. - ---- +!!! note + The `UniqueTogetherValidator` class always imposes an implicit constraint that all the fields it applies to are always treated as required. Fields with `default` values are an exception to this as they always supply a value even when omitted from user input. ## UniqueForDateValidator @@ -158,24 +155,19 @@ If you want the date field to be entirely hidden from the user, then use `Hidden published = serializers.HiddenField(default=timezone.now) ---- +!!! note + The `UniqueForValidator` classes impose an implicit constraint that the fields they are applied to are always treated as required. Fields with `default` values are an exception to this as they always supply a value even when omitted from user input. -**Note**: The `UniqueForValidator` classes impose an implicit constraint that the fields they are applied to are always treated as required. Fields with `default` values are an exception to this as they always supply a value even when omitted from user input. - ---- - ---- - -**Note:** `HiddenField()` does not appear in `partial=True` serializer (when making `PATCH` request). - ---- +!!! note + `HiddenField()` does not appear in `partial=True` serializer (when making `PATCH` request). # Advanced field defaults Validators that are applied across multiple fields in the serializer can sometimes require a field input that should not be provided by the API client, but that *is* available as input to the validator. For this purposes use `HiddenField`. This field will be present in `validated_data` but *will not* be used in the serializer output representation. -**Note:** Using a `read_only=True` field is excluded from writable fields so it won't use a `default=…` argument. Look [3.8 announcement](https://www.django-rest-framework.org/community/3.8-announcement/#altered-the-behaviour-of-read_only-plus-default-on-field). +!!! note + Using a `read_only=True` field is excluded from writable fields so it won't use a `default=…` argument. Look [3.8 announcement](https://www.django-rest-framework.org/community/3.8-announcement/#altered-the-behavior-of-read_only-plus-default-on-field). REST framework includes a couple of defaults that may be useful in this context. diff --git a/docs/api-guide/views.md b/docs/api-guide/views.md index b293de75a..9c9bd9af6 100644 --- a/docs/api-guide/views.md +++ b/docs/api-guide/views.md @@ -45,11 +45,8 @@ For example: usernames = [user.username for user in User.objects.all()] return Response(usernames) ---- - -**Note**: The full methods, attributes on, and relations between Django REST Framework's `APIView`, `GenericAPIView`, various `Mixins`, and `Viewsets` can be initially complex. In addition to the documentation here, the [Classy Django REST Framework][classy-drf] resource provides a browsable reference, with full methods and attributes, for each of Django REST Framework's class-based views. - ---- +!!! note + The full methods, attributes on, and relations between Django REST Framework's `APIView`, `GenericAPIView`, various `Mixins`, and `Viewsets` can be initially complex. In addition to the documentation here, the [Classy Django REST Framework][classy-drf] resource provides a browsable reference, with full methods and attributes, for each of Django REST Framework's class-based views. ## API policy attributes @@ -186,8 +183,13 @@ The available decorators are: * `@authentication_classes(...)` * `@throttle_classes(...)` * `@permission_classes(...)` +* `@content_negotiation_class(...)` +* `@metadata_class(...)` +* `@versioning_class(...)` -Each of these decorators takes a single argument which must be a list or tuple of classes. +Each of these decorators is equivalent to setting their respective [api policy attributes][api-policy-attributes]. + +All decorators take a single argument. The ones that end with `_class` expect a single class while the ones ending in `_classes` expect a list or tuple of classes. ## View schema decorator @@ -224,4 +226,5 @@ You may pass `None` in order to exclude the view from schema generation. [throttling]: throttling.md [schemas]: schemas.md [classy-drf]: http://www.cdrf.co +[api-policy-attributes]: views.md#api-policy-attributes diff --git a/docs/api-guide/viewsets.md b/docs/api-guide/viewsets.md index 22acfe327..142cbcabf 100644 --- a/docs/api-guide/viewsets.md +++ b/docs/api-guide/viewsets.md @@ -57,6 +57,9 @@ Typically we wouldn't do this, but would instead register the viewset with a rou router.register(r'users', UserViewSet, basename='user') urlpatterns = router.urls +!!! warning + Do not use `.as_view()` with `@action` methods. It bypasses router setup and may ignore action settings like `permission_classes`. Use `DefaultRouter` for actions. + Rather than writing your own viewsets, you'll often want to use the existing base classes that provide a default set of behavior. For example: class UserViewSet(viewsets.ModelViewSet): @@ -128,7 +131,8 @@ You may inspect these attributes to adjust behavior based on the current action. permission_classes = [IsAdminUser] return [permission() for permission in permission_classes] -**Note**: the `action` attribute is not available in the `get_parsers`, `get_authenticators` and `get_content_negotiator` methods, as it is set _after_ they are called in the framework lifecycle. If you override one of these methods and try to access the `action` attribute in them, you will get an `AttributeError` error. +!!! note + The `action` attribute is not available in the `get_parsers`, `get_authenticators` and `get_content_negotiator` methods, as it is set _after_ they are called in the framework lifecycle. If you override one of these methods and try to access the `action` attribute in them, you will get an `AttributeError` error. ## Marking extra actions for routing @@ -231,7 +235,7 @@ Using the example from the previous section: Alternatively, you can use the `url_name` attribute set by the `@action` decorator. ```pycon ->>> view.reverse_action(view.set_password.url_name, args=['1']) +>>> view.reverse_action(view.set_password.url_name, args=["1"]) 'http://localhost:8000/api/users/1/set_password' ``` diff --git a/docs/community/3.0-announcement.md b/docs/community/3.0-announcement.md index cec61f337..52acd10e2 100644 --- a/docs/community/3.0-announcement.md +++ b/docs/community/3.0-announcement.md @@ -632,7 +632,7 @@ The `MultipleChoiceField` class has been added. This field acts like `ChoiceFiel The `from_native(self, value)` and `to_native(self, data)` method names have been replaced with the more obviously named `to_internal_value(self, data)` and `to_representation(self, value)`. -The `field_from_native()` and `field_to_native()` methods are removed. Previously you could use these methods if you wanted to customise the behavior in a way that did not simply lookup the field value from the object. For example... +The `field_from_native()` and `field_to_native()` methods are removed. Previously you could use these methods if you wanted to customize the behavior in a way that did not simply lookup the field value from the object. For example... def field_to_native(self, obj, field_name): """A custom read-only field that returns the class name.""" diff --git a/docs/community/3.11-announcement.md b/docs/community/3.11-announcement.md index 2fc37a764..e913d5e0a 100644 --- a/docs/community/3.11-announcement.md +++ b/docs/community/3.11-announcement.md @@ -50,11 +50,9 @@ class DocStringExampleListView(APIView): permission_classes = [permissions.IsAuthenticatedOrReadOnly] - def get(self, request, *args, **kwargs): - ... + def get(self, request, *args, **kwargs): ... - def post(self, request, *args, **kwargs): - ... + def post(self, request, *args, **kwargs): ... ``` ## Validator / Default Context @@ -76,8 +74,7 @@ Validator implementations will look like this: class CustomValidator: requires_context = True - def __call__(self, value, serializer_field): - ... + def __call__(self, value, serializer_field): ... ``` Default implementations will look like this: @@ -86,8 +83,7 @@ Default implementations will look like this: class CustomDefault: requires_context = True - def __call__(self, serializer_field): - ... + def __call__(self, serializer_field): ... ``` --- diff --git a/docs/community/3.12-announcement.md b/docs/community/3.12-announcement.md index b192f7290..5264ddd85 100644 --- a/docs/community/3.12-announcement.md +++ b/docs/community/3.12-announcement.md @@ -50,7 +50,7 @@ See [the schema documentation](https://www.django-rest-framework.org/api-guide/s ## Customizing the operation ID. REST framework automatically determines operation IDs to use in OpenAPI -schemas. The latest version provides more control for overriding the behaviour +schemas. The latest version provides more control for overriding the behavior used to generate the operation IDs. See [the schema documentation](https://www.django-rest-framework.org/api-guide/schemas/#operationid) for more information. @@ -96,7 +96,7 @@ for details on using custom `AutoSchema` subclasses. ## Support for JSONField. Django 3.1 deprecated the existing `django.contrib.postgres.fields.JSONField` -in favour of a new database-agnositic `JSONField`. +in favor of a new database-agnositic `JSONField`. REST framework 3.12 now supports this new model field, and `ModelSerializer` classes will correctly map the model field. diff --git a/docs/community/3.13-announcement.md b/docs/community/3.13-announcement.md index e2c1fefa6..10d31b764 100644 --- a/docs/community/3.13-announcement.md +++ b/docs/community/3.13-announcement.md @@ -50,6 +50,6 @@ They must now use the more explicit keyword argument style... aliases = serializers.ListField(child=serializers.CharField()) ``` -This change has been made because using positional arguments here *does not* result in the expected behaviour. +This change has been made because using positional arguments here *does not* result in the expected behavior. See Pull Request [#7632](https://github.com/encode/django-rest-framework/pull/7632) for more details. diff --git a/docs/community/3.15-announcement.md b/docs/community/3.15-announcement.md index 848d534b2..fbe0c759b 100644 --- a/docs/community/3.15-announcement.md +++ b/docs/community/3.15-announcement.md @@ -39,12 +39,12 @@ By default the URLs created by `SimpleRouter` use regular expressions. This beha Dependency on pytz has been removed and deprecation warnings have been added, Django will provide ZoneInfo instances as long as USE_DEPRECATED_PYTZ is not enabled. More info on the migration can be found [in this guide](https://pytz-deprecation-shim.readthedocs.io/en/latest/migration.html). -## Align `SearchFilter` behaviour to `django.contrib.admin` search +## Align `SearchFilter` behavior to `django.contrib.admin` search Searches now may contain _quoted phrases_ with spaces, each phrase is considered as a single search term, and it will raise a validation error if any null-character is provided in search. See the [Filtering API guide](../api-guide/filtering.md) for more information. ## Other fixes and improvements -There are a number of fixes and minor improvements in this release, ranging from documentation, internal infrastructure (typing, testing, requirements, deprecation, etc.), security and overall behaviour. +There are a number of fixes and minor improvements in this release, ranging from documentation, internal infrastructure (typing, testing, requirements, deprecation, etc.), security and overall behavior. See the [release notes](release-notes.md) page for a complete listing. diff --git a/docs/community/3.16-announcement.md b/docs/community/3.16-announcement.md index b8f460ae7..97e102c09 100644 --- a/docs/community/3.16-announcement.md +++ b/docs/community/3.16-announcement.md @@ -29,7 +29,7 @@ The current minimum versions of Django is now 4.2 and Python 3.9. ## Django LoginRequiredMiddleware -The new `LoginRequiredMiddleware` introduced by Django 5.1 can now be used alongside Django REST Framework, however it is not honored for API views as an equivalent behaviour can be configured via `DEFAULT_AUTHENTICATION_CLASSES`. See [our dedicated section](../api-guide/authentication.md#django-51-loginrequiredmiddleware) in the docs for more information. +The new `LoginRequiredMiddleware` introduced by Django 5.1 can now be used alongside Django REST Framework, however it is not honored for API views as an equivalent behavior can be configured via `DEFAULT_AUTHENTICATION_CLASSES`. See [our dedicated section](../api-guide/authentication.md#django-51-loginrequiredmiddleware) in the docs for more information. ## Improved support for UniqueConstraint @@ -37,6 +37,6 @@ The generation of validators for [UniqueConstraint](https://docs.djangoproject.c ## Other fixes and improvements -There are a number of fixes and minor improvements in this release, ranging from documentation, internal infrastructure (typing, testing, requirements, deprecation, etc.), security and overall behaviour. +There are a number of fixes and minor improvements in this release, ranging from documentation, internal infrastructure (typing, testing, requirements, deprecation, etc.), security and overall behavior. See the [release notes](release-notes.md) page for a complete listing. diff --git a/docs/community/3.4-announcement.md b/docs/community/3.4-announcement.md index 03ef6fc41..2c68b178a 100644 --- a/docs/community/3.4-announcement.md +++ b/docs/community/3.4-announcement.md @@ -157,7 +157,7 @@ will result in a list of the available choices being returned in the response. In cases where there is a relational field, the previous behavior would be to return a list of available instances to choose from for that relational field. -In order to minimise exposed information the behavior now is to *not* return +In order to minimize exposed information the behavior now is to *not* return choices information for relational fields. If you want to override this new behavior you'll need to [implement a custom diff --git a/docs/community/3.5-announcement.md b/docs/community/3.5-announcement.md index de558fead..eb3bf7fd5 100644 --- a/docs/community/3.5-announcement.md +++ b/docs/community/3.5-announcement.md @@ -81,7 +81,7 @@ a dynamic client library to interact with your API. Finally, we're also now exposing the schema generation as a [publicly documented API][schema-generation-api], allowing you to more easily -override the behaviour. +override the behavior. ## Requests test client @@ -106,12 +106,12 @@ client library. client = CoreAPIClient() schema = client.get('http://testserver/schema/') - # Create a new organisation + # Create a new organization params = {'name': 'MegaCorp', 'status': 'active'} - client.action(schema, ['organisations', 'create'], params) + client.action(schema, ['organizations', 'create'], params) - # Ensure that the organisation exists in the listing - data = client.action(schema, ['organisations', 'list']) + # Ensure that the organization exists in the listing + data = client.action(schema, ['organizations', 'list']) assert(len(data) == 1) assert(data == [{'name': 'MegaCorp', 'status': 'active'}]) @@ -204,10 +204,10 @@ The `'pk'` identifier in schema paths is now mapped onto the actually model fiel name by default. This will typically be `'id'`. This gives a better external representation for schemas, with less implementation -detail being exposed. It also reflects the behaviour of using a ModelSerializer +detail being exposed. It also reflects the behavior of using a ModelSerializer class with `fields = '__all__'`. -You can revert to the previous behaviour by setting `'SCHEMA_COERCE_PATH_PK': False` +You can revert to the previous behavior by setting `'SCHEMA_COERCE_PATH_PK': False` in the REST framework settings. ### Schema action name representations @@ -215,7 +215,7 @@ in the REST framework settings. The internal `retrieve()` and `destroy()` method names are now coerced to an external representation of `read` and `delete`. -You can revert to the previous behaviour by setting `'SCHEMA_COERCE_METHOD_NAMES': {}` +You can revert to the previous behavior by setting `'SCHEMA_COERCE_METHOD_NAMES': {}` in the REST framework settings. ### DjangoFilterBackend diff --git a/docs/community/3.7-announcement.md b/docs/community/3.7-announcement.md index d1a39fa60..49f68ead2 100644 --- a/docs/community/3.7-announcement.md +++ b/docs/community/3.7-announcement.md @@ -53,7 +53,7 @@ In order to try to address this we're now adding the ability for per-view custom Let's take a quick look at using the new functionality... -The `APIView` class has a `schema` attribute, that is used to control how the Schema for that particular view is generated. The default behaviour is to use the `AutoSchema` class. +The `APIView` class has a `schema` attribute, that is used to control how the Schema for that particular view is generated. The default behavior is to use the `AutoSchema` class. from rest_framework.views import APIView from rest_framework.schemas import AutoSchema diff --git a/docs/community/3.8-announcement.md b/docs/community/3.8-announcement.md index f33b220fd..eef3ae0c9 100644 --- a/docs/community/3.8-announcement.md +++ b/docs/community/3.8-announcement.md @@ -36,7 +36,7 @@ If you use REST framework commercially and would like to see this work continue, ## Breaking Changes -### Altered the behaviour of `read_only` plus `default` on Field. +### Altered the behavior of `read_only` plus `default` on Field. [#5886][gh5886] `read_only` fields will now **always** be excluded from writable fields. @@ -44,7 +44,7 @@ Previously `read_only` fields when combined with a `default` value would use the operations. This was counter-intuitive in some circumstances and led to difficulties supporting dotted `source` attributes on nullable relations. -In order to maintain the old behaviour you may need to pass the value of `read_only` fields when calling `save()` in +In order to maintain the old behavior you may need to pass the value of `read_only` fields when calling `save()` in the view: def perform_create(self, serializer): diff --git a/docs/community/3.9-announcement.md b/docs/community/3.9-announcement.md index 6bc5e3cc3..bd886482c 100644 --- a/docs/community/3.9-announcement.md +++ b/docs/community/3.9-announcement.md @@ -152,7 +152,7 @@ See [#5990][gh5990]. ### `action` decorator replaces `list_route` and `detail_route` -Both `list_route` and `detail_route` are now deprecated in favour of the single `action` decorator. +Both `list_route` and `detail_route` are now deprecated in favor of the single `action` decorator. They will be removed entirely in 3.10. The `action` decorator takes a boolean `detail` argument. diff --git a/docs/community/contributing.md b/docs/community/contributing.md index aceff45ac..da92630d4 100644 --- a/docs/community/contributing.md +++ b/docs/community/contributing.md @@ -81,12 +81,42 @@ To run the tests, clone the repository, and then: # Run the tests ./runtests.py +!!! tip + If your tests require access to the database, do not forget to inherit from `django.test.TestCase` or use the `@pytest.mark.django_db()` decorator. + + For example, with TestCase: + + from django.test import TestCase + + class MyDatabaseTest(TestCase): + def test_something(self): + # Your test code here + pass + + Or with decorator: + + import pytest + + @pytest.mark.django_db() + class MyDatabaseTest: + def test_something(self): + # Your test code here + pass + + You can reuse existing models defined in `tests/models.py` for your tests. + ### Test options Run using a more concise output style. ./runtests.py -q + +If you do not want the output to be captured (for example, to see print statements directly), you can use the `-s` flag. + + ./runtests.py -s + + Run the tests for a given test case. ./runtests.py MyTestCase @@ -99,7 +129,9 @@ Shorter form to run the tests for a given test method. ./runtests.py test_this_method -Note: The test case and test method matching is fuzzy and will sometimes run other tests that contain a partial string match to the given command line input. + +!!! note + The test case and test method matching is fuzzy and will sometimes run other tests that contain a partial string match to the given command line input. ### Running against multiple environments @@ -191,13 +223,12 @@ Linking in this style means you'll be able to click the hyperlink in your Markdo ##### 3. Notes -If you want to draw attention to a note or warning, use a pair of enclosing lines, like so: +If you want to draw attention to a note or warning, use an [admonition], like so: - --- + !!! note + A useful documentation note. - **Note:** A useful documentation note. - - --- +The documentation theme styles `info`, `warning`, `tip` and `danger` admonition types, but more could be added if the need arise. [cite]: https://www.w3.org/People/Berners-Lee/FAQ.html @@ -213,3 +244,4 @@ If you want to draw attention to a note or warning, use a pair of enclosing line [mou]: http://mouapp.com/ [repo]: https://github.com/encode/django-rest-framework [how-to-fork]: https://help.github.com/articles/fork-a-repo/ +[admonition]: https://python-markdown.github.io/extensions/admonition/ diff --git a/docs/community/funding.md b/docs/community/funding.md deleted file mode 100644 index 7bca4bae4..000000000 --- a/docs/community/funding.md +++ /dev/null @@ -1,388 +0,0 @@ - - - - -# Funding - -If you use REST framework commercially we strongly encourage you to invest in its continued development by signing up for a paid plan. - -**We believe that collaboratively funded software can offer outstanding returns on investment, by encouraging our users to collectively share the cost of development.** - -Signing up for a paid plan will: - -* Directly contribute to faster releases, more features, and higher quality software. -* Allow more time to be invested in keeping the package up to date. -* Safeguard the future development of REST framework. - -REST framework continues to be open-source and permissively licensed, but we firmly believe it is in the commercial best-interest for users of the project to invest in its ongoing development. - ---- - -## What funding has enabled so far - -* The [3.4](https://www.django-rest-framework.org/community/3.4-announcement/) and [3.5](https://www.django-rest-framework.org/community/3.5-announcement/) releases, including schema generation for both Swagger and RAML, a Python client library, a Command Line client, and addressing of a large number of outstanding issues. -* The [3.6](https://www.django-rest-framework.org/community/3.6-announcement/) release, including JavaScript client library, and API documentation, complete with auto-generated code samples. -* The [3.7 release](https://www.django-rest-framework.org/community/3.7-announcement/), made possible due to our collaborative funding model, focuses on improvements to schema generation and the interactive API documentation. -* The recent [3.8 release](https://www.django-rest-framework.org/community/3.8-announcement/). -* Tom Christie, the creator of Django REST framework, working on the project full-time. -* Around 80-90 issues and pull requests closed per month since Tom Christie started working on the project full-time. -* A community & operations manager position part-time for 4 months, helping mature the business and grow sponsorship. -* Contracting development time for the work on the JavaScript client library and API documentation tooling. - ---- - -## What our sponsors and users say - -> As a developer, Django REST framework feels like an obvious and natural extension to all the great things that make up Django and it's community. Getting started is easy while providing simple abstractions which makes it flexible and customizable. Contributing and supporting Django REST framework helps ensure its future and one way or another it also helps Django, and the Python ecosystem. -> -> — José Padilla, Django REST framework contributor - -  - -> The number one feature of the Python programming language is its community. Such a community is only possible because of the Open Source nature of the language and all the culture that comes from it. Building great Open Source projects require great minds. Given that, we at Vinta are not only proud to sponsor the team behind DRF but we also recognize the ROI that comes from it. -> -> — Filipe Ximenes, Vinta Software - -  - -> It's really awesome that this project continues to endure. The code base is top notch and the maintainers are committed to the highest level of quality. -DRF is one of the core reasons why Django is top choice among web frameworks today. In my opinion, it sets the standard for rest frameworks for the development community at large. -> -> — Andrew Conti, Django REST framework user - -Sign up for a paid plan today, and help ensure that REST framework becomes a sustainable, full-time funded project. - ---- - -## Individual plan - -This subscription is recommended for individuals with an interest in seeing REST framework continue to improve. - -If you are using REST framework as a full-time employee, consider recommending that your company takes out a [corporate plan](#corporate-plans). - -
-
-
-
- {{ symbol }} - {{ rates.personal1 }} - /month{% if vat %} +VAT{% endif %} -
-
Individual
-
-
- Support ongoing development -
-
- Credited on the site -
-
- -
-
-
-
- -*Billing is monthly and you can cancel at any time.* - ---- - -## Corporate plans - -These subscriptions are recommended for companies and organizations using REST framework either publicly or privately. - -In exchange for funding you'll also receive advertising space on our site, allowing you to **promote your company or product to many tens of thousands of developers worldwide**. - -Our professional and premium plans also include **priority support**. At any time your engineers can escalate an issue or discussion group thread, and we'll ensure it gets a guaranteed response within the next working day. - -
-
-
-
- {{ symbol }} - {{ rates.corporate1 }} - /month{% if vat %} +VAT{% endif %} -
-
Basic
-
-
- Support ongoing development -
-
- Funding page ad placement -
-
- -
-
-
-
-
- {{ symbol }} - {{ rates.corporate2 }} - /month{% if vat %} +VAT{% endif %} -
-
Professional
-
-
- Support ongoing development -
-
- Sidebar ad placement -
-
- Priority support for your engineers -
-
- -
-
-
-
-
- {{ symbol }} - {{ rates.corporate3 }} - /month{% if vat %} +VAT{% endif %} -
-
Premium
-
-
- Support ongoing development -
-
- Homepage ad placement -
-
- Sidebar ad placement -
-
- Priority support for your engineers -
-
- -
-
-
- -
- -*Billing is monthly and you can cancel at any time.* - -Once you've signed up, we will contact you via email and arrange your ad placements on the site. - -For further enquires please contact funding@django-rest-framework.org. - ---- - -## Accountability - -In an effort to keep the project as transparent as possible, we are releasing [monthly progress reports](https://www.encode.io/reports/march-2018/) and regularly include financial reports and cost breakdowns. - - - - -
-
-
-

Stay up to date, with our monthly progress reports...

-
- - -
-
- - -
- -
-
-
-
- - - ---- - -## Frequently asked questions - -**Q: Can you issue monthly invoices?** -A: Yes, we are happy to issue monthly invoices. Please just email us and let us know who to issue the invoice to (name and address) and which email address to send it to each month. - -**Q: Does sponsorship include VAT?** -A: Sponsorship is VAT exempt. - -**Q: Do I have to sign up for a certain time period?** -A: No, we appreciate your support for any time period that is convenient for you. Also, you can cancel your sponsorship anytime. - -**Q: Can I pay yearly? Can I pay upfront fox X amount of months at a time?** -A: We are currently only set up to accept monthly payments. However, if you'd like to support Django REST framework and you can only do yearly/upfront payments, we are happy to work with you and figure out a convenient solution. - -**Q: Are you only looking for corporate sponsors?** -A: No, we value individual sponsors just as much as corporate sponsors and appreciate any kind of support. - ---- - -## Our sponsors - -
- - diff --git a/docs/community/project-management.md b/docs/community/project-management.md index bf591d5ef..5c7577ec8 100644 --- a/docs/community/project-management.md +++ b/docs/community/project-management.md @@ -51,20 +51,14 @@ The following template should be used for the description of the issue, and serv Release manager is @***. Pull request is #***. - During development cycle: - - - [ ] Upload the new content to be translated to [transifex](https://www.django-rest-framework.org/topics/project-management/#translations). - - Checklist: - [ ] Create pull request for [release notes](https://github.com/encode/django-rest-framework/blob/mains/docs/topics/release-notes.md) based on the [*.*.* milestone](https://github.com/encode/django-rest-framework/milestones/***). - [ ] Update supported versions: - - [ ] `setup.py` `python_requires` list - - [ ] `setup.py` Python & Django version trove classifiers + - [ ] `pyproject.toml` `python_requires` list + - [ ] `pyproject.toml` Python & Django version trove classifiers - [ ] `README` Python & Django versions - [ ] `docs` Python & Django versions - - [ ] Update the translations from [transifex](https://www.django-rest-framework.org/topics/project-management/#translations). - [ ] Ensure the pull request increments the version to `*.*.*` in [`restframework/__init__.py`](https://github.com/encode/django-rest-framework/blob/main/rest_framework/__init__.py). - [ ] Ensure documentation validates - Build and serve docs `mkdocs serve` @@ -72,7 +66,9 @@ The following template should be used for the description of the issue, and serv - [ ] Confirm with @tomchristie that release is finalized and ready to go. - [ ] Ensure that release date is included in pull request. - [ ] Merge the release pull request. - - [ ] Push the package to PyPI with `./setup.py publish`. + - [ ] Install the release tools: `pip install build twine` + - [ ] Build the package: `python -m build` + - [ ] Push the package to PyPI with `twine upload dist/*` - [ ] Tag the release, with `git tag -a *.*.* -m 'version *.*.*'; git push --tags`. - [ ] Deploy the documentation with `mkdocs gh-deploy`. - [ ] Make a release announcement on the [discussion group](https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework). @@ -85,55 +81,6 @@ When pushing the release to PyPI ensure that your environment has been installed --- -## Translations - -The maintenance team are responsible for managing the translation packs include in REST framework. Translating the source strings into multiple languages is managed through the [transifex service][transifex-project]. - -### Managing Transifex - -The [official Transifex client][transifex-client] is used to upload and download translations to Transifex. The client is installed using pip: - - pip install transifex-client - -To use it you'll need a login to Transifex which has a password, and you'll need to have administrative access to the Transifex project. You'll need to create a `~/.transifexrc` file which contains your credentials. - - [https://www.transifex.com] - username = *** - token = *** - password = *** - hostname = https://www.transifex.com - -### Upload new source files - -When any user visible strings are changed, they should be uploaded to Transifex so that the translators can start to translate them. To do this, just run: - - # 1. Update the source django.po file, which is the US English version. - cd rest_framework - django-admin makemessages -l en_US - # 2. Push the source django.po file to Transifex. - cd .. - tx push -s - -When pushing source files, Transifex will update the source strings of a resource to match those from the new source file. - -Here's how differences between the old and new source files will be handled: - -* New strings will be added. -* Modified strings will be added as well. -* Strings which do not exist in the new source file will be removed from the database, along with their translations. If that source strings gets re-added later then [Transifex Translation Memory][translation-memory] will automatically include the translation string. - -### Download translations - -When a translator has finished translating their work needs to be downloaded from Transifex into the REST framework repository. To do this, run: - - # 3. Pull the translated django.po files from Transifex. - tx pull -a --minimum-perc 10 - cd rest_framework - # 4. Compile the binary .mo files for all supported languages. - django-admin compilemessages - ---- - ## Project requirements All our test requirements are pinned to exact versions, in order to ensure that our test runs are reproducible. We maintain the requirements in the `requirements` directory. The requirements files are referenced from the `tox.ini` configuration file, ensuring we have a single source of truth for package versions used in testing. @@ -158,7 +105,4 @@ The following issues still need to be addressed: [bus-factor]: https://en.wikipedia.org/wiki/Bus_factor [un-triaged]: https://github.com/encode/django-rest-framework/issues?q=is%3Aopen+no%3Alabel -[transifex-project]: https://www.transifex.com/projects/p/django-rest-framework/ -[transifex-client]: https://pypi.org/project/transifex-client/ -[translation-memory]: http://docs.transifex.com/guides/tm#let-tm-automatically-populate-translations [mailing-list]: https://groups.google.com/forum/#!forum/django-rest-framework diff --git a/docs/community/release-notes.md b/docs/community/release-notes.md index ae59ae000..86cab8e2b 100644 --- a/docs/community/release-notes.md +++ b/docs/community/release-notes.md @@ -105,7 +105,7 @@ This release fixes a few bugs, clean-up some old code paths for unsupported Pyth **Date**: 28th March 2025 -This release is considered a significant release to improve upstream support with Django and Python. Some of these may change the behaviour of existing features and pre-existing behaviour. Specifically, some fixes were added to around the support of `UniqueConstraint` with nullable fields which will improve built-in serializer validation. +This release is considered a significant release to improve upstream support with Django and Python. Some of these may change the behavior of existing features and pre-existing behavior. Specifically, some fixes were added to around the support of `UniqueConstraint` with nullable fields which will improve built-in serializer validation. #### Features @@ -215,7 +215,7 @@ Date: 15th March 2024 * Partial serializer should not have required fields [[#7563](https://github.com/encode/django-rest-framework/pull/7563)] * Propagate 'default' from model field to serializer field. [[#9030](https://github.com/encode/django-rest-framework/pull/9030)] * Allow to override child.run_validation call in ListSerializer [[#8035](https://github.com/encode/django-rest-framework/pull/8035)] -* Align SearchFilter behaviour to django.contrib.admin search [[#9017](https://github.com/encode/django-rest-framework/pull/9017)] +* Align SearchFilter behavior to django.contrib.admin search [[#9017](https://github.com/encode/django-rest-framework/pull/9017)] * Class name added to unknown field error [[#9019](https://github.com/encode/django-rest-framework/pull/9019)] * Fix: Pagination response schemas. [[#9049](https://github.com/encode/django-rest-framework/pull/9049)] * Fix choices in ChoiceField to support IntEnum [[#8955](https://github.com/encode/django-rest-framework/pull/8955)] @@ -369,7 +369,7 @@ Date: 28th September 2020 * Add `--file` option to `generateschema` command. [#7130] * Support `tags` for OpenAPI schema generation. See [the schema docs](https://www.django-rest-framework.org/api-guide/schemas/#grouping-operations-with-tags). [#7184] -* Support customising the operation ID for schema generation. See [the schema docs](https://www.django-rest-framework.org/api-guide/schemas/#operationid). [#7190] +* Support customizing the operation ID for schema generation. See [the schema docs](https://www.django-rest-framework.org/api-guide/schemas/#operationid). [#7190] * Support OpenAPI components for schema generation. See [the schema docs](https://www.django-rest-framework.org/api-guide/schemas/#components). [#7124] * The following methods on `AutoSchema` become public API: `get_path_parameters`, `get_pagination_parameters`, `get_filter_parameters`, `get_request_body`, `get_responses`, `get_serializer`, `get_paginator`, `map_serializer`, `map_field`, `map_choice_field`, `map_field_validators`, `allows_filters`. See [the schema docs](https://www.django-rest-framework.org/api-guide/schemas/#autoschema) * Add support for Django 3.1's database-agnositic `JSONField`. [#7467] @@ -407,7 +407,7 @@ Date: 28th September 2020 * Fix `PrimaryKeyRelatedField` and `HyperlinkedRelatedField` when source field is actually a property. [#7142] * `Token.generate_key` is now a class method. [#7502] * `@action` warns if method is wrapped in a decorator that does not preserve information using `@functools.wraps`. [#7098] -* Deprecate `serializers.NullBooleanField` in favour of `serializers.BooleanField` with `allow_null=True` [#7122] +* Deprecate `serializers.NullBooleanField` in favor of `serializers.BooleanField` with `allow_null=True` [#7122] --- @@ -417,7 +417,7 @@ Date: 28th September 2020 **Date**: 30th September 2020 -* **Security**: Drop `urlize_quoted_links` template tag in favour of Django's built-in `urlize`. Removes a XSS vulnerability for some kinds of content in the browsable API. +* **Security**: Drop `urlize_quoted_links` template tag in favor of Django's built-in `urlize`. Removes a XSS vulnerability for some kinds of content in the browsable API. ### 3.11.1 @@ -429,7 +429,7 @@ Date: 28th September 2020 **Date**: 12th December 2019 -* Drop `.set_context` API [in favour of a `requires_context` marker](3.11-announcement.md#validator-default-context). +* Drop `.set_context` API [in favor of a `requires_context` marker](3.11-announcement.md#validator-default-context). * Changed default widget for TextField with choices to select box. [#6892][gh6892] * Supported nested writes on non-relational fields, such as JSONField. [#6916][gh6916] * Include request/response media types in OpenAPI schemas, based on configured parsers/renderers. [#6865][gh6865] @@ -621,13 +621,13 @@ Be sure to upgrade to Python 3 before upgrading to Django REST Framework 3.10. **Date**: [3rd April 2018][3.8.0-milestone] -* **Breaking Change**: Alter `read_only` plus `default` behaviour. [#5886][gh5886] +* **Breaking Change**: Alter `read_only` plus `default` behavior. [#5886][gh5886] `read_only` fields will now **always** be excluded from writable fields. Previously `read_only` fields with a `default` value would use the `default` for create and update operations. - In order to maintain the old behaviour you may need to pass the value of `read_only` fields when calling `save()` in + In order to maintain the old behavior you may need to pass the value of `read_only` fields when calling `save()` in the view: def perform_create(self, serializer): @@ -635,13 +635,13 @@ Be sure to upgrade to Python 3 before upgrading to Django REST Framework 3.10. Alternatively you may override `save()` or `create()` or `update()` on the serializer as appropriate. -* Correct allow_null behaviour when required=False [#5888][gh5888] +* Correct allow_null behavior when required=False [#5888][gh5888] Without an explicit `default`, `allow_null` implies a default of `null` for outgoing serialization. Previously such fields were being skipped when read-only or otherwise not required. **Possible backwards compatibility break** if you were relying on such fields being excluded from the outgoing - representation. In order to restore the old behaviour you can override `data` to exclude the field when `None`. + representation. In order to restore the old behavior you can override `data` to exclude the field when `None`. For example: @@ -698,7 +698,7 @@ Be sure to upgrade to Python 3 before upgrading to Django REST Framework 3.10. * Add HStoreField, postgres fields tests [#5654][gh5654] * Always fully qualify ValidationError in docs [#5751][gh5751] * Remove unreachable code from ManualSchema [#5766][gh5766] -* Allowed customising API documentation code samples [#5752][gh5752] +* Allowed customizing API documentation code samples [#5752][gh5752] * Updated docs to use `pip show` [#5757][gh5757] * Load 'static' instead of 'staticfiles' in templates [#5773][gh5773] * Fixed a typo in `fields` docs [#5783][gh5783] @@ -761,7 +761,7 @@ Be sure to upgrade to Python 3 before upgrading to Django REST Framework 3.10. * Schema: Extract method for `manual_fields` processing [#5633][gh5633] - Allows for easier customisation of `manual_fields` processing, for example + Allows for easier customization of `manual_fields` processing, for example to provide per-method manual fields. `AutoSchema` adds `get_manual_fields`, as the intended override point, and a utility method `update_fields`, to handle by-name field replacement from a list, which, in general, you are not @@ -883,7 +883,7 @@ Be sure to upgrade to Python 3 before upgrading to Django REST Framework 3.10. * Don't strip microseconds from `time` when encoding. Makes consistent with `datetime`. **BC Change**: Previously only milliseconds were encoded. [#5440][gh5440] * Added `STRICT_JSON` setting (default `True`) to raise exception for the extended float values (`nan`, `inf`, `-inf`) accepted by Python's `json` module. - **BC Change**: Previously these values would converted to corresponding strings. Set `STRICT_JSON` to `False` to restore the previous behaviour. [#5265][gh5265] + **BC Change**: Previously these values would converted to corresponding strings. Set `STRICT_JSON` to `False` to restore the previous behavior. [#5265][gh5265] * Add support for `page_size` parameter in CursorPaginator class [#5250][gh5250] * Make `DEFAULT_PAGINATION_CLASS` `None` by default. **BC Change**: If your were **just** setting `PAGE_SIZE` to enable pagination you will need to add `DEFAULT_PAGINATION_CLASS`. @@ -921,10 +921,10 @@ Be sure to upgrade to Python 3 before upgrading to Django REST Framework 3.10. * Fix naming collisions in Schema Generation [#5464][gh5464] * Call Django's authenticate function with the request object [#5295][gh5295] * Update coreapi JS to 0.1.1 [#5479][gh5479] -* Have `is_list_view` recognise RetrieveModel… views [#5480][gh5480] +* Have `is_list_view` recognize RetrieveModel… views [#5480][gh5480] * Remove Django 1.8 & 1.9 compatibility code [#5481][gh5481] * Remove deprecated schema code from DefaultRouter [#5482][gh5482] -* Refactor schema generation to allow per-view customisation. +* Refactor schema generation to allow per-view customization. **BC Change**: `SchemaGenerator.get_serializer_fields` has been refactored as `AutoSchema.get_serializer_fields` and drops the `view` argument [#5354][gh5354] ## 3.6.x series diff --git a/docs/community/third-party-packages.md b/docs/community/third-party-packages.md index a4ad2db1e..80cb445e1 100644 --- a/docs/community/third-party-packages.md +++ b/docs/community/third-party-packages.md @@ -58,6 +58,7 @@ To submit new content, [create a pull request][drf-create-pr]. * [hawkrest][hawkrest] - Provides Hawk HTTP Authorization. * [djangorestframework-httpsignature][djangorestframework-httpsignature] - Provides an easy to use HTTP Signature Authentication mechanism. * [djoser][djoser] - Provides a set of views to handle basic actions such as registration, login, logout, password reset and account activation. +* [DRF Auth Kit][drf-auth-kit] - Provides complete REST authentication with JWT cookies, social login, MFA, and user management. Features full type safety and automatic OpenAPI schema generation. * [dj-rest-auth][dj-rest-auth] - Provides a set of REST API endpoints for registration, authentication (including social media authentication), password reset, retrieve and update user details, etc. * [drf-oidc-auth][drf-oidc-auth] - Implements OpenID Connect token authentication for DRF. * [drfpasswordless][drfpasswordless] - Adds (Medium, Square Cash inspired) passwordless logins and signups via email and mobile numbers. @@ -72,6 +73,7 @@ To submit new content, [create a pull request][drf-create-pr]. * [dry-rest-permissions][dry-rest-permissions] - Provides a simple way to define permissions for individual api actions. * [drf-access-policy][drf-access-policy] - Declarative and flexible permissions inspired by AWS' IAM policies. * [drf-psq][drf-psq] - An extension that gives support for having action-based **permission_classes**, **serializer_class**, and **queryset** dependent on permission-based rules. +* [axioms-drf-py][axioms-drf-py] - Supports authentication and claim-based fine-grained authorization (**scopes**, **roles**, **groups**, **permissions**, etc. including object-level checks) using JWT tokens issued by an OAuth2/OIDC Authorization Server. ### Serializers @@ -150,14 +152,16 @@ To submit new content, [create a pull request][drf-create-pr]. * [django-rest-framework-condition][django-rest-framework-condition] - Decorators for managing HTTP cache headers for Django REST framework (ETag and Last-modified). * [django-rest-witchcraft][django-rest-witchcraft] - Provides DRF integration with SQLAlchemy with SQLAlchemy model serializers/viewsets and a bunch of other goodies * [djangorestframework-mvt][djangorestframework-mvt] - An extension for creating views that serve Postgres data as Map Box Vector Tiles. -* [drf-viewset-profiler][drf-viewset-profiler] - Lib to profile all methods from a viewset line by line. +* [drf-viewset-profiler][drf-viewset-profiler] - Lib to profile all methods from a viewset line by line. * [djangorestframework-features][djangorestframework-features] - Advanced schema generation and more based on named features. * [django-elasticsearch-dsl-drf][django-elasticsearch-dsl-drf] - Integrate Elasticsearch DSL with Django REST framework. Package provides views, serializers, filter backends, pagination and other handy add-ons. +* [django-lisan][django-lisan] - A lightweight translation and localization framework for Django REST Framework APIs. * [django-api-client][django-api-client] - DRF client that groups the Endpoint response, for use in CBVs and FBV as if you were working with Django's Native Models.. * [fast-drf] - A model based library for making API development faster and easier. * [django-requestlogs] - Providing middleware and other helpers for audit logging for REST framework. * [drf-standardized-errors][drf-standardized-errors] - DRF exception handler to standardize error responses for all API endpoints. * [drf-api-action][drf-api-action] - uses the power of DRF also as a library functions +* [apitally] - A simple API monitoring, analytics, and request logging tool using middleware. For DRF-specific setup guide, [click here](https://docs.apitally.io/frameworks/django-rest-framework). ### Customization @@ -180,6 +184,7 @@ To submit new content, [create a pull request][drf-create-pr]. [permissions]: ../api-guide/permissions.md [third-party-packages]: #existing-third-party-packages [discussion-group]: https://groups.google.com/forum/#!forum/django-rest-framework +[drf-auth-kit]: https://github.com/huynguyengl99/drf-auth-kit [djangorestframework-digestauth]: https://github.com/juanriaza/django-rest-framework-digestauth [django-oauth-toolkit]: https://github.com/evonove/django-oauth-toolkit [djangorestframework-jwt]: https://github.com/GetBlimp/django-rest-framework-jwt @@ -260,4 +265,7 @@ To submit new content, [create a pull request][drf-create-pr]. [drf-redesign]: https://github.com/youzarsiph/drf-redesign [drf-material]: https://github.com/youzarsiph/drf-material [django-pyoidc]: https://github.com/makinacorpus/django_pyoidc +[apitally]: https://github.com/apitally/apitally-py [drf-shapeless-serializers]: https://github.com/khaledsukkar2/drf-shapeless-serializers +[django-lisan]: https://github.com/Nabute/django-lisan +[axioms-drf-py]: https://github.com/abhishektiwari/axioms-drf-py diff --git a/docs/index.md b/docs/index.md index d590d2c04..3888880fa 100644 --- a/docs/index.md +++ b/docs/index.md @@ -53,33 +53,7 @@ Some reasons you might want to use REST framework: * [Serialization][serializers] that supports both [ORM][modelserializer-section] and [non-ORM][serializer-section] data sources. * Customizable all the way down - just use [regular function-based views][functionview-section] if you don't need the [more][generic-views] [powerful][viewsets] [features][routers]. * Extensive documentation, and [great community support][group]. -* Used and trusted by internationally recognised companies including [Mozilla][mozilla], [Red Hat][redhat], [Heroku][heroku], and [Eventbrite][eventbrite]. - ---- - -## Funding - -REST framework is a *collaboratively funded project*. If you use -REST framework commercially we strongly encourage you to invest in its -continued development by **[signing up for a paid plan][funding]**. - -*Every single sign-up helps us make REST framework long-term financially sustainable.* - - -
- -*Many thanks to all our [wonderful sponsors][sponsors], and in particular to our premium backers, [Sentry](https://getsentry.com/welcome/), [Stream](https://getstream.io/?utm_source=DjangoRESTFramework&utm_medium=Webpage_Logo_Ad&utm_content=Developer&utm_campaign=DjangoRESTFramework_Jan2022_HomePage), [Spacinov](https://www.spacinov.com/), [Retool](https://retool.com/?utm_source=djangorest&utm_medium=sponsorship), [bit.io](https://bit.io/jobs?utm_source=DRF&utm_medium=sponsor&utm_campaign=DRF_sponsorship), [PostHog](https://posthog.com?utm_source=DRF&utm_medium=sponsor&utm_campaign=DRF_sponsorship), [CryptAPI](https://cryptapi.io), [FEZTO](https://www.fezto.xyz/?utm_source=DjangoRESTFramework), [Svix](https://www.svix.com/?utm_source=django-REST&utm_medium=sponsorship), , and [Zuplo](https://zuplo.link/django-web).* +* Used and trusted by internationally recognized companies including [Mozilla][mozilla], [Red Hat][redhat], [Heroku][heroku], and [Eventbrite][eventbrite]. --- @@ -88,7 +62,7 @@ continued development by **[signing up for a paid plan][funding]**. REST framework requires the following: * Django (4.2, 5.0, 5.1, 5.2) -* Python (3.9, 3.10, 3.11, 3.12, 3.13) +* Python (3.10, 3.11, 3.12, 3.13, 3.14) We **highly recommend** and only officially support the latest patch release of each Python and Django series. @@ -192,8 +166,6 @@ Framework. For support please see the [REST framework discussion group][group], try the `#restframework` channel on `irc.libera.chat`, or raise a question on [Stack Overflow][stack-overflow], making sure to include the ['django-rest-framework'][django-rest-framework-tag] tag. -For priority support please sign up for a [professional or premium sponsorship plan](https://fund.django-rest-framework.org/topics/funding/). - ## Security **Please report security issues by emailing security@encode.io**. @@ -246,7 +218,6 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. [serializer-section]: api-guide/serializers#serializers [modelserializer-section]: api-guide/serializers#modelserializer [functionview-section]: api-guide/views#function-based-views -[sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors [quickstart]: tutorial/quickstart.md @@ -257,10 +228,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. [authentication]: api-guide/authentication.md [contributing]: community/contributing.md -[funding]: community/funding.md [group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework [stack-overflow]: https://stackoverflow.com/ [django-rest-framework-tag]: https://stackoverflow.com/questions/tagged/django-rest-framework [security-mail]: mailto:rest-framework-security@googlegroups.com -[twitter]: https://twitter.com/_tomchristie diff --git a/docs/topics/browsable-api.md b/docs/topics/browsable-api.md index 8cf530b7a..dd2da6877 100644 --- a/docs/topics/browsable-api.md +++ b/docs/topics/browsable-api.md @@ -181,7 +181,7 @@ The context that's available to the template: * `FORMAT_PARAM` : The view can accept a format override * `METHOD_PARAM` : The view can accept a method override -You can override the `BrowsableAPIRenderer.get_context()` method to customise the context that gets passed to the template. +You can override the `BrowsableAPIRenderer.get_context()` method to customize the context that gets passed to the template. #### Not using base.html diff --git a/docs/topics/internationalization.md b/docs/topics/internationalization.md index b7387f772..5f4b719b5 100644 --- a/docs/topics/internationalization.md +++ b/docs/topics/internationalization.md @@ -60,11 +60,12 @@ If you only wish to support a subset of the available languages, use Django's st ## Adding new translations -REST framework translations are managed online using [Transifex][transifex-project]. You can use the Transifex service to add new translation languages. The maintenance team will then ensure that these translation strings are included in the REST framework package. +REST framework translations are managed on GitHub. You can contribute new translation languages or update existing ones +by following the guidelines in the [Contributing to REST Framework] section and submitting a pull request. Sometimes you may need to add translation strings to your project locally. You may need to do this if: -* You want to use REST Framework in a language which has not been translated yet on Transifex. +* You want to use REST Framework in a language which is not supported by the project. * Your project includes custom error messages, which are not part of REST framework's default translation strings. #### Translating a new language locally @@ -103,9 +104,9 @@ You can find more information on how the language preference is determined in th For API clients the most appropriate of these will typically be to use the `Accept-Language` header; Sessions and cookies will not be available unless using session authentication, and generally better practice to prefer an `Accept-Language` header for API clients rather than using language URL prefixes. [cite]: https://youtu.be/Wa0VfS2q94Y +[Contributing to REST Framework]: ../community/contributing.md#development [django-translation]: https://docs.djangoproject.com/en/stable/topics/i18n/translation [custom-exception-handler]: ../api-guide/exceptions.md#custom-exception-handling -[transifex-project]: https://explore.transifex.com/django-rest-framework-1/django-rest-framework/ [django-po-source]: https://raw.githubusercontent.com/encode/django-rest-framework/main/rest_framework/locale/en_US/LC_MESSAGES/django.po [django-language-preference]: https://docs.djangoproject.com/en/stable/topics/i18n/translation/#how-django-discovers-language-preference [django-locale-paths]: https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-LOCALE_PATHS diff --git a/docs/topics/rest-hypermedia-hateoas.md b/docs/topics/rest-hypermedia-hateoas.md index 3498bddd1..c0822b027 100644 --- a/docs/topics/rest-hypermedia-hateoas.md +++ b/docs/topics/rest-hypermedia-hateoas.md @@ -32,7 +32,7 @@ REST framework also includes [serialization] and [parser]/[renderer] components ## What REST framework doesn't provide. -What REST framework doesn't do is give you machine readable hypermedia formats such as [HAL][hal], [Collection+JSON][collection], [JSON API][json-api] or HTML [microformats] by default, or the ability to auto-magically create fully HATEOAS style APIs that include hypermedia-based form descriptions and semantically labelled hyperlinks. Doing so would involve making opinionated choices about API design that should really remain outside of the framework's scope. +What REST framework doesn't do is give you machine readable hypermedia formats such as [HAL][hal], [Collection+JSON][collection], [JSON API][json-api] or HTML [microformats] by default, or the ability to auto-magically create fully HATEOAS style APIs that include hypermedia-based form descriptions and semantically labeled hyperlinks. Doing so would involve making opinionated choices about API design that should really remain outside of the framework's scope. [cite]: https://vimeo.com/channels/restfest/49503453 [dissertation]: https://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm diff --git a/docs/tutorial/1-serialization.md b/docs/tutorial/1-serialization.md index b9bf67acb..168cda5dd 100644 --- a/docs/tutorial/1-serialization.md +++ b/docs/tutorial/1-serialization.md @@ -6,47 +6,55 @@ This tutorial will cover creating a simple pastebin code highlighting Web API. The tutorial is fairly in-depth, so you should probably get a cookie and a cup of your favorite brew before getting started. If you just want a quick overview, you should head over to the [quickstart] documentation instead. ---- - -**Note**: The code for this tutorial is available in the [encode/rest-framework-tutorial][repo] repository on GitHub. Feel free to clone the repository and see the code in action. - ---- +!!! note + The code for this tutorial is available in the [encode/rest-framework-tutorial][repo] repository on GitHub. Feel free to clone the repository and see the code in action. ## Setting up a new environment Before we do anything else we'll create a new virtual environment, using [venv]. This will make sure our package configuration is kept nicely isolated from any other projects we're working on. - python3 -m venv env - source env/bin/activate +```bash +python3 -m venv env +source env/bin/activate +``` Now that we're inside a virtual environment, we can install our package requirements. - pip install django - pip install djangorestframework - pip install pygments # We'll be using this for the code highlighting +```bash +pip install django +pip install djangorestframework +pip install pygments # We'll be using this for the code highlighting +``` -**Note:** To exit the virtual environment at any time, just type `deactivate`. For more information see the [venv documentation][venv]. +!!! tip + To exit the virtual environment at any time, just type `deactivate`. For more information see the [venv documentation][venv]. ## Getting started Okay, we're ready to get coding. To get started, let's create a new project to work with. - cd ~ - django-admin startproject tutorial - cd tutorial +```bash +cd ~ +django-admin startproject tutorial +cd tutorial +``` Once that's done we can create an app that we'll use to create a simple Web API. - python manage.py startapp snippets +```bash +python manage.py startapp snippets +``` We'll need to add our new `snippets` app and the `rest_framework` app to `INSTALLED_APPS`. Let's edit the `tutorial/settings.py` file: - INSTALLED_APPS = [ - ... - 'rest_framework', - 'snippets', - ] +```text +INSTALLED_APPS = [ + ... + 'rest_framework', + 'snippets', +] +``` Okay, we're ready to roll. @@ -54,64 +62,72 @@ Okay, we're ready to roll. For the purposes of this tutorial we're going to start by creating a simple `Snippet` model that is used to store code snippets. Go ahead and edit the `snippets/models.py` file. Note: Good programming practices include comments. Although you will find them in our repository version of this tutorial code, we have omitted them here to focus on the code itself. - from django.db import models - from pygments.lexers import get_all_lexers - from pygments.styles import get_all_styles +```python +from django.db import models +from pygments.lexers import get_all_lexers +from pygments.styles import get_all_styles - LEXERS = [item for item in get_all_lexers() if item[1]] - LANGUAGE_CHOICES = sorted([(item[1][0], item[0]) for item in LEXERS]) - STYLE_CHOICES = sorted([(item, item) for item in get_all_styles()]) +LEXERS = [item for item in get_all_lexers() if item[1]] +LANGUAGE_CHOICES = sorted([(item[1][0], item[0]) for item in LEXERS]) +STYLE_CHOICES = sorted([(item, item) for item in get_all_styles()]) - class Snippet(models.Model): - created = models.DateTimeField(auto_now_add=True) - title = models.CharField(max_length=100, blank=True, default='') - code = models.TextField() - linenos = models.BooleanField(default=False) - language = models.CharField(choices=LANGUAGE_CHOICES, default='python', max_length=100) - style = models.CharField(choices=STYLE_CHOICES, default='friendly', max_length=100) +class Snippet(models.Model): + created = models.DateTimeField(auto_now_add=True) + title = models.CharField(max_length=100, blank=True, default="") + code = models.TextField() + linenos = models.BooleanField(default=False) + language = models.CharField( + choices=LANGUAGE_CHOICES, default="python", max_length=100 + ) + style = models.CharField(choices=STYLE_CHOICES, default="friendly", max_length=100) - class Meta: - ordering = ['created'] + class Meta: + ordering = ["created"] +``` We'll also need to create an initial migration for our snippet model, and sync the database for the first time. - python manage.py makemigrations snippets - python manage.py migrate snippets +```bash +python manage.py makemigrations snippets +python manage.py migrate snippets +``` ## Creating a Serializer class The first thing we need to get started on our Web API is to provide a way of serializing and deserializing the snippet instances into representations such as `json`. We can do this by declaring serializers that work very similar to Django's forms. Create a file in the `snippets` directory named `serializers.py` and add the following. - from rest_framework import serializers - from snippets.models import Snippet, LANGUAGE_CHOICES, STYLE_CHOICES +```python +from rest_framework import serializers +from snippets.models import Snippet, LANGUAGE_CHOICES, STYLE_CHOICES - class SnippetSerializer(serializers.Serializer): - id = serializers.IntegerField(read_only=True) - title = serializers.CharField(required=False, allow_blank=True, max_length=100) - code = serializers.CharField(style={'base_template': 'textarea.html'}) - linenos = serializers.BooleanField(required=False) - language = serializers.ChoiceField(choices=LANGUAGE_CHOICES, default='python') - style = serializers.ChoiceField(choices=STYLE_CHOICES, default='friendly') +class SnippetSerializer(serializers.Serializer): + id = serializers.IntegerField(read_only=True) + title = serializers.CharField(required=False, allow_blank=True, max_length=100) + code = serializers.CharField(style={"base_template": "textarea.html"}) + linenos = serializers.BooleanField(required=False) + language = serializers.ChoiceField(choices=LANGUAGE_CHOICES, default="python") + style = serializers.ChoiceField(choices=STYLE_CHOICES, default="friendly") - def create(self, validated_data): - """ - Create and return a new `Snippet` instance, given the validated data. - """ - return Snippet.objects.create(**validated_data) + def create(self, validated_data): + """ + Create and return a new `Snippet` instance, given the validated data. + """ + return Snippet.objects.create(**validated_data) - def update(self, instance, validated_data): - """ - Update and return an existing `Snippet` instance, given the validated data. - """ - instance.title = validated_data.get('title', instance.title) - instance.code = validated_data.get('code', instance.code) - instance.linenos = validated_data.get('linenos', instance.linenos) - instance.language = validated_data.get('language', instance.language) - instance.style = validated_data.get('style', instance.style) - instance.save() - return instance + def update(self, instance, validated_data): + """ + Update and return an existing `Snippet` instance, given the validated data. + """ + instance.title = validated_data.get("title", instance.title) + instance.code = validated_data.get("code", instance.code) + instance.linenos = validated_data.get("linenos", instance.linenos) + instance.language = validated_data.get("language", instance.language) + instance.style = validated_data.get("style", instance.style) + instance.save() + return instance +``` The first part of the serializer class defines the fields that get serialized/deserialized. The `create()` and `update()` methods define how fully fledged instances are created or modified when calling `serializer.save()` @@ -125,57 +141,71 @@ We can actually also save ourselves some time by using the `ModelSerializer` cla Before we go any further we'll familiarize ourselves with using our new Serializer class. Let's drop into the Django shell. - python manage.py shell +```bash +python manage.py shell +``` Okay, once we've got a few imports out of the way, let's create a couple of code snippets to work with. - from snippets.models import Snippet - from snippets.serializers import SnippetSerializer - from rest_framework.renderers import JSONRenderer - from rest_framework.parsers import JSONParser +```pycon +>>> from snippets.models import Snippet +>>> from snippets.serializers import SnippetSerializer +>>> from rest_framework.renderers import JSONRenderer +>>> from rest_framework.parsers import JSONParser - snippet = Snippet(code='foo = "bar"\n') - snippet.save() +>>> snippet = Snippet(code='foo = "bar"\n') +>>> snippet.save() - snippet = Snippet(code='print("hello, world")\n') - snippet.save() +>>> snippet = Snippet(code='print("hello, world")\n') +>>> snippet.save() +``` We've now got a few snippet instances to play with. Let's take a look at serializing one of those instances. - serializer = SnippetSerializer(snippet) - serializer.data - # {'id': 2, 'title': '', 'code': 'print("hello, world")\n', 'linenos': False, 'language': 'python', 'style': 'friendly'} +```pycon +>>> serializer = SnippetSerializer(snippet) +>>> serializer.data +{'id': 2, 'title': '', 'code': 'print("hello, world")\n', 'linenos': False, 'language': 'python', 'style': 'friendly'} +``` At this point we've translated the model instance into Python native datatypes. To finalize the serialization process we render the data into `json`. - content = JSONRenderer().render(serializer.data) - content - # b'{"id":2,"title":"","code":"print(\\"hello, world\\")\\n","linenos":false,"language":"python","style":"friendly"}' +```pycon +>>> content = JSONRenderer().render(serializer.data) +>>> content +b'{"id":2,"title":"","code":"print(\\"hello, world\\")\\n","linenos":false,"language":"python","style":"friendly"}' +``` Deserialization is similar. First we parse a stream into Python native datatypes... - import io +```pycon +>>> import io - stream = io.BytesIO(content) - data = JSONParser().parse(stream) +>>> stream = io.BytesIO(content) +>>> data = JSONParser().parse(stream) +``` ...then we restore those native datatypes into a fully populated object instance. - serializer = SnippetSerializer(data=data) - serializer.is_valid() - # True - serializer.validated_data - # {'title': '', 'code': 'print("hello, world")', 'linenos': False, 'language': 'python', 'style': 'friendly'} - serializer.save() - # +```pycon +>>> serializer = SnippetSerializer(data=data) +>>> serializer.is_valid() +True +>>> serializer.validated_data +{'title': '', 'code': 'print("hello, world")', 'linenos': False, 'language': 'python', 'style': 'friendly'} +>>> serializer.save() + +``` Notice how similar the API is to working with forms. The similarity should become even more apparent when we start writing views that use our serializer. We can also serialize querysets instead of model instances. To do so we simply add a `many=True` flag to the serializer arguments. - serializer = SnippetSerializer(Snippet.objects.all(), many=True) - serializer.data - # [{'id': 1, 'title': '', 'code': 'foo = "bar"\n', 'linenos': False, 'language': 'python', 'style': 'friendly'}, {'id': 2, 'title': '', 'code': 'print("hello, world")\n', 'linenos': False, 'language': 'python', 'style': 'friendly'}, {'id': 3, 'title': '', 'code': 'print("hello, world")', 'linenos': False, 'language': 'python', 'style': 'friendly'}] +```pycon +>>> serializer = SnippetSerializer(Snippet.objects.all(), many=True) +>>> serializer.data +[{'id': 1, 'title': '', 'code': 'foo = "bar"\n', 'linenos': False, 'language': 'python', 'style': 'friendly'}, {'id': 2, 'title': '', 'code': 'print("hello, world")\n', 'linenos': False, 'language': 'python', 'style': 'friendly'}, {'id': 3, 'title': '', 'code': 'print("hello, world")', 'linenos': False, 'language': 'python', 'style': 'friendly'}] +``` ## Using ModelSerializers @@ -186,23 +216,28 @@ In the same way that Django provides both `Form` classes and `ModelForm` classes Let's look at refactoring our serializer using the `ModelSerializer` class. Open the file `snippets/serializers.py` again, and replace the `SnippetSerializer` class with the following. - class SnippetSerializer(serializers.ModelSerializer): - class Meta: - model = Snippet - fields = ['id', 'title', 'code', 'linenos', 'language', 'style'] +```python +class SnippetSerializer(serializers.ModelSerializer): + class Meta: + model = Snippet + fields = ["id", "title", "code", "linenos", "language", "style"] +``` One nice property that serializers have is that you can inspect all the fields in a serializer instance, by printing its representation. Open the Django shell with `python manage.py shell`, then try the following: - from snippets.serializers import SnippetSerializer - serializer = SnippetSerializer() - print(repr(serializer)) - # SnippetSerializer(): - # id = IntegerField(label='ID', read_only=True) - # title = CharField(allow_blank=True, max_length=100, required=False) - # code = CharField(style={'base_template': 'textarea.html'}) - # linenos = BooleanField(required=False) - # language = ChoiceField(choices=[('Clipper', 'FoxPro'), ('Cucumber', 'Gherkin'), ('RobotFramework', 'RobotFramework'), ('abap', 'ABAP'), ('ada', 'Ada')... - # style = ChoiceField(choices=[('autumn', 'autumn'), ('borland', 'borland'), ('bw', 'bw'), ('colorful', 'colorful')... +```pycon +>>> from snippets.serializers import SnippetSerializer + +>>> serializer = SnippetSerializer() +>>> print(repr(serializer)) +SnippetSerializer(): + id = IntegerField(label='ID', read_only=True) + title = CharField(allow_blank=True, max_length=100, required=False) + code = CharField(style={'base_template': 'textarea.html'}) + linenos = BooleanField(required=False) + language = ChoiceField(choices=[('Clipper', 'FoxPro'), ('Cucumber', 'Gherkin'), ('RobotFramework', 'RobotFramework'), ('abap', 'ABAP'), ('ada', 'Ada')... + style = ChoiceField(choices=[('autumn', 'autumn'), ('borland', 'borland'), ('bw', 'bw'), ('colorful', 'colorful')... +``` It's important to remember that `ModelSerializer` classes don't do anything particularly magical, they are simply a shortcut for creating serializer classes: @@ -216,79 +251,89 @@ For the moment we won't use any of REST framework's other features, we'll just w Edit the `snippets/views.py` file, and add the following. - from django.http import HttpResponse, JsonResponse - from django.views.decorators.csrf import csrf_exempt - from rest_framework.parsers import JSONParser - from snippets.models import Snippet - from snippets.serializers import SnippetSerializer +```python +from django.http import HttpResponse, JsonResponse +from django.views.decorators.csrf import csrf_exempt +from rest_framework.parsers import JSONParser +from snippets.models import Snippet +from snippets.serializers import SnippetSerializer +``` The root of our API is going to be a view that supports listing all the existing snippets, or creating a new snippet. - @csrf_exempt - def snippet_list(request): - """ - List all code snippets, or create a new snippet. - """ - if request.method == 'GET': - snippets = Snippet.objects.all() - serializer = SnippetSerializer(snippets, many=True) - return JsonResponse(serializer.data, safe=False) +```python +@csrf_exempt +def snippet_list(request): + """ + List all code snippets, or create a new snippet. + """ + if request.method == "GET": + snippets = Snippet.objects.all() + serializer = SnippetSerializer(snippets, many=True) + return JsonResponse(serializer.data, safe=False) - elif request.method == 'POST': - data = JSONParser().parse(request) - serializer = SnippetSerializer(data=data) - if serializer.is_valid(): - serializer.save() - return JsonResponse(serializer.data, status=201) - return JsonResponse(serializer.errors, status=400) + elif request.method == "POST": + data = JSONParser().parse(request) + serializer = SnippetSerializer(data=data) + if serializer.is_valid(): + serializer.save() + return JsonResponse(serializer.data, status=201) + return JsonResponse(serializer.errors, status=400) +``` Note that because we want to be able to POST to this view from clients that won't have a CSRF token we need to mark the view as `csrf_exempt`. This isn't something that you'd normally want to do, and REST framework views actually use more sensible behavior than this, but it'll do for our purposes right now. We'll also need a view which corresponds to an individual snippet, and can be used to retrieve, update or delete the snippet. - @csrf_exempt - def snippet_detail(request, pk): - """ - Retrieve, update or delete a code snippet. - """ - try: - snippet = Snippet.objects.get(pk=pk) - except Snippet.DoesNotExist: - return HttpResponse(status=404) +```python +@csrf_exempt +def snippet_detail(request, pk): + """ + Retrieve, update or delete a code snippet. + """ + try: + snippet = Snippet.objects.get(pk=pk) + except Snippet.DoesNotExist: + return HttpResponse(status=404) - if request.method == 'GET': - serializer = SnippetSerializer(snippet) + if request.method == "GET": + serializer = SnippetSerializer(snippet) + return JsonResponse(serializer.data) + + elif request.method == "PUT": + data = JSONParser().parse(request) + serializer = SnippetSerializer(snippet, data=data) + if serializer.is_valid(): + serializer.save() return JsonResponse(serializer.data) + return JsonResponse(serializer.errors, status=400) - elif request.method == 'PUT': - data = JSONParser().parse(request) - serializer = SnippetSerializer(snippet, data=data) - if serializer.is_valid(): - serializer.save() - return JsonResponse(serializer.data) - return JsonResponse(serializer.errors, status=400) - - elif request.method == 'DELETE': - snippet.delete() - return HttpResponse(status=204) + elif request.method == "DELETE": + snippet.delete() + return HttpResponse(status=204) +``` Finally we need to wire these views up. Create the `snippets/urls.py` file: - from django.urls import path - from snippets import views +```python +from django.urls import path +from snippets import views - urlpatterns = [ - path('snippets/', views.snippet_list), - path('snippets//', views.snippet_detail), - ] +urlpatterns = [ + path("snippets/", views.snippet_list), + path("snippets//", views.snippet_detail), +] +``` We also need to wire up the root urlconf, in the `tutorial/urls.py` file, to include our snippet app's URLs. - from django.urls import path, include +```python +from django.urls import path, include - urlpatterns = [ - path('', include('snippets.urls')), - ] +urlpatterns = [ + path("", include("snippets.urls")), +] +``` It's worth noting that there are a couple of edge cases we're not dealing with properly at the moment. If we send malformed `json`, or if a request is made with a method that the view doesn't handle, then we'll end up with a 500 "server error" response. Still, this'll do for now. @@ -298,18 +343,22 @@ Now we can start up a sample server that serves our snippets. Quit out of the shell... - quit() +```pycon +>>> quit() +``` ...and start up Django's development server. - python manage.py runserver +```bash +python manage.py runserver - Validating models... +Validating models... - 0 errors found - Django version 5.0, using settings 'tutorial.settings' - Starting Development server at http://127.0.0.1:8000/ - Quit the server with CONTROL-C. +0 errors found +Django version 5.0, using settings 'tutorial.settings' +Starting Development server at http://127.0.0.1:8000/ +Quit the server with CONTROL-C. +``` In another terminal window, we can test the server. @@ -317,47 +366,26 @@ We can test our API using [curl][curl] or [httpie][httpie]. Httpie is a user fri You can install httpie using pip: - pip install httpie +```bash +pip install httpie +``` Finally, we can get a list of all of the snippets: - http GET http://127.0.0.1:8000/snippets/ --unsorted +```bash +http GET http://127.0.0.1:8000/snippets/ --unsorted - HTTP/1.1 200 OK - ... - [ - { - "id": 1, - "title": "", - "code": "foo = \"bar\"\n", - "linenos": false, - "language": "python", - "style": "friendly" - }, - { - "id": 2, - "title": "", - "code": "print(\"hello, world\")\n", - "linenos": false, - "language": "python", - "style": "friendly" - }, - { - "id": 3, - "title": "", - "code": "print(\"hello, world\")", - "linenos": false, - "language": "python", - "style": "friendly" - } - ] - -Or we can get a particular snippet by referencing its id: - - http GET http://127.0.0.1:8000/snippets/2/ --unsorted - - HTTP/1.1 200 OK - ... +HTTP/1.1 200 OK +... +[ + { + "id": 1, + "title": "", + "code": "foo = \"bar\"\n", + "linenos": false, + "language": "python", + "style": "friendly" + }, { "id": 2, "title": "", @@ -365,7 +393,34 @@ Or we can get a particular snippet by referencing its id: "linenos": false, "language": "python", "style": "friendly" + }, + { + "id": 3, + "title": "", + "code": "print(\"hello, world\")", + "linenos": false, + "language": "python", + "style": "friendly" } +] +``` + +Or we can get a particular snippet by referencing its id: + +```bash +http GET http://127.0.0.1:8000/snippets/2/ --unsorted + +HTTP/1.1 200 OK +... +{ + "id": 2, + "title": "", + "code": "print(\"hello, world\")\n", + "linenos": false, + "language": "python", + "style": "friendly" +} +``` Similarly, you can have the same json displayed by visiting these URLs in a web browser. diff --git a/docs/tutorial/2-requests-and-responses.md b/docs/tutorial/2-requests-and-responses.md index 47c7facfc..fceb118bd 100644 --- a/docs/tutorial/2-requests-and-responses.md +++ b/docs/tutorial/2-requests-and-responses.md @@ -7,14 +7,18 @@ Let's introduce a couple of essential building blocks. REST framework introduces a `Request` object that extends the regular `HttpRequest`, and provides more flexible request parsing. The core functionality of the `Request` object is the `request.data` attribute, which is similar to `request.POST`, but more useful for working with Web APIs. - request.POST # Only handles form data. Only works for 'POST' method. - request.data # Handles arbitrary data. Works for 'POST', 'PUT' and 'PATCH' methods. +```python +request.POST # Only handles form data. Only works for 'POST' method. +request.data # Handles arbitrary data. Works for 'POST', 'PUT' and 'PATCH' methods. +``` ## Response objects REST framework also introduces a `Response` object, which is a type of `TemplateResponse` that takes unrendered content and uses content negotiation to determine the correct content type to return to the client. - return Response(data) # Renders to content type as requested by the client. +```python +return Response(data) # Renders to content type as requested by the client. +``` ## Status codes @@ -35,58 +39,62 @@ The wrappers also provide behavior such as returning `405 Method Not Allowed` re Okay, let's go ahead and start using these new components to refactor our views slightly. - from rest_framework import status - from rest_framework.decorators import api_view - from rest_framework.response import Response - from snippets.models import Snippet - from snippets.serializers import SnippetSerializer +```python +from rest_framework import status +from rest_framework.decorators import api_view +from rest_framework.response import Response +from snippets.models import Snippet +from snippets.serializers import SnippetSerializer - @api_view(['GET', 'POST']) - def snippet_list(request): - """ - List all code snippets, or create a new snippet. - """ - if request.method == 'GET': - snippets = Snippet.objects.all() - serializer = SnippetSerializer(snippets, many=True) - return Response(serializer.data) +@api_view(["GET", "POST"]) +def snippet_list(request): + """ + List all code snippets, or create a new snippet. + """ + if request.method == "GET": + snippets = Snippet.objects.all() + serializer = SnippetSerializer(snippets, many=True) + return Response(serializer.data) - elif request.method == 'POST': - serializer = SnippetSerializer(data=request.data) - if serializer.is_valid(): - serializer.save() - return Response(serializer.data, status=status.HTTP_201_CREATED) - return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + elif request.method == "POST": + serializer = SnippetSerializer(data=request.data) + if serializer.is_valid(): + serializer.save() + return Response(serializer.data, status=status.HTTP_201_CREATED) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) +``` Our instance view is an improvement over the previous example. It's a little more concise, and the code now feels very similar to if we were working with the Forms API. We're also using named status codes, which makes the response meanings more obvious. Here is the view for an individual snippet, in the `views.py` module. - @api_view(['GET', 'PUT', 'DELETE']) - def snippet_detail(request, pk): - """ - Retrieve, update or delete a code snippet. - """ - try: - snippet = Snippet.objects.get(pk=pk) - except Snippet.DoesNotExist: - return Response(status=status.HTTP_404_NOT_FOUND) +```python +@api_view(["GET", "PUT", "DELETE"]) +def snippet_detail(request, pk): + """ + Retrieve, update or delete a code snippet. + """ + try: + snippet = Snippet.objects.get(pk=pk) + except Snippet.DoesNotExist: + return Response(status=status.HTTP_404_NOT_FOUND) - if request.method == 'GET': - serializer = SnippetSerializer(snippet) + if request.method == "GET": + serializer = SnippetSerializer(snippet) + return Response(serializer.data) + + elif request.method == "PUT": + serializer = SnippetSerializer(snippet, data=request.data) + if serializer.is_valid(): + serializer.save() return Response(serializer.data) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) - elif request.method == 'PUT': - serializer = SnippetSerializer(snippet, data=request.data) - if serializer.is_valid(): - serializer.save() - return Response(serializer.data) - return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) - - elif request.method == 'DELETE': - snippet.delete() - return Response(status=status.HTTP_204_NO_CONTENT) + elif request.method == "DELETE": + snippet.delete() + return Response(status=status.HTTP_204_NO_CONTENT) +``` This should all feel very familiar - it is not a lot different from working with regular Django views. @@ -94,28 +102,27 @@ Notice that we're no longer explicitly tying our requests or responses to a give ## Adding optional format suffixes to our URLs -To take advantage of the fact that our responses are no longer hardwired to a single content type let's add support for format suffixes to our API endpoints. Using format suffixes gives us URLs that explicitly refer to a given format, and means our API will be able to handle URLs such as [http://example.com/api/items/4.json][json-url]. +To take advantage of the fact that our responses are no longer hardwired to a single content type let's add support for format suffixes to our API endpoints. Using format suffixes gives us URLs that explicitly refer to a given format, and means our API will be able to handle URLs such as [][json-url]. Start by adding a `format` keyword argument to both of the views, like so. - - def snippet_list(request, format=None): - +`def snippet_list(request, format=None):` and - - def snippet_detail(request, pk, format=None): +`def snippet_detail(request, pk, format=None):` Now update the `snippets/urls.py` file slightly, to append a set of `format_suffix_patterns` in addition to the existing URLs. - from django.urls import path - from rest_framework.urlpatterns import format_suffix_patterns - from snippets import views +```python +from django.urls import path +from rest_framework.urlpatterns import format_suffix_patterns +from snippets import views - urlpatterns = [ - path('snippets/', views.snippet_list), - path('snippets//', views.snippet_detail), - ] +urlpatterns = [ + path("snippets/", views.snippet_list), + path("snippets//", views.snippet_detail), +] - urlpatterns = format_suffix_patterns(urlpatterns) +urlpatterns = format_suffix_patterns(urlpatterns) +``` We don't necessarily need to add these extra url patterns in, but it gives us a simple, clean way of referring to a specific format. @@ -125,68 +132,76 @@ Go ahead and test the API from the command line, as we did in [tutorial part 1][ We can get a list of all of the snippets, as before. - http http://127.0.0.1:8000/snippets/ +```bash +http http://127.0.0.1:8000/snippets/ - HTTP/1.1 200 OK - ... - [ - { - "id": 1, - "title": "", - "code": "foo = \"bar\"\n", - "linenos": false, - "language": "python", - "style": "friendly" - }, - { - "id": 2, - "title": "", - "code": "print(\"hello, world\")\n", - "linenos": false, - "language": "python", - "style": "friendly" - } - ] +HTTP/1.1 200 OK +... +[ + { + "id": 1, + "title": "", + "code": "foo = \"bar\"\n", + "linenos": false, + "language": "python", + "style": "friendly" + }, + { + "id": 2, + "title": "", + "code": "print(\"hello, world\")\n", + "linenos": false, + "language": "python", + "style": "friendly" + } +] +``` We can control the format of the response that we get back, either by using the `Accept` header: - http http://127.0.0.1:8000/snippets/ Accept:application/json # Request JSON - http http://127.0.0.1:8000/snippets/ Accept:text/html # Request HTML +```bash +http http://127.0.0.1:8000/snippets/ Accept:application/json # Request JSON +http http://127.0.0.1:8000/snippets/ Accept:text/html # Request HTML +``` Or by appending a format suffix: - http http://127.0.0.1:8000/snippets.json # JSON suffix - http http://127.0.0.1:8000/snippets.api # Browsable API suffix +```bash +http http://127.0.0.1:8000/snippets.json # JSON suffix +http http://127.0.0.1:8000/snippets.api # Browsable API suffix +``` Similarly, we can control the format of the request that we send, using the `Content-Type` header. - # POST using form data - http --form POST http://127.0.0.1:8000/snippets/ code="print(123)" +```bash +# POST using form data +http --form POST http://127.0.0.1:8000/snippets/ code="print(123)" - { - "id": 3, - "title": "", - "code": "print(123)", - "linenos": false, - "language": "python", - "style": "friendly" - } +{ + "id": 3, + "title": "", + "code": "print(123)", + "linenos": false, + "language": "python", + "style": "friendly" +} - # POST using JSON - http --json POST http://127.0.0.1:8000/snippets/ code="print(456)" +# POST using JSON +http --json POST http://127.0.0.1:8000/snippets/ code="print(456)" - { - "id": 4, - "title": "", - "code": "print(456)", - "linenos": false, - "language": "python", - "style": "friendly" - } +{ + "id": 4, + "title": "", + "code": "print(456)", + "linenos": false, + "language": "python", + "style": "friendly" +} +``` If you add a `--debug` switch to the `http` requests above, you will be able to see the request type in request headers. -Now go and open the API in a web browser, by visiting [http://127.0.0.1:8000/snippets/][devserver]. +Now go and open the API in a web browser, by visiting [][devserver]. ### Browsability diff --git a/docs/tutorial/3-class-based-views.md b/docs/tutorial/3-class-based-views.md index ccfcd095d..59aee8813 100644 --- a/docs/tutorial/3-class-based-views.md +++ b/docs/tutorial/3-class-based-views.md @@ -6,74 +6,82 @@ We can also write our API views using class-based views, rather than function ba We'll start by rewriting the root view as a class-based view. All this involves is a little bit of refactoring of `views.py`. - from snippets.models import Snippet - from snippets.serializers import SnippetSerializer - from django.http import Http404 - from rest_framework.views import APIView - from rest_framework.response import Response - from rest_framework import status +```python +from snippets.models import Snippet +from snippets.serializers import SnippetSerializer +from django.http import Http404 +from rest_framework.views import APIView +from rest_framework.response import Response +from rest_framework import status - class SnippetList(APIView): - """ - List all snippets, or create a new snippet. - """ - def get(self, request, format=None): - snippets = Snippet.objects.all() - serializer = SnippetSerializer(snippets, many=True) - return Response(serializer.data) +class SnippetList(APIView): + """ + List all snippets, or create a new snippet. + """ - def post(self, request, format=None): - serializer = SnippetSerializer(data=request.data) - if serializer.is_valid(): - serializer.save() - return Response(serializer.data, status=status.HTTP_201_CREATED) - return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + def get(self, request, format=None): + snippets = Snippet.objects.all() + serializer = SnippetSerializer(snippets, many=True) + return Response(serializer.data) + + def post(self, request, format=None): + serializer = SnippetSerializer(data=request.data) + if serializer.is_valid(): + serializer.save() + return Response(serializer.data, status=status.HTTP_201_CREATED) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) +``` So far, so good. It looks pretty similar to the previous case, but we've got better separation between the different HTTP methods. We'll also need to update the instance view in `views.py`. - class SnippetDetail(APIView): - """ - Retrieve, update or delete a snippet instance. - """ - def get_object(self, pk): - try: - return Snippet.objects.get(pk=pk) - except Snippet.DoesNotExist: - raise Http404 +```python +class SnippetDetail(APIView): + """ + Retrieve, update or delete a snippet instance. + """ - def get(self, request, pk, format=None): - snippet = self.get_object(pk) - serializer = SnippetSerializer(snippet) + def get_object(self, pk): + try: + return Snippet.objects.get(pk=pk) + except Snippet.DoesNotExist: + raise Http404 + + def get(self, request, pk, format=None): + snippet = self.get_object(pk) + serializer = SnippetSerializer(snippet) + return Response(serializer.data) + + def put(self, request, pk, format=None): + snippet = self.get_object(pk) + serializer = SnippetSerializer(snippet, data=request.data) + if serializer.is_valid(): + serializer.save() return Response(serializer.data) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) - def put(self, request, pk, format=None): - snippet = self.get_object(pk) - serializer = SnippetSerializer(snippet, data=request.data) - if serializer.is_valid(): - serializer.save() - return Response(serializer.data) - return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) - - def delete(self, request, pk, format=None): - snippet = self.get_object(pk) - snippet.delete() - return Response(status=status.HTTP_204_NO_CONTENT) + def delete(self, request, pk, format=None): + snippet = self.get_object(pk) + snippet.delete() + return Response(status=status.HTTP_204_NO_CONTENT) +``` That's looking good. Again, it's still pretty similar to the function based view right now. We'll also need to refactor our `snippets/urls.py` slightly now that we're using class-based views. - from django.urls import path - from rest_framework.urlpatterns import format_suffix_patterns - from snippets import views +```python +from django.urls import path +from rest_framework.urlpatterns import format_suffix_patterns +from snippets import views - urlpatterns = [ - path('snippets/', views.SnippetList.as_view()), - path('snippets//', views.SnippetDetail.as_view()), - ] +urlpatterns = [ + path("snippets/", views.SnippetList.as_view()), + path("snippets//", views.SnippetDetail.as_view()), +] - urlpatterns = format_suffix_patterns(urlpatterns) +urlpatterns = format_suffix_patterns(urlpatterns) +``` Okay, we're done. If you run the development server everything should be working just as before. @@ -85,42 +93,49 @@ The create/retrieve/update/delete operations that we've been using so far are go Let's take a look at how we can compose the views by using the mixin classes. Here's our `views.py` module again. - from snippets.models import Snippet - from snippets.serializers import SnippetSerializer - from rest_framework import mixins - from rest_framework import generics +```python +from snippets.models import Snippet +from snippets.serializers import SnippetSerializer +from rest_framework import mixins +from rest_framework import generics - class SnippetList(mixins.ListModelMixin, - mixins.CreateModelMixin, - generics.GenericAPIView): - queryset = Snippet.objects.all() - serializer_class = SnippetSerializer - def get(self, request, *args, **kwargs): - return self.list(request, *args, **kwargs) +class SnippetList( + mixins.ListModelMixin, mixins.CreateModelMixin, generics.GenericAPIView +): + queryset = Snippet.objects.all() + serializer_class = SnippetSerializer - def post(self, request, *args, **kwargs): - return self.create(request, *args, **kwargs) + def get(self, request, *args, **kwargs): + return self.list(request, *args, **kwargs) + + def post(self, request, *args, **kwargs): + return self.create(request, *args, **kwargs) +``` We'll take a moment to examine exactly what's happening here. We're building our view using `GenericAPIView`, and adding in `ListModelMixin` and `CreateModelMixin`. The base class provides the core functionality, and the mixin classes provide the `.list()` and `.create()` actions. We're then explicitly binding the `get` and `post` methods to the appropriate actions. Simple enough stuff so far. - class SnippetDetail(mixins.RetrieveModelMixin, - mixins.UpdateModelMixin, - mixins.DestroyModelMixin, - generics.GenericAPIView): - queryset = Snippet.objects.all() - serializer_class = SnippetSerializer +```python +class SnippetDetail( + mixins.RetrieveModelMixin, + mixins.UpdateModelMixin, + mixins.DestroyModelMixin, + generics.GenericAPIView, +): + queryset = Snippet.objects.all() + serializer_class = SnippetSerializer - def get(self, request, *args, **kwargs): - return self.retrieve(request, *args, **kwargs) + def get(self, request, *args, **kwargs): + return self.retrieve(request, *args, **kwargs) - def put(self, request, *args, **kwargs): - return self.update(request, *args, **kwargs) + def put(self, request, *args, **kwargs): + return self.update(request, *args, **kwargs) - def delete(self, request, *args, **kwargs): - return self.destroy(request, *args, **kwargs) + def delete(self, request, *args, **kwargs): + return self.destroy(request, *args, **kwargs) +``` Pretty similar. Again we're using the `GenericAPIView` class to provide the core functionality, and adding in mixins to provide the `.retrieve()`, `.update()` and `.destroy()` actions. @@ -128,19 +143,21 @@ Pretty similar. Again we're using the `GenericAPIView` class to provide the cor Using the mixin classes we've rewritten the views to use slightly less code than before, but we can go one step further. REST framework provides a set of already mixed-in generic views that we can use to trim down our `views.py` module even more. - from snippets.models import Snippet - from snippets.serializers import SnippetSerializer - from rest_framework import generics +```python +from snippets.models import Snippet +from snippets.serializers import SnippetSerializer +from rest_framework import generics - class SnippetList(generics.ListCreateAPIView): - queryset = Snippet.objects.all() - serializer_class = SnippetSerializer +class SnippetList(generics.ListCreateAPIView): + queryset = Snippet.objects.all() + serializer_class = SnippetSerializer - class SnippetDetail(generics.RetrieveUpdateDestroyAPIView): - queryset = Snippet.objects.all() - serializer_class = SnippetSerializer +class SnippetDetail(generics.RetrieveUpdateDestroyAPIView): + queryset = Snippet.objects.all() + serializer_class = SnippetSerializer +``` Wow, that's pretty concise. We've gotten a huge amount for free, and our code looks like good, clean, idiomatic Django. diff --git a/docs/tutorial/4-authentication-and-permissions.md b/docs/tutorial/4-authentication-and-permissions.md index cb0321ea2..a1c3359e2 100644 --- a/docs/tutorial/4-authentication-and-permissions.md +++ b/docs/tutorial/4-authentication-and-permissions.md @@ -14,81 +14,103 @@ First, let's add a couple of fields. One of those fields will be used to repres Add the following two fields to the `Snippet` model in `models.py`. - owner = models.ForeignKey('auth.User', related_name='snippets', on_delete=models.CASCADE) - highlighted = models.TextField() +```python +owner = models.ForeignKey( + "auth.User", related_name="snippets", on_delete=models.CASCADE +) +highlighted = models.TextField() +``` We'd also need to make sure that when the model is saved, that we populate the highlighted field, using the `pygments` code highlighting library. We'll need some extra imports: - from pygments.lexers import get_lexer_by_name - from pygments.formatters.html import HtmlFormatter - from pygments import highlight +```python +from pygments.lexers import get_lexer_by_name +from pygments.formatters.html import HtmlFormatter +from pygments import highlight +``` And now we can add a `.save()` method to our model class: - def save(self, *args, **kwargs): - """ - Use the `pygments` library to create a highlighted HTML - representation of the code snippet. - """ - lexer = get_lexer_by_name(self.language) - linenos = 'table' if self.linenos else False - options = {'title': self.title} if self.title else {} - formatter = HtmlFormatter(style=self.style, linenos=linenos, - full=True, **options) - self.highlighted = highlight(self.code, lexer, formatter) - super().save(*args, **kwargs) +```python +def save(self, *args, **kwargs): + """ + Use the `pygments` library to create a highlighted HTML + representation of the code snippet. + """ + lexer = get_lexer_by_name(self.language) + linenos = "table" if self.linenos else False + options = {"title": self.title} if self.title else {} + formatter = HtmlFormatter(style=self.style, linenos=linenos, full=True, **options) + self.highlighted = highlight(self.code, lexer, formatter) + super().save(*args, **kwargs) +``` When that's all done we'll need to update our database tables. Normally we'd create a database migration in order to do that, but for the purposes of this tutorial, let's just delete the database and start again. - rm -f db.sqlite3 - rm -r snippets/migrations - python manage.py makemigrations snippets - python manage.py migrate +```bash +rm -f db.sqlite3 +rm -r snippets/migrations +python manage.py makemigrations snippets +python manage.py migrate +``` You might also want to create a few different users, to use for testing the API. The quickest way to do this will be with the `createsuperuser` command. - python manage.py createsuperuser +```bash +python manage.py createsuperuser +``` ## Adding endpoints for our User models Now that we've got some users to work with, we'd better add representations of those users to our API. Creating a new serializer is easy. In `serializers.py` add: - from django.contrib.auth.models import User +```python +from django.contrib.auth.models import User - class UserSerializer(serializers.ModelSerializer): - snippets = serializers.PrimaryKeyRelatedField(many=True, queryset=Snippet.objects.all()) - class Meta: - model = User - fields = ['id', 'username', 'snippets'] +class UserSerializer(serializers.ModelSerializer): + snippets = serializers.PrimaryKeyRelatedField( + many=True, queryset=Snippet.objects.all() + ) + + class Meta: + model = User + fields = ["id", "username", "snippets"] +``` Because `'snippets'` is a *reverse* relationship on the User model, it will not be included by default when using the `ModelSerializer` class, so we needed to add an explicit field for it. We'll also add a couple of views to `views.py`. We'd like to just use read-only views for the user representations, so we'll use the `ListAPIView` and `RetrieveAPIView` generic class-based views. - from django.contrib.auth.models import User +```python +from django.contrib.auth.models import User - class UserList(generics.ListAPIView): - queryset = User.objects.all() - serializer_class = UserSerializer +class UserList(generics.ListAPIView): + queryset = User.objects.all() + serializer_class = UserSerializer - class UserDetail(generics.RetrieveAPIView): - queryset = User.objects.all() - serializer_class = UserSerializer +class UserDetail(generics.RetrieveAPIView): + queryset = User.objects.all() + serializer_class = UserSerializer +``` Make sure to also import the `UserSerializer` class - from snippets.serializers import UserSerializer +```python +from snippets.serializers import UserSerializer +``` Finally we need to add those views into the API, by referencing them from the URL conf. Add the following to the patterns in `snippets/urls.py`. - path('users/', views.UserList.as_view()), - path('users//', views.UserDetail.as_view()), +```python +path("users/", views.UserList.as_view()), +path("users//", views.UserDetail.as_view()), +``` ## Associating Snippets with Users @@ -98,8 +120,10 @@ The way we deal with that is by overriding a `.perform_create()` method on our s On the `SnippetList` view class, add the following method: - def perform_create(self, serializer): - serializer.save(owner=self.request.user) +```python +def perform_create(self, serializer): + serializer.save(owner=self.request.user) +``` The `create()` method of our serializer will now be passed an additional `'owner'` field, along with the validated data from the request. @@ -107,9 +131,12 @@ The `create()` method of our serializer will now be passed an additional `'owner Now that snippets are associated with the user that created them, let's update our `SnippetSerializer` to reflect that. Add the following field to the serializer definition in `serializers.py`: - owner = serializers.ReadOnlyField(source='owner.username') +```python +owner = serializers.ReadOnlyField(source="owner.username") +``` -**Note**: Make sure you also add `'owner',` to the list of fields in the inner `Meta` class. +!!! note + Make sure you also add `'owner',` to the list of fields in the inner `Meta` class. This field is doing something quite interesting. The `source` argument controls which attribute is used to populate a field, and can point at any attribute on the serialized instance. It can also take the dotted notation shown above, in which case it will traverse the given attributes, in a similar way as it is used with Django's template language. @@ -123,11 +150,15 @@ REST framework includes a number of permission classes that we can use to restri First add the following import in the views module - from rest_framework import permissions +```python +from rest_framework import permissions +``` Then, add the following property to **both** the `SnippetList` and `SnippetDetail` view classes. - permission_classes = [permissions.IsAuthenticatedOrReadOnly] +```python +permission_classes = [permissions.IsAuthenticatedOrReadOnly] +``` ## Adding login to the Browsable API @@ -137,13 +168,17 @@ We can add a login view for use with the browsable API, by editing the URLconf i Add the following import at the top of the file: - from django.urls import path, include +```python +from django.urls import path, include +``` And, at the end of the file, add a pattern to include the login and logout views for the browsable API. - urlpatterns += [ - path('api-auth/', include('rest_framework.urls')), - ] +```python +urlpatterns += [ + path("api-auth/", include("rest_framework.urls")), +] +``` The `'api-auth/'` part of pattern can actually be whatever URL you want to use. @@ -159,31 +194,36 @@ To do that we're going to need to create a custom permission. In the snippets app, create a new file, `permissions.py` - from rest_framework import permissions +```python +from rest_framework import permissions - class IsOwnerOrReadOnly(permissions.BasePermission): - """ - Custom permission to only allow owners of an object to edit it. - """ +class IsOwnerOrReadOnly(permissions.BasePermission): + """ + Custom permission to only allow owners of an object to edit it. + """ - def has_object_permission(self, request, view, obj): - # Read permissions are allowed to any request, - # so we'll always allow GET, HEAD or OPTIONS requests. - if request.method in permissions.SAFE_METHODS: - return True + def has_object_permission(self, request, view, obj): + # Read permissions are allowed to any request, + # so we'll always allow GET, HEAD or OPTIONS requests. + if request.method in permissions.SAFE_METHODS: + return True - # Write permissions are only allowed to the owner of the snippet. - return obj.owner == request.user + # Write permissions are only allowed to the owner of the snippet. + return obj.owner == request.user +``` Now we can add that custom permission to our snippet instance endpoint, by editing the `permission_classes` property on the `SnippetDetail` view class: - permission_classes = [permissions.IsAuthenticatedOrReadOnly, - IsOwnerOrReadOnly] +```python +permission_classes = [permissions.IsAuthenticatedOrReadOnly, IsOwnerOrReadOnly] +``` Make sure to also import the `IsOwnerOrReadOnly` class. - from snippets.permissions import IsOwnerOrReadOnly +```python +from snippets.permissions import IsOwnerOrReadOnly +``` Now, if you open a browser again, you find that the 'DELETE' and 'PUT' actions only appear on a snippet instance endpoint if you're logged in as the same user that created the code snippet. @@ -197,25 +237,29 @@ If we're interacting with the API programmatically we need to explicitly provide If we try to create a snippet without authenticating, we'll get an error: - http POST http://127.0.0.1:8000/snippets/ code="print(123)" +```bash +http POST http://127.0.0.1:8000/snippets/ code="print(123)" - { - "detail": "Authentication credentials were not provided." - } +{ + "detail": "Authentication credentials were not provided." +} +``` We can make a successful request by including the username and password of one of the users we created earlier. - http -a admin:password123 POST http://127.0.0.1:8000/snippets/ code="print(789)" +```bash +http -a admin:password123 POST http://127.0.0.1:8000/snippets/ code="print(789)" - { - "id": 1, - "owner": "admin", - "title": "foo", - "code": "print(789)", - "linenos": false, - "language": "python", - "style": "friendly" - } +{ + "id": 1, + "owner": "admin", + "title": "foo", + "code": "print(789)", + "linenos": false, + "language": "python", + "style": "friendly" +} +``` ## Summary diff --git a/docs/tutorial/5-relationships-and-hyperlinked-apis.md b/docs/tutorial/5-relationships-and-hyperlinked-apis.md index f5aaee2bb..49b069c9e 100644 --- a/docs/tutorial/5-relationships-and-hyperlinked-apis.md +++ b/docs/tutorial/5-relationships-and-hyperlinked-apis.md @@ -6,17 +6,21 @@ At the moment relationships within our API are represented by using primary keys Right now we have endpoints for 'snippets' and 'users', but we don't have a single entry point to our API. To create one, we'll use a regular function-based view and the `@api_view` decorator we introduced earlier. In your `snippets/views.py` add: - from rest_framework.decorators import api_view - from rest_framework.response import Response - from rest_framework.reverse import reverse +```python +from rest_framework.decorators import api_view +from rest_framework.response import Response +from rest_framework.reverse import reverse - @api_view(['GET']) - def api_root(request, format=None): - return Response({ - 'users': reverse('user-list', request=request, format=format), - 'snippets': reverse('snippet-list', request=request, format=format) - }) +@api_view(["GET"]) +def api_root(request, format=None): + return Response( + { + "users": reverse("user-list", request=request, format=format), + "snippets": reverse("snippet-list", request=request, format=format), + } + ) +``` Two things should be noticed here. First, we're using REST framework's `reverse` function in order to return fully-qualified URLs; second, URL patterns are identified by convenience names that we will declare later on in our `snippets/urls.py`. @@ -30,24 +34,31 @@ The other thing we need to consider when creating the code highlight view is tha Instead of using a concrete generic view, we'll use the base class for representing instances, and create our own `.get()` method. In your `snippets/views.py` add: - from rest_framework import renderers +```python +from rest_framework import renderers - class SnippetHighlight(generics.GenericAPIView): - queryset = Snippet.objects.all() - renderer_classes = [renderers.StaticHTMLRenderer] - def get(self, request, *args, **kwargs): - snippet = self.get_object() - return Response(snippet.highlighted) +class SnippetHighlight(generics.GenericAPIView): + queryset = Snippet.objects.all() + renderer_classes = [renderers.StaticHTMLRenderer] + + def get(self, request, *args, **kwargs): + snippet = self.get_object() + return Response(snippet.highlighted) +``` As usual we need to add the new views that we've created in to our URLconf. We'll add a url pattern for our new API root in `snippets/urls.py`: - path('', views.api_root), +```python +path("", views.api_root), +``` And then add a url pattern for the snippet highlights: - path('snippets//highlight/', views.SnippetHighlight.as_view()), +```python +path("snippets//highlight/", views.SnippetHighlight.as_view()), +``` ## Hyperlinking our API @@ -73,42 +84,52 @@ The `HyperlinkedModelSerializer` has the following differences from `ModelSerial We can easily re-write our existing serializers to use hyperlinking. In your `snippets/serializers.py` add: - class SnippetSerializer(serializers.HyperlinkedModelSerializer): - owner = serializers.ReadOnlyField(source='owner.username') - highlight = serializers.HyperlinkedIdentityField(view_name='snippet-highlight', format='html') +```python +class SnippetSerializer(serializers.HyperlinkedModelSerializer): + owner = serializers.ReadOnlyField(source="owner.username") + highlight = serializers.HyperlinkedIdentityField( + view_name="snippet-highlight", format="html" + ) - class Meta: - model = Snippet - fields = ['url', 'id', 'highlight', 'owner', - 'title', 'code', 'linenos', 'language', 'style'] + class Meta: + model = Snippet + fields = [ + "url", + "id", + "highlight", + "owner", + "title", + "code", + "linenos", + "language", + "style", + ] - class UserSerializer(serializers.HyperlinkedModelSerializer): - snippets = serializers.HyperlinkedRelatedField(many=True, view_name='snippet-detail', read_only=True) +class UserSerializer(serializers.HyperlinkedModelSerializer): + snippets = serializers.HyperlinkedRelatedField( + many=True, view_name="snippet-detail", read_only=True + ) - class Meta: - model = User - fields = ['url', 'id', 'username', 'snippets'] + class Meta: + model = User + fields = ["url", "id", "username", "snippets"] +``` Notice that we've also added a new `'highlight'` field. This field is of the same type as the `url` field, except that it points to the `'snippet-highlight'` url pattern, instead of the `'snippet-detail'` url pattern. Because we've included format suffixed URLs such as `'.json'`, we also need to indicate on the `highlight` field that any format suffixed hyperlinks it returns should use the `'.html'` suffix. ---- +!!! note + When you are manually instantiating these serializers inside your views (e.g., in `SnippetDetail` or `SnippetList`), you **must** pass `context={'request': request}` so the serializer knows how to build absolute URLs. For example, instead of: -**Note:** + serializer = SnippetSerializer(snippet) + + You must write: -When you are manually instantiating these serializers inside your views (e.g., in `SnippetDetail` or `SnippetList`), you **must** pass `context={'request': request}` so the serializer knows how to build absolute URLs. For example, instead of: - - serializer = SnippetSerializer(snippet) - -You must write: - - serializer = SnippetSerializer(snippet, context={'request': request}) - -If your view is a subclass of `GenericAPIView`, you may use the `get_serializer_context()` as a convenience method. - ---- + serializer = SnippetSerializer(snippet, context={"request": request}) + + If your view is a subclass of `GenericAPIView`, you may use the `get_serializer_context()` as a convenience method. ## Making sure our URL patterns are named @@ -121,29 +142,29 @@ If we're going to have a hyperlinked API, we need to make sure we name our URL p After adding all those names into our URLconf, our final `snippets/urls.py` file should look like this: - from django.urls import path - from rest_framework.urlpatterns import format_suffix_patterns - from snippets import views +```python +from django.urls import path +from rest_framework.urlpatterns import format_suffix_patterns +from snippets import views - # API endpoints - urlpatterns = format_suffix_patterns([ - path('', views.api_root), - path('snippets/', - views.SnippetList.as_view(), - name='snippet-list'), - path('snippets//', - views.SnippetDetail.as_view(), - name='snippet-detail'), - path('snippets//highlight/', +# API endpoints +urlpatterns = format_suffix_patterns( + [ + path("", views.api_root), + path("snippets/", views.SnippetList.as_view(), name="snippet-list"), + path( + "snippets//", views.SnippetDetail.as_view(), name="snippet-detail" + ), + path( + "snippets//highlight/", views.SnippetHighlight.as_view(), - name='snippet-highlight'), - path('users/', - views.UserList.as_view(), - name='user-list'), - path('users//', - views.UserDetail.as_view(), - name='user-detail') - ]) + name="snippet-highlight", + ), + path("users/", views.UserList.as_view(), name="user-list"), + path("users//", views.UserDetail.as_view(), name="user-detail"), + ] +) +``` ## Adding pagination @@ -151,10 +172,12 @@ The list views for users and code snippets could end up returning quite a lot of We can change the default list style to use pagination, by modifying our `tutorial/settings.py` file slightly. Add the following setting: - REST_FRAMEWORK = { - 'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination', - 'PAGE_SIZE': 10 - } +```python +REST_FRAMEWORK = { + "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.PageNumberPagination", + "PAGE_SIZE": 10, +} +``` Note that settings in REST framework are all namespaced into a single dictionary setting, named `REST_FRAMEWORK`, which helps keep them well separated from your other project settings. diff --git a/docs/tutorial/6-viewsets-and-routers.md b/docs/tutorial/6-viewsets-and-routers.md index 6fa2111e7..2c6760a54 100644 --- a/docs/tutorial/6-viewsets-and-routers.md +++ b/docs/tutorial/6-viewsets-and-routers.md @@ -12,45 +12,50 @@ Let's take our current set of views, and refactor them into view sets. First of all let's refactor our `UserList` and `UserDetail` classes into a single `UserViewSet` class. In the `snippets/views.py` file, we can remove the two view classes and replace them with a single ViewSet class: - from rest_framework import viewsets +```python +from rest_framework import viewsets - class UserViewSet(viewsets.ReadOnlyModelViewSet): - """ - This viewset automatically provides `list` and `retrieve` actions. - """ - queryset = User.objects.all() - serializer_class = UserSerializer +class UserViewSet(viewsets.ReadOnlyModelViewSet): + """ + This viewset automatically provides `list` and `retrieve` actions. + """ + + queryset = User.objects.all() + serializer_class = UserSerializer +``` Here we've used the `ReadOnlyModelViewSet` class to automatically provide the default 'read-only' operations. We're still setting the `queryset` and `serializer_class` attributes exactly as we did when we were using regular views, but we no longer need to provide the same information to two separate classes. Next we're going to replace the `SnippetList`, `SnippetDetail` and `SnippetHighlight` view classes. We can remove the three views, and again replace them with a single class. - from rest_framework import permissions - from rest_framework import renderers - from rest_framework.decorators import action - from rest_framework.response import Response +```python +from rest_framework import permissions +from rest_framework import renderers +from rest_framework.decorators import action +from rest_framework.response import Response - class SnippetViewSet(viewsets.ModelViewSet): - """ - This ViewSet automatically provides `list`, `create`, `retrieve`, - `update` and `destroy` actions. +class SnippetViewSet(viewsets.ModelViewSet): + """ + This ViewSet automatically provides `list`, `create`, `retrieve`, + `update` and `destroy` actions. - Additionally we also provide an extra `highlight` action. - """ - queryset = Snippet.objects.all() - serializer_class = SnippetSerializer - permission_classes = [permissions.IsAuthenticatedOrReadOnly, - IsOwnerOrReadOnly] + Additionally we also provide an extra `highlight` action. + """ - @action(detail=True, renderer_classes=[renderers.StaticHTMLRenderer]) - def highlight(self, request, *args, **kwargs): - snippet = self.get_object() - return Response(snippet.highlighted) + queryset = Snippet.objects.all() + serializer_class = SnippetSerializer + permission_classes = [permissions.IsAuthenticatedOrReadOnly, IsOwnerOrReadOnly] - def perform_create(self, serializer): - serializer.save(owner=self.request.user) + @action(detail=True, renderer_classes=[renderers.StaticHTMLRenderer]) + def highlight(self, request, *args, **kwargs): + snippet = self.get_object() + return Response(snippet.highlighted) + + def perform_create(self, serializer): + serializer.save(owner=self.request.user) +``` This time we've used the `ModelViewSet` class in order to get the complete set of default read and write operations. @@ -67,42 +72,40 @@ To see what's going on under the hood let's first explicitly create a set of vie In the `snippets/urls.py` file we bind our `ViewSet` classes into a set of concrete views. - from rest_framework import renderers +```python +from rest_framework import renderers - from snippets.views import api_root, SnippetViewSet, UserViewSet +from snippets.views import api_root, SnippetViewSet, UserViewSet - snippet_list = SnippetViewSet.as_view({ - 'get': 'list', - 'post': 'create' - }) - snippet_detail = SnippetViewSet.as_view({ - 'get': 'retrieve', - 'put': 'update', - 'patch': 'partial_update', - 'delete': 'destroy' - }) - snippet_highlight = SnippetViewSet.as_view({ - 'get': 'highlight' - }, renderer_classes=[renderers.StaticHTMLRenderer]) - user_list = UserViewSet.as_view({ - 'get': 'list' - }) - user_detail = UserViewSet.as_view({ - 'get': 'retrieve' - }) +snippet_list = SnippetViewSet.as_view({"get": "list", "post": "create"}) +snippet_detail = SnippetViewSet.as_view( + {"get": "retrieve", "put": "update", "patch": "partial_update", "delete": "destroy"} +) +snippet_highlight = SnippetViewSet.as_view( + {"get": "highlight"}, renderer_classes=[renderers.StaticHTMLRenderer] +) +user_list = UserViewSet.as_view({"get": "list"}) +user_detail = UserViewSet.as_view({"get": "retrieve"}) +``` Notice how we're creating multiple views from each `ViewSet` class, by binding the HTTP methods to the required action for each view. Now that we've bound our resources into concrete views, we can register the views with the URL conf as usual. - urlpatterns = format_suffix_patterns([ - path('', api_root), - path('snippets/', snippet_list, name='snippet-list'), - path('snippets//', snippet_detail, name='snippet-detail'), - path('snippets//highlight/', snippet_highlight, name='snippet-highlight'), - path('users/', user_list, name='user-list'), - path('users//', user_detail, name='user-detail') - ]) +```python +urlpatterns = format_suffix_patterns( + [ + path("", api_root), + path("snippets/", snippet_list, name="snippet-list"), + path("snippets//", snippet_detail, name="snippet-detail"), + path( + "snippets//highlight/", snippet_highlight, name="snippet-highlight" + ), + path("users/", user_list, name="user-list"), + path("users//", user_detail, name="user-detail"), + ] +) +``` ## Using Routers @@ -110,20 +113,22 @@ Because we're using `ViewSet` classes rather than `View` classes, we actually do Here's our re-wired `snippets/urls.py` file. - from django.urls import path, include - from rest_framework.routers import DefaultRouter +```python +from django.urls import path, include +from rest_framework.routers import DefaultRouter - from snippets import views +from snippets import views - # Create a router and register our ViewSets with it. - router = DefaultRouter() - router.register(r'snippets', views.SnippetViewSet, basename='snippet') - router.register(r'users', views.UserViewSet, basename='user') +# Create a router and register our ViewSets with it. +router = DefaultRouter() +router.register(r"snippets", views.SnippetViewSet, basename="snippet") +router.register(r"users", views.UserViewSet, basename="user") - # The API URLs are now determined automatically by the router. - urlpatterns = [ - path('', include(router.urls)), - ] +# The API URLs are now determined automatically by the router. +urlpatterns = [ + path("", include(router.urls)), +] +``` Registering the ViewSets with the router is similar to providing a urlpattern. We include two arguments - the URL prefix for the views, and the view set itself. diff --git a/docs/tutorial/quickstart.md b/docs/tutorial/quickstart.md index a140dbce0..f0f6e6c4b 100644 --- a/docs/tutorial/quickstart.md +++ b/docs/tutorial/quickstart.md @@ -6,57 +6,65 @@ We're going to create a simple API to allow admin users to view and edit the use Create a new Django project named `tutorial`, then start a new app called `quickstart`. - # Create the project directory - mkdir tutorial - cd tutorial +```bash +# Create the project directory +mkdir tutorial +cd tutorial - # Create a virtual environment to isolate our package dependencies locally - python3 -m venv env - source env/bin/activate # On Windows use `env\Scripts\activate` +# Create a virtual environment to isolate our package dependencies locally +python3 -m venv env +source env/bin/activate # On Windows use `env\Scripts\activate` - # Install Django and Django REST framework into the virtual environment - pip install djangorestframework +# Install Django and Django REST framework into the virtual environment +pip install djangorestframework - # Set up a new project with a single application - django-admin startproject tutorial . # Note the trailing '.' character - cd tutorial - django-admin startapp quickstart - cd .. +# Set up a new project with a single application +django-admin startproject tutorial . # Note the trailing '.' character +cd tutorial +django-admin startapp quickstart +cd .. +``` The project layout should look like: - $ pwd - /tutorial - $ find . - . - ./tutorial - ./tutorial/asgi.py - ./tutorial/__init__.py - ./tutorial/quickstart - ./tutorial/quickstart/migrations - ./tutorial/quickstart/migrations/__init__.py - ./tutorial/quickstart/models.py - ./tutorial/quickstart/__init__.py - ./tutorial/quickstart/apps.py - ./tutorial/quickstart/admin.py - ./tutorial/quickstart/tests.py - ./tutorial/quickstart/views.py - ./tutorial/settings.py - ./tutorial/urls.py - ./tutorial/wsgi.py - ./env - ./env/... - ./manage.py +```bash +$ pwd +/tutorial +$ find . +. +./tutorial +./tutorial/asgi.py +./tutorial/__init__.py +./tutorial/quickstart +./tutorial/quickstart/migrations +./tutorial/quickstart/migrations/__init__.py +./tutorial/quickstart/models.py +./tutorial/quickstart/__init__.py +./tutorial/quickstart/apps.py +./tutorial/quickstart/admin.py +./tutorial/quickstart/tests.py +./tutorial/quickstart/views.py +./tutorial/settings.py +./tutorial/urls.py +./tutorial/wsgi.py +./env +./env/... +./manage.py +``` It may look unusual that the application has been created within the project directory. Using the project's namespace avoids name clashes with external modules (a topic that goes outside the scope of the quickstart). Now sync your database for the first time: - python manage.py migrate +```bash +python manage.py migrate +``` We'll also create an initial user named `admin` with a password. We'll authenticate as that user later in our example. - python manage.py createsuperuser --username admin --email admin@example.com +```bash +python manage.py createsuperuser --username admin --email admin@example.com +``` Once you've set up a database and the initial user is created and ready to go, open up the app's directory and we'll get coding... @@ -64,20 +72,22 @@ Once you've set up a database and the initial user is created and ready to go, o First up we're going to define some serializers. Let's create a new module named `tutorial/quickstart/serializers.py` that we'll use for our data representations. - from django.contrib.auth.models import Group, User - from rest_framework import serializers +```python +from django.contrib.auth.models import Group, User +from rest_framework import serializers - class UserSerializer(serializers.HyperlinkedModelSerializer): - class Meta: - model = User - fields = ['url', 'username', 'email', 'groups'] +class UserSerializer(serializers.HyperlinkedModelSerializer): + class Meta: + model = User + fields = ["url", "username", "email", "groups"] - class GroupSerializer(serializers.HyperlinkedModelSerializer): - class Meta: - model = Group - fields = ['url', 'name'] +class GroupSerializer(serializers.HyperlinkedModelSerializer): + class Meta: + model = Group + fields = ["url", "name"] +``` Notice that we're using hyperlinked relations in this case with `HyperlinkedModelSerializer`. You can also use primary key and various other relationships, but hyperlinking is good RESTful design. @@ -85,28 +95,32 @@ Notice that we're using hyperlinked relations in this case with `HyperlinkedMode Right, we'd better write some views then. Open `tutorial/quickstart/views.py` and get typing. - from django.contrib.auth.models import Group, User - from rest_framework import permissions, viewsets +```python +from django.contrib.auth.models import Group, User +from rest_framework import permissions, viewsets - from tutorial.quickstart.serializers import GroupSerializer, UserSerializer +from tutorial.quickstart.serializers import GroupSerializer, UserSerializer - class UserViewSet(viewsets.ModelViewSet): - """ - API endpoint that allows users to be viewed or edited. - """ - queryset = User.objects.all().order_by('-date_joined') - serializer_class = UserSerializer - permission_classes = [permissions.IsAuthenticated] +class UserViewSet(viewsets.ModelViewSet): + """ + API endpoint that allows users to be viewed or edited. + """ + + queryset = User.objects.all().order_by("-date_joined") + serializer_class = UserSerializer + permission_classes = [permissions.IsAuthenticated] - class GroupViewSet(viewsets.ModelViewSet): - """ - API endpoint that allows groups to be viewed or edited. - """ - queryset = Group.objects.all().order_by('name') - serializer_class = GroupSerializer - permission_classes = [permissions.IsAuthenticated] +class GroupViewSet(viewsets.ModelViewSet): + """ + API endpoint that allows groups to be viewed or edited. + """ + + queryset = Group.objects.all().order_by("name") + serializer_class = GroupSerializer + permission_classes = [permissions.IsAuthenticated] +``` Rather than write multiple views we're grouping together all the common behavior into classes called `ViewSets`. @@ -116,21 +130,23 @@ We can easily break these down into individual views if we need to, but using vi Okay, now let's wire up the API URLs. On to `tutorial/urls.py`... - from django.urls import include, path - from rest_framework import routers +```python +from django.urls import include, path +from rest_framework import routers - from tutorial.quickstart import views +from tutorial.quickstart import views - router = routers.DefaultRouter() - router.register(r'users', views.UserViewSet) - router.register(r'groups', views.GroupViewSet) +router = routers.DefaultRouter() +router.register(r"users", views.UserViewSet) +router.register(r"groups", views.GroupViewSet) - # Wire up our API using automatic URL routing. - # Additionally, we include login URLs for the browsable API. - urlpatterns = [ - path('', include(router.urls)), - path('api-auth/', include('rest_framework.urls', namespace='rest_framework')) - ] +# Wire up our API using automatic URL routing. +# Additionally, we include login URLs for the browsable API. +urlpatterns = [ + path("", include(router.urls)), + path("api-auth/", include("rest_framework.urls", namespace="rest_framework")), +] +``` Because we're using viewsets instead of views, we can automatically generate the URL conf for our API, by simply registering the viewsets with a router class. @@ -139,21 +155,26 @@ Again, if we need more control over the API URLs we can simply drop down to usin Finally, we're including default login and logout views for use with the browsable API. That's optional, but useful if your API requires authentication and you want to use the browsable API. ## Pagination + Pagination allows you to control how many objects per page are returned. To enable it add the following lines to `tutorial/settings.py` - REST_FRAMEWORK = { - 'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination', - 'PAGE_SIZE': 10 - } +```python +REST_FRAMEWORK = { + "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.PageNumberPagination", + "PAGE_SIZE": 10, +} +``` ## Settings Add `'rest_framework'` to `INSTALLED_APPS`. The settings module will be in `tutorial/settings.py` - INSTALLED_APPS = [ - ... - 'rest_framework', - ] +```text +INSTALLED_APPS = [ + ... + 'rest_framework', +] +``` Okay, we're done. @@ -163,46 +184,51 @@ Okay, we're done. We're now ready to test the API we've built. Let's fire up the server from the command line. - python manage.py runserver +```bash +python manage.py runserver +``` We can now access our API, both from the command-line, using tools like `curl`... - bash: curl -u admin -H 'Accept: application/json; indent=4' http://127.0.0.1:8000/users/ - Enter host password for user 'admin': - { - "count": 1, - "next": null, - "previous": null, - "results": [ - { - "url": "http://127.0.0.1:8000/users/1/", - "username": "admin", - "email": "admin@example.com", - "groups": [] - } - ] - } +```bash +bash: curl -u admin -H 'Accept: application/json; indent=4' http://127.0.0.1:8000/users/ +Enter host password for user 'admin': +{ + "count": 1, + "next": null, + "previous": null, + "results": [ + { + "url": "http://127.0.0.1:8000/users/1/", + "username": "admin", + "email": "admin@example.com", + "groups": [] + } + ] +} +``` Or using the [httpie][httpie], command line tool... - bash: http -a admin http://127.0.0.1:8000/users/ - http: password for admin@127.0.0.1:8000:: - $HTTP/1.1 200 OK - ... - { - "count": 1, - "next": null, - "previous": null, - "results": [ - { - "email": "admin@example.com", - "groups": [], - "url": "http://127.0.0.1:8000/users/1/", - "username": "admin" - } - ] - } - +```bash +bash: http -a admin http://127.0.0.1:8000/users/ +http: password for admin@127.0.0.1:8000:: +$HTTP/1.1 200 OK +... +{ + "count": 1, + "next": null, + "previous": null, + "results": [ + { + "email": "admin@example.com", + "groups": [], + "url": "http://127.0.0.1:8000/users/1/", + "username": "admin" + } + ] +} +``` Or directly through the browser, by going to the URL `http://127.0.0.1:8000/users/`... diff --git a/docs_theme/css/copy-button.css b/docs_theme/css/copy-button.css new file mode 100644 index 000000000..589ec9597 --- /dev/null +++ b/docs_theme/css/copy-button.css @@ -0,0 +1,30 @@ +.copy-block-button { + position: absolute; + top: 6px; + right: 6px; + z-index: 10; + white-space: nowrap; /* Prevent text wrap */ +} + +/* Ensure the PRE container provides positioning context */ +pre { + position: relative; + padding-top: 35px; /* Room for the button */ + overflow-x: auto; /* Allow horizontal scrolling */ +} + +/* Code block scrollable */ +pre code { + display: block; + overflow-x: auto; +} + +/* + The MkDocs/DRF theme injects a inside buttons and applies + a text color that overrides btn-inverse defaults. + This override is intentionally scoped and limited to color only. +*/ +.copy-block-button, +.copy-block-button span { + color: #ffffff !important; +} diff --git a/docs_theme/css/default.css b/docs_theme/css/default.css index dfde26293..4552864e1 100644 --- a/docs_theme/css/default.css +++ b/docs_theme/css/default.css @@ -452,4 +452,22 @@ ul.sponsor { margin: 0 -.6rem 1em; padding: 0.4rem 0.6rem; } +.admonition.tip { + border: .075rem solid #1e8d21; +} +.admonition.tip .admonition-title { + background: #1e8d211a; +} +.admonition.warning { + border: .075rem solid #ff9844; +} +.admonition.warning .admonition-title { + background: #ff98441a; +} +.admonition.danger { + border: .075rem solid #f63a3a; +} +.admonition.danger .admonition-title { + background: #f63a3a1a; +} diff --git a/docs_theme/js/copy-button.js b/docs_theme/js/copy-button.js new file mode 100644 index 000000000..979c8a962 --- /dev/null +++ b/docs_theme/js/copy-button.js @@ -0,0 +1,24 @@ +document.addEventListener("DOMContentLoaded", function () { + document.querySelectorAll("pre > code").forEach(function (codeBlock) { + const button = document.createElement("button"); + button.className = "copy-block-button btn btn-inverse btn-mini"; + button.type = "button"; + button.textContent = "Copy"; + + button.addEventListener("click", function () { + navigator.clipboard.writeText(codeBlock.textContent) + .then(() => { + button.textContent = "Copied!"; + setTimeout(() => button.textContent = "Copy", 1200); + }) + .catch(() => { + button.textContent = "Failed"; + setTimeout(() => button.textContent = "Copy", 1200); + }); + }); + + const pre = codeBlock.parentNode; + pre.style.position = "relative"; + pre.appendChild(button); + }); +}); diff --git a/docs_theme/main.html b/docs_theme/main.html index e37309595..a584f9539 100644 --- a/docs_theme/main.html +++ b/docs_theme/main.html @@ -16,6 +16,9 @@ + {% for path in config.extra_css %} + + {% endfor %}