* Add test that verifies that HTML is correctly escaped in Browsable API views
* Fix `urlize_quoted_links` tag to avoid double escaping in autoescape mode
* Fix XSS in default DRF Browsable API template by re-enabling autoescape
* Fix issue1811: take limit_choices_to into account with FK
* Issue 1811: Add tests to illustrate issue
* Filter queryset only if limit_choices_to exists
* Move test_relations_with_limited_querysets file within test_relations_pk
* move limit_choices_to logic from relations.py to utils/field_mapping.py
* move limit_choices_to above other check to avoid conflicts
* compat: (py2) urlparse = urllib.parse (py3)
We were mistakenly importing the 'urlparse' function from the Python 2
'urlparse' module, as opposed to the module itself. Correct this.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Closes: #6261
* compat: Remove 'compat.urlparse'
We can just use Django's vendored six library, like we do everywhere
else.
Signed-off-by: Stephen Finucane <stephen@that.guru>
In some cases we end with an operation between two `OperandHolder`.
This didn't work as it didn't knew how to deal with | or &
This fixes by adding those operations.
* Fix typo in generators.py
* Fix typo in inspectors.py
* message line too long
* Change backslash to multiline strings
* Removed trailing whitespace from assertion message
`x and y` actually returns object y when both are true. the means P & IsAuthenticated will fail with TypeError: unsupported operand type(s) for &: 'instance' and 'bool' as IsAuthenticated now returns a CallableBool which does not overload __ror__
* Release notes to 5174a26ec9
* Update version for v3.9.0
* Removed exclude_from_schema per deprecation policy.
* Updated list_route() and detail_route() deprecations.
* Weakened to PendingDeprecationWarning for `base_name`
cc @rpkilby.
* Add (beginning of) 3.9 release announcement.
@tomchristie: Input on OpenAPI and What’s Next very welcome! :)
* Add announcement section for Extra Actions in Browsable API
* Update release notes and add deprecation note for Django Guardian backend.
* Add release note for #6073
* Add release notes to dd19a44583
* Adding release notes
* Update 3.9 announcement
* Add Oct 18 release date
* added ability to add sections to custom action documentation
* added tests to cover docs sections in custom actions
* added method specific docs test for action mapping
* added docs for custom action documentation
* permissions: Allow permissions to be composed
Implement a system to compose permissions with and / or.
This is performed by returning an `OperationHolder` instance that keeps the
permission classes and type of composition (and / or).
When called it will return a AND/OR instance that will then delegate the
permission check to the operands.
* permissions: Add documentation about composed permissions
* Fix documentation typo in permissions
* Add OpenAPIRenderer and generate_schema command
* Add both OpenAPIRenderer and JSONOpenAPIRenderer
* Add flags to generate_schema command
* Fix syntax error
* Pull coreschema references into method, so they are only used if 'OpenAPIRenderer' is in use.
* generate_schema -> generateschema, and fix to OpenAPIRenderer
* Ensure that renderers generate bytes and generateschema outputs text
* Drop unused import
* Add suffix support for actions
Removes the newly introduced `action.name` in favor of leveraging the
View's `.get_view_name()` method, which supports both name and suffix.
* Fix view description func docstrings
* Test action decorator name & suffix kwargs
* Adjust 'extra action' docs
The type bytes is available on all supported Pythons. On Python 2.7, it
is an alias for str, same as six.binary_type. Makes the code more
forward compatible with Python 3.
On all supported Pythons, the io.BytesIO is always a stream
implementation using an in-memory bytes buffer.
Makes code slightly more forward compatible by reducing use of the six
module and promotes more forward compatible practices in the docs.
* Make admin detail link have small width
* Disable admin detail link when no URL
* Add 'AdminRenderer.get_result_url'
Attempts to reverse the result's detail view URL.
* Add failing test for extra action schemas
* Add ViewInspector setter to store instances
* Fix schema disabling for extra actions
* Add docs note about disabling schemas for actions
* View suffix already set by initializer
* Add 'name' and 'description' attributes to ViewSet
ViewSets may now provide their `name` and `description` attributes
directly, instead of relying on view introspection to derive them.
These attributes may also be provided with the view's initkwargs.
The ViewSet `name` and `suffix` initkwargs are mutually exclusive.
The `action` decorator now provides the `name` and `description` to
the view's initkwargs. By default, these values are derived from the
method name and its docstring. The `name` may be overridden by providing
it as an argument to the decorator.
The `get_view_name` and `get_view_description` hooks now provide the
view instance to the handler, instead of the view class. The default
implementations of these handlers now respect the `name`/`description`.
* Add 'extra actions' to ViewSet & browsable APIs
* Update simple router tests
Removed old test logic around link/action decorators from `v2.3`. Also
simplified the test by making the results explicit instead of computed.
* Add method mapping to ViewSet actions
* Document extra action method mapping
* Revert "Non-required fields with 'allow_null=True' should not imply a default value (#5639)"
This reverts commit 905a5579df.
Closes#5708
* Add test for allow_null + required=False
Ref #5708: allow_null should imply default=None, even for non-required fields.
* Re-order allow_null and default in field docs
default is prior to allow_null. allow_null implies an outgoing default=None.
* Adjust allow_null note.
* Always exclude read_only fields from _writable_fields
* Remove `read_only` from `CreateOnlyDefault` example.
In this context (without mentioning `save`) now slightly misleading.
DictFields were incorrectly being output as String in the schema.
This pull request outputs an Object instead and adds a unit test.
Update s/detail_route/action/ after rebase
By default all subclasses of RelatedField are output as string fields in
the schema, which works well for StringRelatedField, SlugRelatedField or
HyperlinkedRelatedField.
Handle the common case of a PrimaryKeyRelatedField pointing to an
AutoField.
This adds `__eq__` to handle `code` in comparisons.
When comparing an ErrorDetail to a string (missing `code` there) the
ErrorDetail's `code` is ignored, but otherwise it is taken into account.
Calling dict.keys() is unnecessary. The two are functionally equivalent
on modern Pythons.
Inspired by Lennart Regebro's talk "Prehistoric Patterns in Python" from
PyCon 2017.
https://www.youtube.com/watch?v=V5-JH23Vk0I
* Update version for 3.7.4 Release
* Add release notes to 01587b9eb1
* Django 2.0 is now final.
* Add trove classifer for Django 2.0
* Finalise release notes for v3.7.4
* Set release date: December 20, 2017
* Update Transifex
* Add release note for #5691
* Move Issue links to bottom
* Add failing test for #5672
* Add get_original_route to complement get_regex_pattern
* [WIP] Fix path handling
* needs more tests
* maybe needs some refactoring
* Add django 2 variant for all tests and fix trailing slash bug
* Add more combinations to mixed path test
* Extract method for `manual_fields` processing
Allows reuse of logic to replace Field instances in a field list by `Field.name`.
Adds a utility function for the logic plus a wrapper method on `AutoSchema`.
Closes#5632
* Manual fields suggestions (#2)
* Use OrderedDict in inspectors
* Move empty check to 'update_fields()'
* Make 'update_fields()' an AutoSchema staticmethod
* Add 'AutoSchema.get_manual_fields()'
* Conform '.get_manual_fields()' to other methods
* Add test for update_fields
* Make sure `manual_fields` is a list.
(As documented to be)
* Add docs for new AutoSchema methods.
* `get_manual_fields`
* `update_fields`
* Add release notes for PR.
* Update assertion style in user logout test
* Apply middlewares to django request object
* Fix test for request auth hiding AttributeErrors
* Re-raise/wrap auth attribute errors
* Fix test for py2k
* Add docs for WrappedAttributeError
* SchemaJSRenderer renders invalid Javascript
Under Py3 the base64.b64encode() method returns a binary object, which gets rendered as `b'...'` in schema.js. This results in the output becoming:
var coreJSON = window.atob('b'eyJf...'');
which is invalid Javascript. Because base64 only uses ASCII characters it is safe to decode('ascii') it. Under Py2 this will result in a unicode object, which is fine. Under Py3 it results in a string, which is also fine. This solves the problem and results in a working schema.js output.
* Add regression test for #5608
* Add regression test for #5608
* Apparently the linter on Travis wants the imports in a different order than on my box...
* Remove trailing whitespace from lines
* Remove trailing nad leading whitespace from files
Allows for cleaner diffs in future changes. For editors that
automatically clean up whitespace on save, will avoid unrelated line
changes in diffs.
The urlparse shim in compat.py duplicates Django's bundled six. Can rely
on upstream instead of duplicating their works. Unifies shim with other
files already using six.
Fixed some regressions where compat was imported during app loading and
led to importing django.contrib.auth.models which ended in a
`AppRegistryNotReady` exception.
Set literals are available on all supported Python versions. They are
idiomatic and always faster:
$ python3 -m timeit '{}'
10000000 loops, best of 3: 0.0357 usec per loop
$ python3 -m timeit 'dict()'
10000000 loops, best of 3: 0.104 usec per loop
$ python3 -m timeit '{1, 2, 3}'
10000000 loops, best of 3: 0.0754 usec per loop
$ python3 -m timeit 'set([1, 2, 3])'
1000000 loops, best of 3: 0.228 usec per loop
Running the tests with bytes warning enabled shows some bytes/str
mixups. Fix them all.
Some examples of mixing usage:
str(b'foo') -- calling str() on bytes
b'foo' == 'foo' -- compare str with bytes
'foo' + b'bar' -- concatenating str and bytes
* Adding rounding parameter to DecimalField.
* Using standard `assert` instead of `self.fail()`.
* add testcase and PEP8 multilines fix
* flake8 fixes
* Use decimal module constants in tests.
* Add docs note for `rounding` parameter.
Closes#5528.
Viewset custom actions (@detail_route etc) OPTIONS (and HEAD) methods were not being excluded from Schema Generations.
This PR adds a test reproducing the reported error and adjusts `EndpointEnumerator.get_allowed_methods()` to filter ViewSet actions in the same way as other `APIView`s
* substitute '@@' code block delimiter with triple back-tick, more consistent with other markdown extensions
* remove development print and allow spaces between triple backtick and syntax name in codeblock
* update comparison content for markdown test
* Fixed issues with schema name collisions
* Fixed mutating issues in python 3
* Optimized solution
* Fixed isort
* Removed not needed cast
* Fix for key collision
* Added preferred key to preserve if available
* Add accidently removed test
* Update remaing `include` calls
Missed as part of #5481 cleanup.
* Provide app_name in include_docs_urls
* Update remaining get_regex_pattern usages
* Allow functools.partial in is_simple_callable check
* Set version number for 3.7.0 release
* Rename release notes section
Moved issue links to top for easier access.
(Can move back later)
* Add release note for #5273
* Add release note for #5440
* Add release note for #5265
Strict JSON handling
* Add release note for #5250
* Add release notes for #5170
* Add release notes for #5443
* Add release notes for #5448
* Add release notes for #5452
* Add release not for #5342
* Add release notes for 5454
* Add release notes for #5058 & #5457
Remove Django 1.8 & 1.9 from README and setup.py
* Release notes for merged 3.6.5 milestone tickets
Tickets migrated to 3.7.0 milestone.
* Add release notes for #5469
* Add release notes from AM 2ndOct
* Add final changes to the release notes.
* Add date and milestone link
Move issue links back to bottom.
* Update translations from transifex
* Begin releae anouncement
* Add release note for #5482
* 3.7 release announcement & related docs.
* Identify code that needs to be pulled out of/removed from compat.py
* Extract modern code from get_names_and_managers in compat.py and remove compat code
* Extract modern code from is_authenticated() in compat.py and remove.
* Extract modern code from is_anonymous() in compat.py and remove
* Extract modern code from get_related_model() from compat.py and remove
* Extract modern code from value_from_object() in compat.py and remove
* Update postgres compat
JSONField now always available.
* Remove DecimalValidator compat
* Remove get_remote_field compat
* Remove template_render compat
Plus isort.
* Remove set_many compat
* Remove include compat
As of Django 1.11 the `authenticate` function accepts a request as an
additional argument. This commit fixes compatibility between newer Django
versions and custom authentication backends which already depend on the request
object.
See also:
[Django 1.11 release](https://docs.djangoproject.com/en/1.11/releases/1.11/)
```
authenticate() now passes a request argument to the authenticate() method of
authentication backends. Support for methods that don’t accept request as the
first positional argument will be removed in Django 2.1.
```
Pull up method from subclass to superclass
The call was added in 426547c61c
to allow for dict-style arguments to ValidationError but does not
apply to other APIException descendants.
* add 'docstrings-with-pygments' feature without packages checks and tests
* move syntax_highlight doc filter in compatibility module and define it conditionally
* typo fixed
* add test for optional code highlight ('pygments' and 'markdown' packages must be installed)
Closes#5237
Generics/ModelViewset performs filtering on: list, retrieve, put, patch and destroy (plus method equivalents).
i.e. on list plus anything that calls `get_object`.
This PR makes schema generation follow that.
It adds `AutoSchema._allows_filters()` which can be overridden in subclasses.
I’ve made this initially “private” so we can make quick changes if needs be in a 3.7.1 etc.
The documentation generator calls view.get_serializer() in order to
inspect it for documentation generation. However, if get_serializer()
throws an APIException (e.g. PermissionDenied), it doesn't get caught at
the call site, but instead propagates up and aborts the entire view.
With the try/except in this commit, the documentation generator instead
gratiously ignores that particular view and moves on to the next one
instead. Practical concequences of this commit is that the docs no
longer break if any view's get_serializer(..) throws an APIException.
* Changes to the paginator defaults and settings
Require a default paginator be specified when using the page size
setting.
https://github.com/encode/django-rest-framework/issues/5168
* DRF-5168 import warnings
missed this in last commit
* Add a system checks file
Add a check for pagination settings for the 3.7 upgrade cycle.
* more compatible import approach
* missing bactic
* revised language and approach to import the system check
Adds a rest framework app config.
* Adjust doc wording
## Description
The `choices` field for the `ChoiceField` class should be able to be edited after `ChoiceField.__init__` is called.
```
field = ChoiceField(choices=[1,2])
field.choices = [1] # Should no longer allow `2` as a choice
```
Currently, you must update `choices`, `grouped_choices`, and `choice_strings_to_values` to achieve this. This P/R keeps `grouped_choices` and `choice_strings_to_values` in sync whenever the `choices` are edited.
* Add tests for schema exclusions
* Move exclusion check to should_include_endpoint
* Update docs
* Switch to using `schema = None`
* Test PendingDeprecationWarnings
* Add note to release notes.
* s/deprecated/pending deprecation/
* Add PR link to release notes
* Correct typo in test class name
* Test 'exclude_from_schema' deprecation warning message (#1)
* Correct deprecation warning message
* Initial Refactor Step
* Add descriptor class
* call from generator
* proxy back to generator for implementation.
* Move `get_link` to descriptor
* Move `get_description` to descriptor
* Remove need for generator in get_description
* Move get_path_fields to descriptor
* Move `get_serializer_fields` to descriptor
* Move `get_pagination_fields` to descriptor
* Move `get_filter_fields` to descriptor
* Move `get_encoding` to descriptor.
* Pass just `url` from SchemaGenerator to descriptor
* Make `view` a property
Encapsulates check for a view instance.
* Adjust API Reference docs
* Add `ManualSchema` class
* Refactor to `ViewInspector` plus `AutoSchema`
The interface then is **just** `get_link()`
* Add `manual_fields` kwarg to AutoSchema
* Add schema decorator for FBVs
* Adjust comments
* Docs: Provide full params in example
Ref feedback b52e372f8f (r137254795)
* Add docstring for ViewInstpector.__get__ descriptor method.
Ref https://github.com/encode/django-rest-framework/pull/5354#discussion_r137265022
* Make `schemas` a package.
* Split generators, inspectors, views.
* Adjust imports
* Rename to EndpointEnumerator
* Adjust ManualSchema to take `fields`
… and `description`.
Allows `url` and `action` to remain dynamic
* Add package/module docstrings
Sometimes, probably in the upgrade from Django 1.9 to 1.10, a post with
empty content is forbidden by javascript, with the message "Please fill
in this field". Filling the form with '{}' allows an application/json
request to be submitted.
The API call itself works perfectly well with a post with empty content:
the interface shouldn't make assumptions about it.
* Add regression test for #2505. Thanks @pySilver!
* Add regression test for #5087
* Revert "Cached the field's root and context property."
This reverts commit 792005806b.
I sometimes have parameter names with a period (.) in them, to represent nested objects, e.g. containerobj.inner_param. The Javascript was throwing an error in the browsable API when interacting with those parameters.