BasicAuthentication and TokenAuthentication have two failure cases when
they are passed technically valid credentials by an API client:

- the passed credentials are not correct
- the credentials are correct but the user is inactive

In both cases, only a human-readable 'detail' is returned in the 401
body, which is translated according to the site settings:

```http
HTTP/1.1 401 Unauthorized
<headers snipped>
{
    "detail": "Ungültiges Token"
}
```

The free-form text and its translation make it impossible for an API
consumer to determine the actual reason (inactive user, out of luck; or
wrong credentials, try again).

This PR adds a machine-readable 'status' field to the response, which
can take one of two values:

1. `invalid-credentials` - returned when the passed username, password
   or token were incorrect.
2. `inactive-user` - returned when the credentials were valid but the
   user account is disabled.

Example:

```http
HTTP/1.1 401 Unauthorized
<headers snipped>
{
    "detail": "Ungültiges Token",
    "status": "invalid-token"
}
```

As this only adds a machine-readable field for the already exposed
human-readable 'detail' field, there are no new security implications.
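The client-side consequence of the change above, as an added example that is not part of the PR or of Django REST framework itself: a consumer branches on the machine-readable `status` field and never on the localized `detail` text, and treats a missing or unrecognised `status` (an older server, or a value outside the two documented ones) as "unknown" rather than guessing. The sample bodies, the `AuthFailure` enum and the `classify_401` / `next_action` helpers are all constructed for this illustration.

```python
import json
from enum import Enum


class AuthFailure(Enum):
    """Machine-readable reasons a 401 can carry, plus a safe fallback."""
    INVALID_CREDENTIALS = "invalid-credentials"
    INACTIVE_USER = "inactive-user"
    UNKNOWN = "unknown"


# Constructed sample 401 bodies (not captured from a real server). The
# 'detail' text differs per site language; only 'status' is stable.
SAMPLE_BODIES = {
    "german_bad_token": b'{"detail": "Ung\\u00fcltiges Token", "status": "invalid-credentials"}',
    "english_bad_token": b'{"detail": "Invalid token.", "status": "invalid-credentials"}',
    "inactive": b'{"detail": "User inactive or deleted.", "status": "inactive-user"}',
    "old_server": b'{"detail": "Invalid token."}',
    "undocumented_status": b'{"detail": "Ung\\u00fcltiges Token", "status": "invalid-token"}',
    "not_json": b"<html>401</html>",
}


def classify_401(body: bytes) -> AuthFailure:
    """Map a 401 response body to an AuthFailure.

    The 'detail' field is free text translated per site settings, so it
    is deliberately ignored. Anything that is not a JSON object with a
    documented 'status' value is reported as UNKNOWN so the caller does
    not act on a guess.
    """
    try:
        payload = json.loads(body)
    except ValueError:
        return AuthFailure.UNKNOWN
    if not isinstance(payload, dict):
        return AuthFailure.UNKNOWN
    status = payload.get("status")
    try:
        return AuthFailure(status)
    except ValueError:
        return AuthFailure.UNKNOWN


def next_action(failure: AuthFailure) -> str:
    """What a well-behaved client should do for each failure class."""
    if failure is AuthFailure.INVALID_CREDENTIALS:
        # Wrong username/password/token: ask the user for fresh credentials.
        return "reprompt-credentials"
    if failure is AuthFailure.INACTIVE_USER:
        # Retrying cannot help; the account must be re-enabled server-side.
        return "stop-and-report-inactive"
    # Older server or unexpected payload: surface the raw response instead
    # of trying to parse the localized 'detail' text.
    return "surface-raw-response"


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        failure = classify_401(body)
        print(f"{name:20} -> {failure.value:20} -> {next_action(failure)}")
```

Both the German and the English body classify identically because only `status` is inspected; the body without a `status` field and the one carrying an undocumented value both fall through to `surface-raw-response`, which is the conservative choice when the server has not said which of the two cases applies.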
* Add retain test data on follow=True
* Simplify TestAPITestClient.test_follow_redirect
Inspired by Django's ClientTest.test_follow_307_and_308_redirect
* Add 307 308 follow redirect test
Hi there,

The code block below should imply `Python`, as it lives in `settings.py`:

```python
INSTALLED_APPS = [
    ...
    'rest_framework',
]
```

This pull request essentially fixes that.
* Fixed missing "fields" meta argument in docs, leading to an assertion error
* Update docs/api-guide/serializers.md
Co-authored-by: Tom Christie <tom@tomchristie.com>
Co-authored-by: Tom Christie <tom@tomchristie.com>
* Tutorial - Adjust quickstart
Add asgi.py file
Also add paragraph for the second user, which is later displayed
* Tutorial - Adjust quickstart
It seems that there is no CLI command to easily create a user
Remove the second user from the Markdown
Image next
* Tutorial - quickstart - Update browsable API image
Only show the admin user
New Image has similar width and is compressed
I might just be misunderstanding something (always a strong possibility!), but it seems to me that the table on the Permissions page is slightly inaccurate.
For `permission_classes`, wouldn't it have global-level permissions for list actions (rather than no permission control, as is currently listed)?