Updated funding page to represent current scope. (#9686)

* add drf-restwind

* Add images of 3rd party customization packages

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: encode
+custom: https://fund.django-rest-framework.org/topics/funding/

.github/dependabot.yml

@@ -0,0 +1,13 @@
+# Keep GitHub Actions up to date with GitHub's Dependabot...
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    groups:
+      github-actions:
+        patterns:
+          - "*"  # Group all Action updates into a single larger pull request
+    schedule:
+      interval: weekly

.github/stale.yml

@@ -0,0 +1,22 @@
+# Documentation: https://github.com/probot/stale
+
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false
+
+# Limit the number of actions per hour, from 1-30. Default is 30
+limitPerRun: 1
+
+# Label to use when marking as stale
+staleLabel: stale

.github/workflows/main.yml

@@ -0,0 +1,73 @@
+name: CI
+
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+
+jobs:
+  tests:
+    name: Python ${{ matrix.python-version }}
+    runs-on: ubuntu-24.04
+
+    strategy:
+      matrix:
+        python-version:
+        - '3.9'
+        - '3.10'
+        - '3.11'
+        - '3.12'
+        - '3.13'
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - uses: actions/setup-python@v5
+      with:
+        python-version: ${{ matrix.python-version }}
+        cache: 'pip'
+        cache-dependency-path: 'requirements/*.txt'
+
+    - name: Upgrade packaging tools
+      run: python -m pip install --upgrade pip setuptools virtualenv wheel
+
+    - name: Install dependencies
+      run: python -m pip install --upgrade tox
+
+    - name: Run tox targets for ${{ matrix.python-version }}
+      run: tox run -f py$(echo ${{ matrix.python-version }} | tr -d . | cut -f 1 -d '-')
+
+    - name: Run extra tox targets
+      if: ${{ matrix.python-version == '3.9' }}
+      run: |
+        tox -e base,dist,docs
+
+    - name: Upload coverage
+      uses: codecov/codecov-action@v5
+      with:
+        env_vars: TOXENV,DJANGO
+
+  test-docs:
+    name: Test documentation links
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v4
+
+    - uses: actions/setup-python@v5
+      with:
+        python-version: '3.9'
+
+    - name: Install dependencies
+      run: pip install -r requirements/requirements-documentation.txt
+    
+    # Start mkdocs server and wait for it to be ready
+    - run: mkdocs serve &
+    - run: WAIT_TIME=0 && until nc -vzw 2 localhost 8000 || [ $WAIT_TIME -eq 5 ]; do sleep $(( WAIT_TIME++ )); done
+    - run: if [ $WAIT_TIME == 5 ]; then echo cannot start mkdocs server on http://localhost:8000; exit 1; fi
+    
+    - name: Check links
+      continue-on-error: true
+      run: pylinkvalidate.py -P http://localhost:8000/
+  
+    - run: echo "Done"

.github/workflows/pre-commit.yml

@@ -0,0 +1,22 @@
+name: pre-commit
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - uses: pre-commit/action@v3.0.1

.gitignore

@@ -2,6 +2,8 @@
 *.db
 *~
 .*
+*.py.bak
+
 
 /site/
 /htmlcov/
@@ -11,6 +13,8 @@
 /*.egg-info/
 /env/
 MANIFEST
+coverage.*
 
+!.github
 !.gitignore
-!.travis.yml
+!.pre-commit-config.yaml

.pre-commit-config.yaml

@@ -0,0 +1,39 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.5.0
+  hooks:
+  - id: check-added-large-files
+  - id: check-case-conflict
+  - id: check-json
+  - id: check-merge-conflict
+  - id: check-symlinks
+  - id: check-toml
+- repo: https://github.com/pycqa/isort
+  rev: 5.13.2
+  hooks:
+  - id: isort
+- repo: https://github.com/PyCQA/flake8
+  rev: 7.0.0
+  hooks:
+  - id: flake8
+    additional_dependencies:
+    - flake8-tidy-imports
+- repo: https://github.com/adamchainz/blacken-docs
+  rev: 1.16.0
+  hooks:
+  - id: blacken-docs
+    exclude: ^(?!docs).*$
+    additional_dependencies:
+    - black==23.1.0
+- repo: https://github.com/codespell-project/codespell
+  # Configuration for codespell is in .codespellrc
+  rev: v2.2.6
+  hooks:
+  - id: codespell
+    exclude: locale|kickstarter-announcement.md|coreapi-0.1.1.js
+
+- repo: https://github.com/asottile/pyupgrade
+  rev: v3.19.1
+  hooks:
+  - id: pyupgrade
+    args: ["--py39-plus", "--keep-percent-format"]

.travis.yml

@@ -1,45 +0,0 @@
-language: python
-
-sudo: false
-
-env:
-    - TOX_ENV=py27-flake8
-    - TOX_ENV=py27-docs
-    - TOX_ENV=py34-django18
-    - TOX_ENV=py33-django18
-    - TOX_ENV=py32-django18
-    - TOX_ENV=py27-django18
-    - TOX_ENV=py34-django17
-    - TOX_ENV=py33-django17
-    - TOX_ENV=py32-django17
-    - TOX_ENV=py27-django17
-    - TOX_ENV=py34-django16
-    - TOX_ENV=py33-django16
-    - TOX_ENV=py32-django16
-    - TOX_ENV=py27-django16
-    - TOX_ENV=py26-django16
-    - TOX_ENV=py34-django15
-    - TOX_ENV=py33-django15
-    - TOX_ENV=py32-django15
-    - TOX_ENV=py27-django15
-    - TOX_ENV=py26-django15
-    - TOX_ENV=py27-django14
-    - TOX_ENV=py26-django14
-    - TOX_ENV=py27-djangomaster
-    - TOX_ENV=py32-djangomaster
-    - TOX_ENV=py33-djangomaster
-    - TOX_ENV=py34-djangomaster
-
-matrix:
-  fast_finish: true
-  allow_failures:
-    - env: TOX_ENV=py27-djangomaster
-    - env: TOX_ENV=py32-djangomaster
-    - env: TOX_ENV=py33-djangomaster
-    - env: TOX_ENV=py34-djangomaster
-
-install:
-  - pip install tox
-
-script:
-    - tox -e $TOX_ENV

.tx/config

@@ -1,9 +1,9 @@
 [main]
 host = https://www.transifex.com
+lang_map = sr@latin:sr_Latn, zh-Hans:zh_Hans, zh-Hant:zh_Hant
 
 [django-rest-framework.djangopo]
 file_filter = rest_framework/locale/<lang>/LC_MESSAGES/django.po
 source_file = rest_framework/locale/en_US/LC_MESSAGES/django.po
 source_lang = en_US
 type = PO
-

CONTRIBUTING.md

@@ -1,211 +1,5 @@
 # Contributing to REST framework
 
-> The world can only really be changed one piece at a time.  The art is picking that piece.
->
-> — [Tim Berners-Lee][cite]
+At this point in its lifespan we consider Django REST framework to be essentially feature-complete. We may accept pull requests that track the continued development of Django versions, but would prefer not to accept new features or code formatting changes.
 
-There are many ways you can contribute to Django REST framework.  We'd like it to be a community-led project, so please get involved and help shape the future of the project.
-
-## Community
-
-The most important thing you can do to help push the REST framework project forward is to be actively involved wherever possible.  Code contributions are often overvalued as being the primary way to get involved in a project, we don't believe that needs to be the case.
-
-If you use REST framework, we'd love you to be vocal about your experiences with it - you might consider writing a blog post about using REST framework, or publishing a tutorial about building a project with a particular JavaScript framework.  Experiences from beginners can be particularly helpful because you'll be in the best position to assess which bits of REST framework are more difficult to understand and work with.
-
-Other really great ways you can help move the community forward include helping to answer questions on the [discussion group][google-group], or setting up an [email alert on StackOverflow][so-filter] so that you get notified of any new questions with the `django-rest-framework` tag.
-
-When answering questions make sure to help future contributors find their way around by hyperlinking wherever possible to related threads and tickets, and include backlinks from those items if relevant.
-
-## Code of conduct
-
-Please keep the tone polite & professional.  For some users a discussion on the REST framework mailing list or ticket tracker may be their first engagement with the open source community.  First impressions count, so let's try to make everyone feel welcome.
-
-Be mindful in the language you choose.  As an example, in an environment that is heavily male-dominated, posts that start 'Hey guys,' can come across as unintentionally exclusive.  It's just as easy, and more inclusive to use gender neutral language in those situations.
-
-The [Django code of conduct][code-of-conduct] gives a fuller set of guidelines for participating in community forums.
-
-# Issues
-
-It's really helpful if you can make sure to address issues on the correct channel.  Usage questions should be directed to the [discussion group][google-group].  Feature requests, bug reports and other issues should be raised on the GitHub [issue tracker][issues].
-
-Some tips on good issue reporting:
-
-* When describing issues try to phrase your ticket in terms of the *behavior* you think needs changing rather than the *code* you think need changing.
-* Search the issue list first for related items, and make sure you're running the latest version of REST framework before reporting an issue.
-* If reporting a bug, then try to include a pull request with a failing test case.  This will help us quickly identify if there is a valid issue, and make sure that it gets fixed more quickly if there is one.
-* Feature requests will often be closed with a recommendation that they be implemented outside of the core REST framework library.  Keeping new feature requests implemented as third party libraries allows us to keep down the maintenance overhead of REST framework, so that the focus can be on continued stability, bugfixes, and great documentation.
-* Closing an issue doesn't necessarily mean the end of a discussion.  If you believe your issue has been closed incorrectly, explain why and we'll consider if it needs to be reopened.
-
-## Triaging issues
-
-Getting involved in triaging incoming issues is a good way to start contributing.  Every single ticket that comes into the ticket tracker needs to be reviewed in order to determine what the next steps should be.  Anyone can help out with this, you just need to be willing to
-
-* Read through the ticket - does it make sense, is it missing any context that would help explain it better?
-* Is the ticket reported in the correct place, would it be better suited as a discussion on the discussion group?
-* If the ticket is a bug report, can you reproduce it? Are you able to write a failing test case that demonstrates the issue and that can be submitted as a pull request?
-* If the ticket is a feature request, do you agree with it, and could the feature request instead be implemented as a third party package?
-* If a ticket hasn't had much activity and it addresses something you need, then comment on the ticket and try to find out what's needed to get it moving again.
-
-# Development
-
-To start developing on Django REST framework, clone the repo:
-
-    git clone git@github.com:tomchristie/django-rest-framework.git
-
-Changes should broadly follow the [PEP 8][pep-8] style conventions, and we recommend you set up your editor to automatically indicate non-conforming styles.
-
-## Testing
-
-To run the tests, clone the repository, and then:
-
-    # Setup the virtual environment
-    virtualenv env
-    source env/bin/activate
-    pip install -r requirements.txt
-
-    # Run the tests
-    ./runtests.py
-
-### Test options
-
-Run using a more concise output style.
-
-    ./runtests.py -q
-
-Run the tests using a more concise output style, no coverage, no flake8.
-
-    ./runtests.py --fast
-
-Don't run the flake8 code linting.
-
-    ./runtests.py --nolint
-
-Only run the flake8 code linting, don't run the tests.
-
-    ./runtests.py --lintonly
-
-Run the tests for a given test case.
-
-    ./runtests.py MyTestCase
-
-Run the tests for a given test method.
-
-    ./runtests.py MyTestCase.test_this_method
-
-Shorter form to run the tests for a given test method.
-
-    ./runtests.py test_this_method
-
-Note: The test case and test method matching is fuzzy and will sometimes run other tests that contain a partial string match to the given  command line input.
-
-### Running against multiple environments
-
-You can also use the excellent [tox][tox] testing tool to run the tests against all supported versions of Python and Django.  Install `tox` globally, and then simply run:
-
-    tox
-
-## Pull requests
-
-It's a good idea to make pull requests early on.  A pull request represents the start of a discussion, and doesn't necessarily need to be the final, finished submission.
-
-It's also always best to make a new branch before starting work on a pull request.  This means that you'll be able to later switch back to working on another separate issue without interfering with an ongoing pull requests.
-
-It's also useful to remember that if you have an outstanding pull request then pushing new commits to your GitHub repo will also automatically update the pull requests.
-
-GitHub's documentation for working on pull requests is [available here][pull-requests].
-
-Always run the tests before submitting pull requests, and ideally run `tox` in order to check that your modifications are compatible with both Python 2 and Python 3, and that they run properly on all supported versions of Django.
-
-Once you've made a pull request take a look at the Travis build status in the GitHub interface and make sure the tests are running as you'd expect.
-
-![Travis status][travis-status]
-
-*Above: Travis build notifications*
-
-## Managing compatibility issues
-
-Sometimes, in order to ensure your code works on various different versions of Django, Python or third party libraries, you'll need to run slightly different code depending on the environment.  Any code that branches in this way should be isolated into the `compat.py` module, and should provide a single common interface that the rest of the codebase can use.
-
-# Documentation
-
-The documentation for REST framework is built from the [Markdown][markdown] source files in [the docs directory][docs].
-
-There are many great Markdown editors that make working with the documentation really easy.  The [Mou editor for Mac][mou] is one such editor that comes highly recommended.
-
-## Building the documentation
-
-To build the documentation, install MkDocs with `pip install mkdocs` and then run the following command.
-
-    mkdocs build
-
-This will build the documentation into the `site` directory.
-
-You can build the documentation and open a preview in a browser window by using the `serve` command.
-
-    mkdocs serve
-
-## Language style
-
-Documentation should be in American English.  The tone of the documentation is very important - try to stick to a simple, plain, objective and well-balanced style where possible.
-
-Some other tips:
-
-* Keep paragraphs reasonably short.
-* Don't use abbreviations such as 'e.g.' but instead use the long form, such as 'For example'.
-
-## Markdown style
-
-There are a couple of conventions you should follow when working on the documentation.
-
-##### 1. Headers
-
-Headers should use the hash style.  For example:
-
-    ### Some important topic
-
-The underline style should not be used.  **Don't do this:**
-
-    Some important topic
-    ====================
-
-##### 2. Links
-
-Links should always use the reference style, with the referenced hyperlinks kept at the end of the document.
-
-    Here is a link to [some other thing][other-thing].
-
-    More text...
-
-    [other-thing]: http://example.com/other/thing
-
-This style helps keep the documentation source consistent and readable.
-
-If you are hyperlinking to another REST framework document, you should use a relative link, and link to the `.md` suffix.  For example:
-
-    [authentication]: ../api-guide/authentication.md
-
-Linking in this style means you'll be able to click the hyperlink in your Markdown editor to open the referenced document.  When the documentation is built, these links will be converted into regular links to HTML pages.
-
-##### 3. Notes
-
-If you want to draw attention to a note or warning, use a pair of enclosing lines, like so:
-
-    ---
-
-    **Note:** A useful documentation note.
-
-    ---
-
-
-[cite]: http://www.w3.org/People/Berners-Lee/FAQ.html
-[code-of-conduct]: https://www.djangoproject.com/conduct/
-[google-group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework
-[so-filter]: http://stackexchange.com/filters/66475/rest-framework
-[issues]: https://github.com/tomchristie/django-rest-framework/issues?state=open
-[pep-8]: http://www.python.org/dev/peps/pep-0008/
-[travis-status]: ../img/travis-status.png
-[pull-requests]: https://help.github.com/articles/using-pull-requests
-[tox]: http://tox.readthedocs.org/en/latest/
-[markdown]: http://daringfireball.net/projects/markdown/basics
-[docs]: https://github.com/tomchristie/django-rest-framework/tree/master/docs
-[mou]: http://mouapp.com/
+The [Contributing guide in the documentation](https://www.django-rest-framework.org/community/contributing/) gives some more information on our process and code of conduct.

LICENSE.md

@@ -1,16 +1,21 @@
 # License
 
-Copyright (c) 2011-2015, Tom Christie
+Copyright © 2011-present, [Encode OSS Ltd](https://www.encode.io/).
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
 
-Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-Redistributions in binary form must reproduce the above copyright notice, this
-list of conditions and the following disclaimer in the documentation and/or
-other materials provided with the distribution.
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
 
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

MANIFEST.in

@@ -1,6 +1,8 @@
 include README.md
 include LICENSE.md
-recursive-include rest_framework/static *.js *.css *.png *.eot *.svg *.ttf *.woff
-recursive-include rest_framework/templates *.html
-recursive-exclude * __pycache__
-recursive-exclude * *.py[co]
+recursive-include tests/ *
+recursive-include rest_framework/static *.js *.css *.map *.png *.ico *.eot *.svg *.ttf *.woff *.woff2
+recursive-include rest_framework/templates *.html schema.js
+recursive-include rest_framework/locale *.mo
+global-exclude __pycache__
+global-exclude *.py[co]

PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,5 @@
+*Note*: Before submitting a code change, please review our [contributing guidelines](https://www.django-rest-framework.org/community/contributing/#pull-requests).
+
+## Description
+
+Please describe your pull request. If it fixes a bug or resolves a feature request, be sure to link to that issue. When linking to an issue, please use `refs #...` in the description of the pull request.

README.md

@@ -1,17 +1,36 @@
 # [Django REST framework][docs]
 
-[![build-status-image]][travis]
+[![build-status-image]][build-status]
+[![coverage-status-image]][codecov]
 [![pypi-version]][pypi]
 
 **Awesome web-browsable Web APIs.**
 
-Full documentation for the project is available at [http://www.django-rest-framework.org][docs].
+Full documentation for the project is available at [https://www.django-rest-framework.org/][docs].
 
 ---
 
-**Note**: We have now released Django REST framework 3.1. For older codebases you may want to refer to the version 2.4.4 [source code](https://github.com/tomchristie/django-rest-framework/tree/version-2.4.x), and [documentation](http://tomchristie.github.io/rest-framework-2-docs/).
+# Funding
 
-For more details see the [3.1 release notes][3.1-announcement]
+REST framework is a *collaboratively funded project*. If you use
+REST framework commercially we strongly encourage you to invest in its
+continued development by [signing up for a paid plan][funding].
+
+The initial aim is to provide a single full-time position on REST framework.
+*Every single sign-up makes a significant impact towards making that possible.*
+
+[![][sentry-img]][sentry-url]
+[![][stream-img]][stream-url]
+[![][spacinov-img]][spacinov-url]
+[![][retool-img]][retool-url]
+[![][bitio-img]][bitio-url]
+[![][posthog-img]][posthog-url]
+[![][cryptapi-img]][cryptapi-url]
+[![][fezto-img]][fezto-url]
+[![][svix-img]][svix-url]
+[![][zuplo-img]][zuplo-url]
+
+Many thanks to all our [wonderful sponsors][sponsors], and in particular to our premium backers, [Sentry][sentry-url], [Stream][stream-url], [Spacinov][spacinov-url], [Retool][retool-url], [bit.io][bitio-url], [PostHog][posthog-url], [CryptAPI][cryptapi-url], [FEZTO][fezto-url], [Svix][svix-url], and [Zuplo][zuplo-url].
 
 ---
 
@@ -21,22 +40,25 @@ Django REST framework is a powerful and flexible toolkit for building Web APIs.
 
 Some reasons you might want to use REST framework:
 
-* The [Web browsable API][sandbox] is a huge usability win for your developers.
+* The Web browsable API is a huge usability win for your developers.
 * [Authentication policies][authentication] including optional packages for [OAuth1a][oauth1-section] and [OAuth2][oauth2-section].
 * [Serialization][serializers] that supports both [ORM][modelserializer-section] and [non-ORM][serializer-section] data sources.
 * Customizable all the way down - just use [regular function-based views][functionview-section] if you don't need the [more][generic-views] [powerful][viewsets] [features][routers].
 * [Extensive documentation][docs], and [great community support][group].
 
-There is a live example API for testing purposes, [available here][sandbox].
-
 **Below**: *Screenshot from the browsable API*
 
 ![Screenshot][image]
 
+----
+
 # Requirements
 
-* Python (2.6.5+, 2.7, 3.2, 3.3, 3.4)
-* Django (1.4.11+, 1.5.6+, 1.6.3+, 1.7, 1.8)
+* Python 3.9+
+* Django 4.2, 5.0, 5.1, 5.2
+
+We **highly recommend** and only officially support the latest patch release of
+each Python and Django series.
 
 # Installation
 
@@ -45,11 +67,12 @@ Install using `pip`...
     pip install djangorestframework
 
 Add `'rest_framework'` to your `INSTALLED_APPS` setting.
-
-    INSTALLED_APPS = (
-        ...
-        'rest_framework',
-    )
+```python
+INSTALLED_APPS = [
+    ...
+    'rest_framework',
+]
+```
 
 # Example
 
@@ -59,21 +82,24 @@ Startup up a new project like so...
 
     pip install django
     pip install djangorestframework
-    django-admin.py startproject example .
-    ./manage.py syncdb
+    django-admin startproject example .
+    ./manage.py migrate
+    ./manage.py createsuperuser
+
 
 Now edit the `example/urls.py` module in your project:
 
 ```python
-from django.conf.urls import url, include
 from django.contrib.auth.models import User
-from rest_framework import serializers, viewsets, routers
+from django.urls import include, path
+from rest_framework import routers, serializers, viewsets
+
 
 # Serializers define the API representation.
 class UserSerializer(serializers.HyperlinkedModelSerializer):
     class Meta:
         model = User
-        fields = ('url', 'username', 'email', 'is_staff')
+        fields = ['url', 'username', 'email', 'is_staff']
 
 
 # ViewSets define the view behavior.
@@ -86,12 +112,11 @@ class UserViewSet(viewsets.ModelViewSet):
 router = routers.DefaultRouter()
 router.register(r'users', UserViewSet)
 
-
 # Wire up our API using automatic URL routing.
 # Additionally, we include login URLs for the browsable API.
 urlpatterns = [
-    url(r'^', include(router.urls)),
-    url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework'))
+    path('', include(router.urls)),
+    path('api-auth/', include('rest_framework.urls', namespace='rest_framework')),
 ]
 ```
 
@@ -100,16 +125,16 @@ We'd also like to configure a couple of settings for our API.
 Add the following to your `settings.py` module:
 
 ```python
-INSTALLED_APPS = (
+INSTALLED_APPS = [
     ...  # Make sure to include the default installed apps here.
     'rest_framework',
-)
+]
 
 REST_FRAMEWORK = {
     # Use Django's standard `django.contrib.auth` permissions,
     # or allow read-only access for unauthenticated users.
     'DEFAULT_PERMISSION_CLASSES': [
-        'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly'
+        'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly',
     ]
 }
 ```
@@ -120,17 +145,17 @@ That's it, we're done!
 
 You can now open the API in your browser at `http://127.0.0.1:8000/`, and view your new 'users' API. If you use the `Login` control in the top right corner you'll also be able to add, create and delete users from the system.
 
-You can also interact with the API using command line tools such as [`curl`](http://curl.haxx.se/). For example, to list the users endpoint:
+You can also interact with the API using command line tools such as [`curl`](https://curl.haxx.se/). For example, to list the users endpoint:
 
     $ curl -H 'Accept: application/json; indent=4' -u admin:password http://127.0.0.1:8000/users/
-	[
-	    {
-	        "url": "http://127.0.0.1:8000/users/1/",
-	        "username": "admin",
-	        "email": "admin@example.com",
-	        "is_staff": true,
-	    }
-	]
+    [
+        {
+            "url": "http://127.0.0.1:8000/users/1/",
+            "username": "admin",
+            "email": "admin@example.com",
+            "is_staff": true,
+        }
+    ]
 
 Or to create a new user:
 
@@ -144,39 +169,58 @@ Or to create a new user:
 
 # Documentation & Support
 
-Full documentation for the project is available at [http://www.django-rest-framework.org][docs].
+Full documentation for the project is available at [https://www.django-rest-framework.org/][docs].
 
-For questions and support, use the [REST framework discussion group][group], or `#restframework` on freenode IRC.
-
-You may also want to [follow the author on Twitter][twitter].
+For questions and support, use the [REST framework discussion group][group], or `#restframework` on libera.chat IRC.
 
 # Security
 
-If you believe you’ve found something in Django REST framework which has security implications, please **do not raise the issue in a public forum**.
+Please see the [security policy][security-policy].
 
-Send a description of the issue via email to [rest-framework-security@googlegroups.com][security-mail].  The project maintainers will then work with you to resolve any issues where required, prior to any public disclosure.
-
-
-[build-status-image]: https://secure.travis-ci.org/tomchristie/django-rest-framework.svg?branch=master
-[travis]: http://travis-ci.org/tomchristie/django-rest-framework?branch=master
-[pypi-version]: https://pypip.in/version/djangorestframework/badge.svg
-[pypi]: https://pypi.python.org/pypi/djangorestframework
-[twitter]: https://twitter.com/_tomchristie
+[build-status-image]: https://github.com/encode/django-rest-framework/actions/workflows/main.yml/badge.svg
+[build-status]: https://github.com/encode/django-rest-framework/actions/workflows/main.yml
+[coverage-status-image]: https://img.shields.io/codecov/c/github/encode/django-rest-framework/master.svg
+[codecov]: https://codecov.io/github/encode/django-rest-framework?branch=master
+[pypi-version]: https://img.shields.io/pypi/v/djangorestframework.svg
+[pypi]: https://pypi.org/project/djangorestframework/
 [group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework
-[sandbox]: http://restframework.herokuapp.com/
 
-[oauth1-section]: http://www.django-rest-framework.org/api-guide/authentication/#django-rest-framework-oauth
-[oauth2-section]: http://www.django-rest-framework.org/api-guide/authentication/#django-oauth-toolkit
-[serializer-section]: http://www.django-rest-framework.org/api-guide/serializers/#serializers
-[modelserializer-section]: http://www.django-rest-framework.org/api-guide/serializers/#modelserializer
-[functionview-section]: http://www.django-rest-framework.org/api-guide/views/#function-based-views
-[generic-views]: http://www.django-rest-framework.org/api-guide/generic-views/
-[viewsets]: http://www.django-rest-framework.org/api-guide/viewsets/
-[routers]: http://www.django-rest-framework.org/api-guide/routers/
-[serializers]: http://www.django-rest-framework.org/api-guide/serializers/
-[authentication]: http://www.django-rest-framework.org/api-guide/authentication/
-[image]: http://www.django-rest-framework.org/img/quickstart.png
+[funding]: https://fund.django-rest-framework.org/topics/funding/
+[sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
 
-[docs]: http://www.django-rest-framework.org/
-[security-mail]: mailto:rest-framework-security@googlegroups.com
-[3.1-announcement]: http://www.django-rest-framework.org/topics/3.1-announcement/
+[sentry-img]: https://raw.githubusercontent.com/encode/django-rest-framework/master/docs/img/premium/sentry-readme.png
+[stream-img]: https://raw.githubusercontent.com/encode/django-rest-framework/master/docs/img/premium/stream-readme.png
+[spacinov-img]: https://raw.githubusercontent.com/encode/django-rest-framework/master/docs/img/premium/spacinov-readme.png
+[retool-img]: https://raw.githubusercontent.com/encode/django-rest-framework/master/docs/img/premium/retool-readme.png
+[bitio-img]: https://raw.githubusercontent.com/encode/django-rest-framework/master/docs/img/premium/bitio-readme.png
+[posthog-img]: https://raw.githubusercontent.com/encode/django-rest-framework/master/docs/img/premium/posthog-readme.png
+[cryptapi-img]: https://raw.githubusercontent.com/encode/django-rest-framework/master/docs/img/premium/cryptapi-readme.png
+[fezto-img]: https://raw.githubusercontent.com/encode/django-rest-framework/master/docs/img/premium/fezto-readme.png
+[svix-img]: https://raw.githubusercontent.com/encode/django-rest-framework/master/docs/img/premium/svix-premium.png
+[zuplo-img]: https://raw.githubusercontent.com/encode/django-rest-framework/master/docs/img/premium/zuplo-readme.png
+
+[sentry-url]: https://getsentry.com/welcome/
+[stream-url]: https://getstream.io/?utm_source=DjangoRESTFramework&utm_medium=Webpage_Logo_Ad&utm_content=Developer&utm_campaign=DjangoRESTFramework_Jan2022_HomePage
+[spacinov-url]: https://www.spacinov.com/
+[retool-url]: https://retool.com/?utm_source=djangorest&utm_medium=sponsorship
+[bitio-url]: https://bit.io/jobs?utm_source=DRF&utm_medium=sponsor&utm_campaign=DRF_sponsorship
+[posthog-url]: https://posthog.com?utm_source=drf&utm_medium=sponsorship&utm_campaign=open-source-sponsorship
+[cryptapi-url]: https://cryptapi.io
+[fezto-url]: https://www.fezto.xyz/?utm_source=DjangoRESTFramework
+[svix-url]: https://www.svix.com/?utm_source=django-REST&utm_medium=sponsorship
+[zuplo-url]: https://zuplo.link/django-gh
+
+[oauth1-section]: https://www.django-rest-framework.org/api-guide/authentication/#django-rest-framework-oauth
+[oauth2-section]: https://www.django-rest-framework.org/api-guide/authentication/#django-oauth-toolkit
+[serializer-section]: https://www.django-rest-framework.org/api-guide/serializers/#serializers
+[modelserializer-section]: https://www.django-rest-framework.org/api-guide/serializers/#modelserializer
+[functionview-section]: https://www.django-rest-framework.org/api-guide/views/#function-based-views
+[generic-views]: https://www.django-rest-framework.org/api-guide/generic-views/
+[viewsets]: https://www.django-rest-framework.org/api-guide/viewsets/
+[routers]: https://www.django-rest-framework.org/api-guide/routers/
+[serializers]: https://www.django-rest-framework.org/api-guide/serializers/
+[authentication]: https://www.django-rest-framework.org/api-guide/authentication/
+[image]: https://www.django-rest-framework.org/img/quickstart.png
+
+[docs]: https://www.django-rest-framework.org/
+[security-policy]: https://github.com/encode/django-rest-framework/security/policy

SECURITY.md

@@ -0,0 +1,7 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+**Please report security issues by emailing security@encode.io**.
+
+The project maintainers will then work with you to resolve any issues where required, prior to any public disclosure.

codecov.yml

@@ -0,0 +1,11 @@
+coverage:
+  precision: 2
+  round: down
+  range: "80...100"
+
+  status:
+    project: yes
+    patch: no
+    changes: no
+
+comment: off

docs/api-guide/authentication.md

@@ -1,4 +1,7 @@
-source: authentication.py
+---
+source:
+    - authentication.py
+---
 
 # Authentication
 
@@ -8,9 +11,9 @@ source: authentication.py
 
 Authentication is the mechanism of associating an incoming request with a set of identifying credentials, such as the user the request came from, or the token that it was signed with.  The [permission] and [throttling] policies can then use those credentials to determine if the request should be permitted.
 
-REST framework provides a number of authentication schemes out of the box, and also allows you to implement custom schemes.
+REST framework provides several authentication schemes out of the box, and also allows you to implement custom schemes.
 
-Authentication is always run at the very start of the view, before the permission and throttling checks occur, and before any other code is allowed to proceed.
+Authentication always runs at the very start of the view, before the permission and throttling checks occur, and before any other code is allowed to proceed.
 
 The `request.user` property will typically be set to an instance of the `contrib.auth` package's `User` class.
 
@@ -20,7 +23,7 @@ The `request.auth` property is used for any additional authentication informatio
 
 **Note:** Don't forget that **authentication by itself won't allow or disallow an incoming request**, it simply identifies the credentials that the request was made with.
 
-For information on how to setup the permission polices for your API please see the [permissions documentation][permission].
+For information on how to set up the permission policies for your API please see the [permissions documentation][permission].
 
 ---
 
@@ -37,14 +40,14 @@ The value of `request.user` and `request.auth` for unauthenticated requests can
 The default authentication schemes may be set globally, using the `DEFAULT_AUTHENTICATION_CLASSES` setting.  For example.
 
     REST_FRAMEWORK = {
-        'DEFAULT_AUTHENTICATION_CLASSES': (
+        'DEFAULT_AUTHENTICATION_CLASSES': [
             'rest_framework.authentication.BasicAuthentication',
             'rest_framework.authentication.SessionAuthentication',
-        )
+        ]
     }
 
 You can also set the authentication scheme on a per-view or per-viewset basis,
-using the `APIView` class based views.
+using the `APIView` class-based views.
 
     from rest_framework.authentication import SessionAuthentication, BasicAuthentication
     from rest_framework.permissions import IsAuthenticated
@@ -52,25 +55,25 @@ using the `APIView` class based views.
     from rest_framework.views import APIView
 
     class ExampleView(APIView):
-        authentication_classes = (SessionAuthentication, BasicAuthentication)
-        permission_classes = (IsAuthenticated,)
+        authentication_classes = [SessionAuthentication, BasicAuthentication]
+        permission_classes = [IsAuthenticated]
 
         def get(self, request, format=None):
             content = {
-                'user': unicode(request.user),  # `django.contrib.auth.User` instance.
-                'auth': unicode(request.auth),  # None
+                'user': str(request.user),  # `django.contrib.auth.User` instance.
+                'auth': str(request.auth),  # None
             }
             return Response(content)
 
 Or, if you're using the `@api_view` decorator with function based views.
 
     @api_view(['GET'])
-    @authentication_classes((SessionAuthentication, BasicAuthentication))
-    @permission_classes((IsAuthenticated,))
+    @authentication_classes([SessionAuthentication, BasicAuthentication])
+    @permission_classes([IsAuthenticated])
     def example_view(request, format=None):
         content = {
-            'user': unicode(request.user),  # `django.contrib.auth.User` instance.
-            'auth': unicode(request.auth),  # None
+            'user': str(request.user),  # `django.contrib.auth.User` instance.
+            'auth': str(request.auth),  # None
         }
         return Response(content)
 
@@ -87,6 +90,12 @@ The kind of response that will be used depends on the authentication scheme.  Al
 
 Note that when a request may successfully authenticate, but still be denied permission to perform the request, in which case a `403 Permission Denied` response will always be used, regardless of the authentication scheme.
 
+## Django 5.1+ `LoginRequiredMiddleware`
+
+If you're running Django 5.1+ and use the [`LoginRequiredMiddleware`][login-required-middleware], please note that all views from DRF are opted-out of this middleware.  This is because the authentication in DRF is based authentication and permissions classes, which may be determined after the middleware has been applied.  Additionally, when the request is not authenticated, the middleware redirects the user to the login page, which is not suitable for API requests, where it's preferable to return a 401 status code.
+
+REST framework offers an equivalent mechanism for DRF views via the global settings, `DEFAULT_AUTHENTICATION_CLASSES` and `DEFAULT_PERMISSION_CLASSES`.  They should be changed accordingly if you need to enforce that API requests are logged in.
+
 ## Apache mod_wsgi specific configuration
 
 Note that if deploying to [Apache using mod_wsgi][mod_wsgi_official], the authorization header is not passed through to a WSGI application by default, as it is assumed that authentication will be handled by Apache, rather than at an application level.
@@ -117,37 +126,44 @@ Unauthenticated responses that are denied permission will result in an `HTTP 401
 
 ## TokenAuthentication
 
+---
+
+**Note:** The token authentication provided by Django REST framework is a fairly simple implementation.
+
+For an implementation which allows more than one token per user, has some tighter security implementation details, and supports token expiry, please see the [Django REST Knox][django-rest-knox] third party package.
+
+---
+
 This authentication scheme uses a simple token-based HTTP Authentication scheme.  Token authentication is appropriate for client-server setups, such as native desktop and mobile clients.
 
 To use the `TokenAuthentication` scheme you'll need to [configure the authentication classes](#setting-the-authentication-scheme) to include `TokenAuthentication`, and additionally include `rest_framework.authtoken` in your `INSTALLED_APPS` setting:
 
-    INSTALLED_APPS = (
+    INSTALLED_APPS = [
         ...
         'rest_framework.authtoken'
-    )
+    ]
 
----
-
-**Note:** Make sure to run `manage.py syncdb` after changing your settings. The `rest_framework.authtoken` app provides both Django (from v1.7) and South database migrations. See [Schema migrations](#schema-migrations) below.
-
----
+Make sure to run `manage.py migrate` after changing your settings.
 
+The `rest_framework.authtoken` app provides Django database migrations.
 
 You'll also need to create tokens for your users.
 
     from rest_framework.authtoken.models import Token
 
     token = Token.objects.create(user=...)
-    print token.key
+    print(token.key)
 
 For clients to authenticate, the token key should be included in the `Authorization` HTTP header.  The key should be prefixed by the string literal "Token", with whitespace separating the two strings.  For example:
 
     Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b
 
+*If you want to use a different keyword in the header, such as `Bearer`, simply subclass `TokenAuthentication` and set the `keyword` class variable.*
+
 If successfully authenticated, `TokenAuthentication` provides the following credentials.
 
 * `request.user` will be a Django `User` instance.
-* `request.auth` will be a `rest_framework.authtoken.models.BasicToken` instance.
+* `request.auth` will be a `rest_framework.authtoken.models.Token` instance.
 
 Unauthenticated responses that are denied permission will result in an `HTTP 401 Unauthorized` response with an appropriate WWW-Authenticate header.  For example:
 
@@ -163,7 +179,9 @@ The `curl` command line tool may be useful for testing token authenticated APIs.
 
 ---
 
-#### Generating Tokens
+### Generating Tokens
+
+#### By using signals
 
 If you want every user to have an automatically generated Token, you can simply catch the User's `post_save` signal.
 
@@ -187,11 +205,13 @@ If you've already created some users, you can generate tokens for all existing u
     for user in User.objects.all():
         Token.objects.get_or_create(user=user)
 
+#### By exposing an api endpoint
+
 When using `TokenAuthentication`, you may want to provide a mechanism for clients to obtain a token given the username and password.  REST framework provides a built-in view to provide this behavior.  To use it, add the `obtain_auth_token` view to your URLconf:
 
     from rest_framework.authtoken import views
     urlpatterns += [
-        url(r'^api-token-auth/', views.obtain_auth_token)
+        path('api-token-auth/', views.obtain_auth_token)
     ]
 
 Note that the URL part of the pattern can be whatever you want to use.
@@ -200,39 +220,65 @@ The `obtain_auth_token` view will return a JSON response when valid `username` a
 
     { 'token' : '9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' }
 
-Note that the default `obtain_auth_token` view explicitly uses JSON requests and responses, rather than using default renderer and parser classes in your settings.  If you need a customized version of the `obtain_auth_token` view, you can do so by overriding the `ObtainAuthToken` view class, and using that in your url conf instead.
+Note that the default `obtain_auth_token` view explicitly uses JSON requests and responses, rather than using default renderer and parser classes in your settings.
 
-#### Schema migrations
+By default, there are no permissions or throttling applied to the `obtain_auth_token` view. If you do wish to apply throttling you'll need to override the view class,
+and include them using the `throttle_classes` attribute.
 
-The `rest_framework.authtoken` app includes both Django native migrations (for Django versions >1.7) and South migrations (for Django versions <1.7) that will create the authtoken table.
+If you need a customized version of the `obtain_auth_token` view, you can do so by subclassing the `ObtainAuthToken` view class, and using that in your url conf instead.
 
-----
+For example, you may return additional user information beyond the `token` value:
 
-**Note**: From REST Framework v2.4.0 using South with Django <1.7 requires upgrading South v1.0+
+    from rest_framework.authtoken.views import ObtainAuthToken
+    from rest_framework.authtoken.models import Token
+    from rest_framework.response import Response
 
-----
+    class CustomAuthToken(ObtainAuthToken):
+
+        def post(self, request, *args, **kwargs):
+            serializer = self.serializer_class(data=request.data,
+                                               context={'request': request})
+            serializer.is_valid(raise_exception=True)
+            user = serializer.validated_data['user']
+            token, created = Token.objects.get_or_create(user=user)
+            return Response({
+                'token': token.key,
+                'user_id': user.pk,
+                'email': user.email
+            })
+
+And in your `urls.py`:
+
+    urlpatterns += [
+        path('api-token-auth/', CustomAuthToken.as_view())
+    ]
 
 
-If you're using a [custom user model][custom-user-model] you'll need to make sure that any initial migration that creates the user table runs before the authtoken table is created.
+#### With Django admin
 
-You can do so by inserting a `needed_by` attribute in your user migration:
+It is also possible to create Tokens manually through the admin interface. In case you are using a large user base, we recommend that you monkey patch the `TokenAdmin` class to customize it to your needs, more specifically by declaring the `user` field as `raw_field`.
 
-    class Migration:
+`your_app/admin.py`:
 
-        needed_by = (
-            ('authtoken', '0001_initial'),
-        )
+    from rest_framework.authtoken.admin import TokenAdmin
 
-        def forwards(self):
-            ...
+    TokenAdmin.raw_id_fields = ['user']
 
-For more details, see the [south documentation on dependencies][south-dependencies].
 
-Also note that if you're using a `post_save` signal to create tokens, then the first time you create the database tables, you'll need to ensure any migrations are run prior to creating any superusers.  For example:
+#### Using Django manage.py command
+
+Since version 3.6.4 it's possible to generate a user token using the following command:
+
+    ./manage.py drf_create_token <username>
+
+this command will return the API token for the given user, creating it if it doesn't exist:
+
+    Generated token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b for user user1
+
+In case you want to regenerate the token (for example if it has been compromised or leaked) you can pass an additional parameter:
+
+    ./manage.py drf_create_token -r <username>
 
-    python manage.py syncdb --noinput  # Won't create a superuser just yet, due to `--noinput`.
-    python manage.py migrate
-    python manage.py createsuperuser
 
 ## SessionAuthentication
 
@@ -245,7 +291,33 @@ If successfully authenticated, `SessionAuthentication` provides the following cr
 
 Unauthenticated responses that are denied permission will result in an `HTTP 403 Forbidden` response.
 
-If you're using an AJAX style API with SessionAuthentication, you'll need to make sure you include a valid CSRF token for any "unsafe" HTTP method calls, such as `PUT`, `PATCH`, `POST` or `DELETE` requests.  See the [Django CSRF documentation][csrf-ajax] for more details.
+If you're using an AJAX-style API with SessionAuthentication, you'll need to make sure you include a valid CSRF token for any "unsafe" HTTP method calls, such as `PUT`, `PATCH`, `POST` or `DELETE` requests.  See the [Django CSRF documentation][csrf-ajax] for more details.
+
+**Warning**: Always use Django's standard login view when creating login pages. This will ensure your login views are properly protected.
+
+CSRF validation in REST framework works slightly differently from standard Django due to the need to support both session and non-session based authentication to the same views. This means that only authenticated requests require CSRF tokens, and anonymous requests may be sent without CSRF tokens. This behavior is not suitable for login views, which should always have CSRF validation applied.
+
+
+## RemoteUserAuthentication
+
+This authentication scheme allows you to delegate authentication to your web server, which sets the `REMOTE_USER`
+environment variable.
+
+To use it, you must have `django.contrib.auth.backends.RemoteUserBackend` (or a subclass) in your
+`AUTHENTICATION_BACKENDS` setting. By default, `RemoteUserBackend` creates `User` objects for usernames that don't
+already exist. To change this and other behavior, consult the
+[Django documentation](https://docs.djangoproject.com/en/stable/howto/auth-remote-user/).
+
+If successfully authenticated, `RemoteUserAuthentication` provides the following credentials:
+
+* `request.user` will be a Django `User` instance.
+* `request.auth` will be `None`.
+
+Consult your web server's documentation for information about configuring an authentication method, for example:
+
+* [Apache Authentication How-To](https://httpd.apache.org/docs/2.4/howto/auth.html)
+* [NGINX (Restricting Access)](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/)
+
 
 # Custom authentication
 
@@ -256,23 +328,29 @@ In some circumstances instead of returning `None`, you may want to raise an `Aut
 Typically the approach you should take is:
 
 * If authentication is not attempted, return `None`.  Any other authentication schemes also in use will still be checked.
-* If authentication is attempted but fails, raise a `AuthenticationFailed` exception.  An error response will be returned immediately, regardless of any permissions checks, and without checking any other authentication schemes.
+* If authentication is attempted but fails, raise an `AuthenticationFailed` exception.  An error response will be returned immediately, regardless of any permissions checks, and without checking any other authentication schemes.
 
 You *may* also override the `.authenticate_header(self, request)` method.  If implemented, it should return a string that will be used as the value of the `WWW-Authenticate` header in a `HTTP 401 Unauthorized` response.
 
 If the `.authenticate_header()` method is not overridden, the authentication scheme will return `HTTP 403 Forbidden` responses when an unauthenticated request is denied access.
 
+---
+
+**Note:** When your custom authenticator is invoked by the request object's `.user` or `.auth` properties, you may see an `AttributeError` re-raised as a `WrappedAttributeError`. This is necessary to prevent the original exception from being suppressed by the outer property access. Python will not recognize that the `AttributeError` originates from your custom authenticator and will instead assume that the request object does not have a `.user` or `.auth` property. These errors should be fixed or otherwise handled by your authenticator.
+
+---
+
 ## Example
 
-The following example will authenticate any incoming request as the user given by the username in a custom request header named 'X_USERNAME'.
+The following example will authenticate any incoming request as the user given by the username in a custom request header named 'X-USERNAME'.
 
-	from django.contrib.auth.models import User
+    from django.contrib.auth.models import User
     from rest_framework import authentication
     from rest_framework import exceptions
 
     class ExampleAuthentication(authentication.BaseAuthentication):
         def authenticate(self, request):
-            username = request.META.get('X_USERNAME')
+            username = request.META.get('HTTP_X_USERNAME')
             if not username:
                 return None
 
@@ -287,13 +365,17 @@ The following example will authenticate any incoming request as the user given b
 
 # Third party packages
 
-The following third party packages are also available.
+The following third-party packages are also available.
+
+## django-rest-knox
+
+[Django-rest-knox][django-rest-knox] library provides models and views to handle token-based authentication in a more secure and extensible way than the built-in TokenAuthentication scheme - with Single Page Applications and Mobile clients in mind. It provides per-client tokens, and views to generate them when provided some other authentication (usually basic authentication), to delete the token (providing a server enforced logout) and to delete all tokens (logs out all clients that a user is logged into).
 
 ## Django OAuth Toolkit
 
-The [Django OAuth Toolkit][django-oauth-toolkit] package provides OAuth 2.0 support, and works with Python 2.7 and Python 3.3+. The package is maintained by [Evonove][evonove] and uses the excellent [OAuthLib][oauthlib].  The package is well documented, and well supported and is currently our **recommended package for OAuth 2.0 support**.
+The [Django OAuth Toolkit][django-oauth-toolkit] package provides OAuth 2.0 support and works with Python 3.4+. The package is maintained by [jazzband][jazzband] and uses the excellent [OAuthLib][oauthlib].  The package is well documented, and well supported and is currently our **recommended package for OAuth 2.0 support**.
 
-#### Installation & configuration
+### Installation & configuration
 
 Install using `pip`.
 
@@ -301,15 +383,15 @@ Install using `pip`.
 
 Add the package to your `INSTALLED_APPS` and modify your REST framework settings.
 
-    INSTALLED_APPS = (
+    INSTALLED_APPS = [
         ...
         'oauth2_provider',
-    )
+    ]
 
     REST_FRAMEWORK = {
-        'DEFAULT_AUTHENTICATION_CLASSES': (
-            'oauth2_provider.ext.rest_framework.OAuth2Authentication',
-        )
+        'DEFAULT_AUTHENTICATION_CLASSES': [
+            'oauth2_provider.contrib.rest_framework.OAuth2Authentication',
+        ]
     }
 
 For more details see the [Django REST framework - Getting started][django-oauth-toolkit-getting-started] documentation.
@@ -318,9 +400,9 @@ For more details see the [Django REST framework - Getting started][django-oauth-
 
 The [Django REST framework OAuth][django-rest-framework-oauth] package provides both OAuth1 and OAuth2 support for REST framework.
 
-This package was previously included directly in REST framework but is now supported and maintained as a third party package.
+This package was previously included directly in the REST framework but is now supported and maintained as a third-party package.
 
-#### Installation & configuration
+### Installation & configuration
 
 Install the package using `pip`.
 
@@ -328,17 +410,9 @@ Install the package using `pip`.
 
 For details on configuration and usage see the Django REST framework OAuth documentation for [authentication][django-rest-framework-oauth-authentication] and [permissions][django-rest-framework-oauth-permissions].
 
-## Digest Authentication
-
-HTTP digest authentication is a widely implemented scheme that was intended to replace HTTP basic authentication, and which provides a simple encrypted authentication mechanism. [Juan Riaza][juanriaza] maintains the [djangorestframework-digestauth][djangorestframework-digestauth] package which provides HTTP digest authentication support for REST framework.
-
-## Django OAuth2 Consumer
-
-The [Django OAuth2 Consumer][doac] library from [Rediker Software][rediker] is another package that provides [OAuth 2.0 support for REST framework][doac-rest-framework].  The package includes token scoping permissions on tokens, which allows finer-grained access to your API.
-
 ## JSON Web Token Authentication
 
-JSON Web Token is a fairly new standard which can be used for token-based authentication. Unlike the built-in TokenAuthentication scheme, JWT Authentication doesn't need to use a database to validate a token. [Blimp][blimp] maintains the [djangorestframework-jwt][djangorestframework-jwt] package which provides a JWT Authentication class as well as a mechanism for clients to obtain a JWT given the username and password.
+JSON Web Token is a fairly new standard which can be used for token-based authentication. Unlike the built-in TokenAuthentication scheme, JWT Authentication doesn't need to use a database to validate a token. A package for JWT authentication is [djangorestframework-simplejwt][djangorestframework-simplejwt] which provides some features as well as a pluggable token blacklist app.
 
 ## Hawk HTTP Authentication
 
@@ -346,53 +420,81 @@ The [HawkREST][hawkrest] library builds on the [Mohawk][mohawk] library to let y
 
 ## HTTP Signature Authentication
 
-HTTP Signature (currently a [IETF draft][http-signature-ietf-draft]) provides a way to achieve origin authentication and message integrity for HTTP messages. Similar to [Amazon's HTTP Signature scheme][amazon-http-signature], used by many of its services, it permits stateless, per-request authentication. [Elvio Toccalino][etoccalino] maintains the [djangorestframework-httpsignature][djangorestframework-httpsignature] package which provides an easy to use HTTP Signature Authentication mechanism.
+HTTP Signature (currently a [IETF draft][http-signature-ietf-draft]) provides a way to achieve origin authentication and message integrity for HTTP messages. Similar to [Amazon's HTTP Signature scheme][amazon-http-signature], used by many of its services, it permits stateless, per-request authentication. [Elvio Toccalino][etoccalino] maintains the [djangorestframework-httpsignature][djangorestframework-httpsignature] (outdated) package which provides an easy-to-use HTTP Signature Authentication mechanism. You can use the updated fork version of [djangorestframework-httpsignature][djangorestframework-httpsignature], which is [drf-httpsig][drf-httpsig].
 
 ## Djoser
 
-[Djoser][djoser] library provides a set of views to handle basic actions such as registration, login, logout, password reset and account activation. The package works with a custom user model and it uses token based authentication. This is a ready to use REST implementation of Django authentication system.
+[Djoser][djoser] library provides a set of views to handle basic actions such as registration, login, logout, password reset and account activation. The package works with a custom user model and uses token-based authentication. This is a ready to use REST implementation of the Django authentication system.
 
-## django-rest-auth
+## django-rest-auth / dj-rest-auth
 
-[Django-rest-auth][django-rest-auth] library provides a set of REST API endpoints for registration, authentication (including social media authentication), password reset, retrieve and update user details, etc. By having these API endpoints, your client apps such as AngularJS, iOS, Android, and others can communicate to your Django backend site independently via REST APIs for user management.
+This library provides a set of REST API endpoints for registration, authentication (including social media authentication), password reset, retrieve and update user details, etc. By having these API endpoints, your client apps such as AngularJS, iOS, Android, and others can communicate to your Django backend site independently via REST APIs for user management.
 
-[cite]: http://jacobian.org/writing/rest-worst-practices/
-[http401]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2
-[http403]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4
-[basicauth]: http://tools.ietf.org/html/rfc2617
-[oauth]: http://oauth.net/2/
+
+There are currently two forks of this project.
+
+* [Django-rest-auth][django-rest-auth] is the original project, [but is not currently receiving updates](https://github.com/Tivix/django-rest-auth/issues/568).
+* [Dj-rest-auth][dj-rest-auth] is a newer fork of the project.
+
+## drf-social-oauth2
+
+[Drf-social-oauth2][drf-social-oauth2] is a framework that helps you authenticate with major social oauth2 vendors, such as Facebook, Google, Twitter, Orcid, etc. It generates tokens in a JWTed way with an easy setup.
+
+## drfpasswordless
+
+[drfpasswordless][drfpasswordless] adds (Medium, Square Cash inspired) passwordless support to Django REST Framework's TokenAuthentication scheme. Users log in and sign up with a token sent to a contact point like an email address or a mobile number.
+
+## django-rest-authemail
+
+[django-rest-authemail][django-rest-authemail] provides a RESTful API interface for user signup and authentication. Email addresses are used for authentication, rather than usernames.  API endpoints are available for signup, signup email verification, login, logout, password reset, password reset verification, email change, email change verification, password change, and user detail.  A fully functional example project and detailed instructions are included.
+
+## Django-Rest-Durin
+
+[Django-Rest-Durin][django-rest-durin] is built with the idea to have one library that does token auth for multiple Web/CLI/Mobile API clients via one interface but allows different token configuration for each API Client that consumes the API. It provides support for multiple tokens per user via custom models, views, permissions that work with Django-Rest-Framework. The token expiration time can be different per API client and is customizable via the Django Admin Interface.
+
+More information can be found in the [Documentation](https://django-rest-durin.readthedocs.io/en/latest/index.html).
+
+## django-pyoidc
+
+[dango-pyoidc][django_pyoidc] adds support for OpenID Connect (OIDC) authentication. This allows you to delegate user management to an Identity Provider, which can be used to implement Single-Sign-On (SSO). It provides support for most uses-cases, such as customizing how token info are mapped to user models, using OIDC audiences for access control, etc.
+
+More information can be found in the [Documentation](https://django-pyoidc.readthedocs.io/latest/index.html).
+
+[cite]: https://jacobian.org/writing/rest-worst-practices/
+[http401]: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2
+[http403]: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4
+[basicauth]: https://tools.ietf.org/html/rfc2617
 [permission]: permissions.md
 [throttling]: throttling.md
-[csrf-ajax]: https://docs.djangoproject.com/en/dev/ref/csrf/#ajax
-[mod_wsgi_official]: http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIPassAuthorization
-[custom-user-model]: https://docs.djangoproject.com/en/dev/topics/auth/customizing/#specifying-a-custom-user-model
-[south-dependencies]: http://south.readthedocs.org/en/latest/dependencies.html
-[django-oauth-toolkit-getting-started]: https://django-oauth-toolkit.readthedocs.org/en/latest/rest-framework/getting_started.html
-[django-rest-framework-oauth]: http://jpadilla.github.io/django-rest-framework-oauth/
-[django-rest-framework-oauth-authentication]: http://jpadilla.github.io/django-rest-framework-oauth/authentication/
-[django-rest-framework-oauth-permissions]: http://jpadilla.github.io/django-rest-framework-oauth/permissions/
+[csrf-ajax]: https://docs.djangoproject.com/en/stable/howto/csrf/#using-csrf-protection-with-ajax
+[mod_wsgi_official]: https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIPassAuthorization.html
+[django-oauth-toolkit-getting-started]: https://django-oauth-toolkit.readthedocs.io/en/latest/rest-framework/getting_started.html
+[django-rest-framework-oauth]: https://jpadilla.github.io/django-rest-framework-oauth/
+[django-rest-framework-oauth-authentication]: https://jpadilla.github.io/django-rest-framework-oauth/authentication/
+[django-rest-framework-oauth-permissions]: https://jpadilla.github.io/django-rest-framework-oauth/permissions/
 [juanriaza]: https://github.com/juanriaza
 [djangorestframework-digestauth]: https://github.com/juanriaza/django-rest-framework-digestauth
-[oauth-1.0a]: http://oauth.net/core/1.0a
-[django-oauth-plus]: http://code.larlet.fr/django-oauth-plus
-[django-oauth2-provider]: https://github.com/caffeinehit/django-oauth2-provider
-[django-oauth2-provider-docs]: https://django-oauth2-provider.readthedocs.org/en/latest/
-[rfc6749]: http://tools.ietf.org/html/rfc6749
+[oauth-1.0a]: https://oauth.net/core/1.0a/
 [django-oauth-toolkit]: https://github.com/evonove/django-oauth-toolkit
-[evonove]: https://github.com/evonove/
+[jazzband]: https://github.com/jazzband/
 [oauthlib]: https://github.com/idan/oauthlib
-[doac]: https://github.com/Rediker-Software/doac
-[rediker]: https://github.com/Rediker-Software
-[doac-rest-framework]: https://github.com/Rediker-Software/doac/blob/master/docs/integrations.md#
-[blimp]: https://github.com/GetBlimp
-[djangorestframework-jwt]: https://github.com/GetBlimp/django-rest-framework-jwt
+[djangorestframework-simplejwt]: https://github.com/davesque/django-rest-framework-simplejwt
 [etoccalino]: https://github.com/etoccalino/
 [djangorestframework-httpsignature]: https://github.com/etoccalino/django-rest-framework-httpsignature
-[amazon-http-signature]: http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
+[drf-httpsig]: https://github.com/ahknight/drf-httpsig
+[amazon-http-signature]: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
 [http-signature-ietf-draft]: https://datatracker.ietf.org/doc/draft-cavage-http-signatures/
-[hawkrest]: http://hawkrest.readthedocs.org/en/latest/
+[hawkrest]: https://hawkrest.readthedocs.io/en/latest/
 [hawk]: https://github.com/hueniverse/hawk
-[mohawk]: http://mohawk.readthedocs.org/en/latest/
-[mac]: http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-05
+[mohawk]: https://mohawk.readthedocs.io/en/latest/
+[mac]: https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-05
 [djoser]: https://github.com/sunscrapers/djoser
 [django-rest-auth]: https://github.com/Tivix/django-rest-auth
+[dj-rest-auth]: https://github.com/jazzband/dj-rest-auth
+[drf-social-oauth2]: https://github.com/wagnerdelima/drf-social-oauth2
+[django-rest-knox]: https://github.com/James1345/django-rest-knox
+[drfpasswordless]: https://github.com/aaronn/django-rest-framework-passwordless
+[django-rest-authemail]: https://github.com/celiao/django-rest-authemail
+[django-rest-durin]: https://github.com/eshaan7/django-rest-durin
+[login-required-middleware]: https://docs.djangoproject.com/en/stable/ref/middleware/#django.contrib.auth.middleware.LoginRequiredMiddleware
+[django-pyoidc] : https://github.com/makinacorpus/django_pyoidc

docs/api-guide/caching.md

@@ -0,0 +1,91 @@
+# Caching
+
+> A certain woman had a very sharp consciousness but almost no
+> memory ... She remembered enough to work, and she worked hard.
+> - Lydia Davis
+
+Caching in REST Framework works well with the cache utilities
+provided in Django.
+
+---
+
+## Using cache with apiview and viewsets
+
+Django provides a [`method_decorator`][decorator] to use
+decorators with class based views. This can be used with
+other cache decorators such as [`cache_page`][page],
+[`vary_on_cookie`][cookie] and [`vary_on_headers`][headers].
+
+```python
+from django.utils.decorators import method_decorator
+from django.views.decorators.cache import cache_page
+from django.views.decorators.vary import vary_on_cookie, vary_on_headers
+
+from rest_framework.response import Response
+from rest_framework.views import APIView
+from rest_framework import viewsets
+
+
+class UserViewSet(viewsets.ViewSet):
+    # With cookie: cache requested url for each user for 2 hours
+    @method_decorator(cache_page(60 * 60 * 2))
+    @method_decorator(vary_on_cookie)
+    def list(self, request, format=None):
+        content = {
+            "user_feed": request.user.get_user_feed(),
+        }
+        return Response(content)
+
+
+class ProfileView(APIView):
+    # With auth: cache requested url for each user for 2 hours
+    @method_decorator(cache_page(60 * 60 * 2))
+    @method_decorator(vary_on_headers("Authorization"))
+    def get(self, request, format=None):
+        content = {
+            "user_feed": request.user.get_user_feed(),
+        }
+        return Response(content)
+
+
+class PostView(APIView):
+    # Cache page for the requested url
+    @method_decorator(cache_page(60 * 60 * 2))
+    def get(self, request, format=None):
+        content = {
+            "title": "Post title",
+            "body": "Post content",
+        }
+        return Response(content)
+```
+
+
+## Using cache with @api_view decorator
+
+When using @api_view decorator, the Django-provided method-based cache decorators such as [`cache_page`][page],
+[`vary_on_cookie`][cookie] and [`vary_on_headers`][headers] can be called directly.
+
+```python
+from django.views.decorators.cache import cache_page
+from django.views.decorators.vary import vary_on_cookie
+
+from rest_framework.decorators import api_view
+from rest_framework.response import Response
+
+
+@cache_page(60 * 15)
+@vary_on_cookie
+@api_view(["GET"])
+def get_user_list(request):
+    content = {"user_feed": request.user.get_user_feed()}
+    return Response(content)
+```
+
+
+**NOTE:** The [`cache_page`][page] decorator only caches the
+`GET` and `HEAD` responses with status 200.
+
+[page]: https://docs.djangoproject.com/en/dev/topics/cache/#the-per-view-cache
+[cookie]: https://docs.djangoproject.com/en/dev/topics/http/decorators/#django.views.decorators.vary.vary_on_cookie
+[headers]: https://docs.djangoproject.com/en/dev/topics/http/decorators/#django.views.decorators.vary.vary_on_headers
+[decorator]: https://docs.djangoproject.com/en/dev/topics/class-based-views/intro/#decorating-the-class

docs/api-guide/content-negotiation.md

@@ -1,4 +1,7 @@
-source: negotiation.py
+---
+source:
+    - negotiation.py
+---
 
 # Content negotiation
 
@@ -6,7 +9,7 @@ source: negotiation.py
 >
 > — [RFC 2616][cite], Fielding et al.
 
-[cite]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec12.html
+[cite]: https://www.w3.org/Protocols/rfc2616/rfc2616-sec12.html
 
 Content negotiation is the process of selecting one of multiple possible representations to return to a client, based on client or server preferences.
 
@@ -77,9 +80,9 @@ The default content negotiation class may be set globally, using the `DEFAULT_CO
         'DEFAULT_CONTENT_NEGOTIATION_CLASS': 'myapp.negotiation.IgnoreClientContentNegotiation',
     }
 
-You can also set the content negotiation used for an individual view, or viewset, using the `APIView` class based views.
+You can also set the content negotiation used for an individual view, or viewset, using the `APIView` class-based views.
 
-	from myapp.negotiation import IgnoreClientContentNegotiation
+    from myapp.negotiation import IgnoreClientContentNegotiation
     from rest_framework.response import Response
     from rest_framework.views import APIView
 
@@ -94,4 +97,4 @@ You can also set the content negotiation used for an individual view, or viewset
                 'accepted media type': request.accepted_renderer.media_type
             })
 
-[accept-header]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
+[accept-header]: https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

docs/api-guide/exceptions.md

@@ -1,4 +1,7 @@
-source: exceptions.py
+---
+source:
+    - exceptions.py
+---
 
 # Exceptions
 
@@ -35,7 +38,7 @@ Might receive an error response indicating that the `DELETE` method is not allow
 
 Validation errors are handled slightly differently, and will include the field names as the keys in the response. If the validation error was not specific to a particular field then it will use the "non_field_errors" key, or whatever string value has been set for the `NON_FIELD_ERRORS_KEY` setting.
 
-Any example validation error might look like this:
+An example validation error might look like this:
 
     HTTP/1.1 400 Bad Request
     Content-Type: application/json
@@ -47,7 +50,7 @@ Any example validation error might look like this:
 
 You can implement custom exception handling by creating a handler function that converts exceptions raised in your API views into response objects.  This allows you to control the style of error responses used by your API.
 
-The function must take a pair of arguments, this first is the exception to be handled, and the second is a dictionary containing any extra context such as the view currently being handled. The exception handler function should either return a `Response` object, or return `None` if the exception cannot be handled.  If the handler returns `None` then the exception will be re-raised and Django will return a standard HTTP 500 'server error' response.
+The function must take a pair of arguments, the first is the exception to be handled, and the second is a dictionary containing any extra context such as the view currently being handled. The exception handler function should either return a `Response` object, or return `None` if the exception cannot be handled.  If the handler returns `None` then the exception will be re-raised and Django will return a standard HTTP 500 'server error' response.
 
 For example, you might want to ensure that all error responses include the HTTP status code in the body of the response, like so:
 
@@ -98,7 +101,7 @@ Note that the exception handler will only be called for responses generated by r
 
 The **base class** for all exceptions raised inside an `APIView` class or `@api_view`.
 
-To provide a custom exception, subclass `APIException` and set the `.status_code` and `.default_detail` properties on the class.
+To provide a custom exception, subclass `APIException` and set the `.status_code`, `.default_detail`, and `.default_code` attributes on the class.
 
 For example, if your API relies on a third party service that may sometimes be unreachable, you might want to implement an exception for the "503 Service Unavailable" HTTP response code.  You could do this like so:
 
@@ -107,10 +110,42 @@ For example, if your API relies on a third party service that may sometimes be u
     class ServiceUnavailable(APIException):
         status_code = 503
         default_detail = 'Service temporarily unavailable, try again later.'
+        default_code = 'service_unavailable'
+
+#### Inspecting API exceptions
+
+There are a number of different properties available for inspecting the status
+of an API exception. You can use these to build custom exception handling
+for your project.
+
+The available attributes and methods are:
+
+* `.detail` - Return the textual description of the error.
+* `.get_codes()` - Return the code identifier of the error.
+* `.get_full_details()` - Return both the textual description and the code identifier.
+
+In most cases the error detail will be a simple item:
+
+    >>> print(exc.detail)
+    You do not have permission to perform this action.
+    >>> print(exc.get_codes())
+    permission_denied
+    >>> print(exc.get_full_details())
+    {'message':'You do not have permission to perform this action.','code':'permission_denied'}
+
+In the case of validation errors the error detail will be either a list or
+dictionary of items:
+
+    >>> print(exc.detail)
+    {"name":"This field is required.","age":"A valid integer is required."}
+    >>> print(exc.get_codes())
+    {"name":"required","age":"invalid"}
+    >>> print(exc.get_full_details())
+    {"name":{"message":"This field is required.","code":"required"},"age":{"message":"A valid integer is required.","code":"invalid"}}
 
 ## ParseError
 
-**Signature:** `ParseError(detail=None)`
+**Signature:** `ParseError(detail=None, code=None)`
 
 Raised if the request contains malformed data when accessing `request.data`.
 
@@ -118,7 +153,7 @@ By default this exception results in a response with the HTTP status code "400 B
 
 ## AuthenticationFailed
 
-**Signature:** `AuthenticationFailed(detail=None)`
+**Signature:** `AuthenticationFailed(detail=None, code=None)`
 
 Raised when an incoming request includes incorrect authentication.
 
@@ -126,7 +161,7 @@ By default this exception results in a response with the HTTP status code "401 U
 
 ## NotAuthenticated
 
-**Signature:** `NotAuthenticated(detail=None)`
+**Signature:** `NotAuthenticated(detail=None, code=None)`
 
 Raised when an unauthenticated request fails the permission checks.
 
@@ -134,7 +169,7 @@ By default this exception results in a response with the HTTP status code "401 U
 
 ## PermissionDenied
 
-**Signature:** `PermissionDenied(detail=None)`
+**Signature:** `PermissionDenied(detail=None, code=None)`
 
 Raised when an authenticated request fails the permission checks.
 
@@ -142,15 +177,15 @@ By default this exception results in a response with the HTTP status code "403 F
 
 ## NotFound
 
-**Signature:** `NotFound(detail=None)`
+**Signature:** `NotFound(detail=None, code=None)`
 
-Raised when a resource does not exists at the given URL. This exception is equivalent to the standard `Http404` Django exception.
+Raised when a resource does not exist at the given URL. This exception is equivalent to the standard `Http404` Django exception.
 
 By default this exception results in a response with the HTTP status code "404 Not Found".
 
 ## MethodNotAllowed
 
-**Signature:** `MethodNotAllowed(method, detail=None)`
+**Signature:** `MethodNotAllowed(method, detail=None, code=None)`
 
 Raised when an incoming request occurs that does not map to a handler method on the view.
 
@@ -158,7 +193,7 @@ By default this exception results in a response with the HTTP status code "405 M
 
 ## NotAcceptable
 
-**Signature:** `NotAcceptable(detail=None)`
+**Signature:** `NotAcceptable(detail=None, code=None)`
 
 Raised when an incoming request occurs with an `Accept` header that cannot be satisfied by any of the available renderers.
 
@@ -166,7 +201,7 @@ By default this exception results in a response with the HTTP status code "406 N
 
 ## UnsupportedMediaType
 
-**Signature:** `UnsupportedMediaType(media_type, detail=None)`
+**Signature:** `UnsupportedMediaType(media_type, detail=None, code=None)`
 
 Raised if there are no parsers that can handle the content type of the request data when accessing `request.data`.
 
@@ -174,7 +209,7 @@ By default this exception results in a response with the HTTP status code "415 U
 
 ## Throttled
 
-**Signature:** `Throttled(wait=None, detail=None)`
+**Signature:** `Throttled(wait=None, detail=None, code=None)`
 
 Raised when an incoming request fails the throttling checks.
 
@@ -182,12 +217,11 @@ By default this exception results in a response with the HTTP status code "429 T
 
 ## ValidationError
 
-**Signature:** `ValidationError(detail)`
+**Signature:** `ValidationError(detail=None, code=None)`
 
 The `ValidationError` exception is slightly different from the other `APIException` classes:
 
-* The `detail` argument is mandatory, not optional.
-* The `detail` argument may be a list or dictionary of error details, and may also be a nested data structure.
+* The `detail` argument may be a list or dictionary of error details, and may also be a nested data structure. By using a dictionary, you can specify field-level errors while performing object-level validation in the `validate()` method of a serializer. For example. `raise serializers.ValidationError({'name': 'Please enter a valid name.'})`
 * By convention you should import the serializers module and use a fully qualified `ValidationError` style, in order to differentiate it from Django's built-in validation error. For example. `raise serializers.ValidationError('This field must be an integer value.')`
 
 The `ValidationError` class should be used for serializer and field validation, and by validator classes. It is also raised when calling `serializer.is_valid` with the `raise_exception` keyword argument:
@@ -198,5 +232,42 @@ The generic views use the `raise_exception=True` flag, which means that you can
 
 By default this exception results in a response with the HTTP status code "400 Bad Request".
 
-[cite]: http://www.doughellmann.com/articles/how-tos/python-exception-handling/index.html
+
+---
+
+# Generic Error Views
+
+Django REST Framework provides two error views suitable for providing generic JSON `500` Server Error and
+`400` Bad Request responses. (Django's default error views provide HTML responses, which may not be appropriate for an
+API-only application.)
+
+Use these as per [Django's Customizing error views documentation][django-custom-error-views].
+
+## `rest_framework.exceptions.server_error`
+
+Returns a response with status code `500` and `application/json` content type.
+
+Set as `handler500`:
+
+    handler500 = 'rest_framework.exceptions.server_error'
+
+## `rest_framework.exceptions.bad_request`
+
+Returns a response with status code `400` and `application/json` content type.
+
+Set as `handler400`:
+
+    handler400 = 'rest_framework.exceptions.bad_request'
+
+# Third party packages
+
+The following third-party packages are also available.
+
+## DRF Standardized Errors
+
+The [drf-standardized-errors][drf-standardized-errors] package provides an exception handler that generates the same format for all 4xx and 5xx responses. It is a drop-in replacement for the default exception handler and allows customizing the error response format without rewriting the whole exception handler. The standardized error response format is easier to document and easier to handle by API consumers.
+
+[cite]: https://doughellmann.com/blog/2009/06/19/python-exception-handling-techniques/
 [authentication]: authentication.md
+[django-custom-error-views]: https://docs.djangoproject.com/en/dev/topics/http/views/#customizing-error-views
+[drf-standardized-errors]: https://github.com/ghazi-git/drf-standardized-errors

docs/api-guide/fields.md

@@ -1,4 +1,7 @@
-source: fields.py
+---
+source:
+    - fields.py
+---
 
 # Serializer fields
 
@@ -20,6 +23,8 @@ Each serializer field class constructor takes at least these arguments.  Some Fi
 
 ### `read_only`
 
+Read-only fields are included in the API output, but should not be included in the input during create or update operations. Any 'read_only' fields that are incorrectly included in the serializer input will be ignored.
+
 Set this to `True` to ensure that the field is used when serializing a representation, but is not used when creating or updating an instance during deserialization.
 
 Defaults to `False`
@@ -37,25 +42,50 @@ Set to false if this field is not required to be present during deserialization.
 
 Setting this to `False` also allows the object attribute or dictionary key to be omitted from output when serializing the instance. If the key is not present it will simply not be included in the output representation.
 
-Defaults to `True`.
+Defaults to `True`. If you're using [Model Serializer](https://www.django-rest-framework.org/api-guide/serializers/#modelserializer) default value will be `False` if you have specified `blank=True` or `default` or `null=True` at your field in your `Model`.
+
+### `default`
+
+If set, this gives the default value that will be used for the field if no input value is supplied. If not set the default behavior is to not populate the attribute at all.
+
+The `default` is not applied during partial update operations. In the partial update case only fields that are provided in the incoming data will have a validated value returned.
+
+May be set to a function or other callable, in which case the value will be evaluated each time it is used. When called, it will receive no arguments. If the callable has a `requires_context = True` attribute, then the serializer field will be passed as an argument.
+
+For example:
+
+    class CurrentUserDefault:
+        """
+        May be applied as a `default=...` value on a serializer field.
+        Returns the current user.
+        """
+        requires_context = True
+
+        def __call__(self, serializer_field):
+            return serializer_field.context['request'].user
+
+When serializing the instance, default will be used if the object attribute or dictionary key is not present in the instance.
+
+Note that setting a `default` value implies that the field is not required. Including both the `default` and `required` keyword arguments is invalid and will raise an error.
 
 ### `allow_null`
 
 Normally an error will be raised if `None` is passed to a serializer field. Set this keyword argument to `True` if `None` should be considered a valid value.
 
+Note that, without an explicit `default`, setting this argument to `True` will imply a `default` value of `null` for serialization output, but does not imply a default for input deserialization.
+
 Defaults to `False`
 
-### `default`
-
-If set, this gives the default value that will be used for the field if no input value is supplied.  If not set the default behavior is to not populate the attribute at all.
-
-May be set to a function or other callable, in which case the value will be evaluated each time it is used.
-
-Note that setting a `default` value implies that the field is not required. Including both the `default` and `required` keyword arguments is invalid and will raise an error.
-
 ### `source`
 
-The name of the attribute that will be used to populate the field.  May be a method that only takes a `self` argument, such as `URLField('get_absolute_url')`, or may use dotted notation to traverse attributes, such as `EmailField(source='user.email')`.
+The name of the attribute that will be used to populate the field.  May be a method that only takes a `self` argument, such as `URLField(source='get_absolute_url')`, or may use dotted notation to traverse attributes, such as `EmailField(source='user.email')`.
+
+When serializing fields with dotted notation, it may be necessary to provide a `default` value if any object is not present or is empty during attribute traversal. Beware of possible n+1 problems when using source attribute if you are accessing a relational orm model. For example:
+
+    class CommentSerializer(serializers.Serializer):
+        email = serializers.EmailField(source="user.email")
+
+This case would require user object to be fetched from database when it is not prefetched. If that is not wanted, be sure to be using `prefetch_related` and `select_related` methods appropriately. For more information about the methods refer to [django documentation][django-docs-select-related].
 
 The value `source='*'` has a special meaning, and is used to indicate that the entire object should be passed through to the field.  This can be useful for creating nested representations, or for fields which require access to the complete object in order to determine the output representation.
 
@@ -79,13 +109,19 @@ A text string that may be used as a description of the field in HTML form fields
 
 ### `initial`
 
-A value that should be used for pre-populating the value of HTML form fields.
+A value that should be used for pre-populating the value of HTML form fields. You may pass a callable to it, just as
+you may do with any regular Django `Field`:
+
+    import datetime
+    from rest_framework import serializers
+    class ExampleSerializer(serializers.Serializer):
+        day = serializers.DateField(initial=datetime.date.today)
 
 ### `style`
 
-A dictionary of key-value pairs that can be used to control how renderers should render the field. The API for this should still be considered experimental, and will be formalized with the 3.1 release.
+A dictionary of key-value pairs that can be used to control how renderers should render the field.
 
-Two options are currently used in HTML form generation, `'input_type'` and `'base_template'`.
+Two examples here are `'input_type'` and `'base_template'`:
 
     # Use <input type="password"> for the input.
     password = serializers.CharField(
@@ -94,11 +130,11 @@ Two options are currently used in HTML form generation, `'input_type'` and `'bas
 
     # Use a radio input instead of a select input.
     color_channel = serializers.ChoiceField(
-        choices=['red', 'green', 'blue']
-        style = {'base_template': 'radio.html'}
-    }
+        choices=['red', 'green', 'blue'],
+        style={'base_template': 'radio.html'}
+    )
 
-**Note**: The `style` argument replaces the old-style version 2.x `widget` keyword argument. Because REST framework 3 now uses templated HTML form generation, the `widget` option that was used to support Django built-in widgets can no longer be supported. Version 3.1 is planned to include public API support for customizing HTML form generation.
+For more details see the [HTML & Forms][html-and-forms] documentation.
 
 ---
 
@@ -110,18 +146,19 @@ A boolean representation.
 
 When using HTML encoded form input be aware that omitting a value will always be treated as setting a field to `False`, even if it has a `default=True` option specified. This is because HTML checkbox inputs represent the unchecked state by omitting the value, so REST framework treats omission as if it is an empty checkbox input.
 
+Note that Django 2.1 removed the `blank` kwarg from `models.BooleanField`.
+Prior to Django 2.1 `models.BooleanField` fields were always `blank=True`. Thus
+since Django 2.1 default `serializers.BooleanField` instances will be generated
+without the `required` kwarg (i.e. equivalent to `required=True`) whereas with
+previous versions of Django, default `BooleanField` instances will be generated
+with a `required=False` option.  If you want to control this behavior manually,
+explicitly declare the `BooleanField` on the serializer class, or use the
+`extra_kwargs` option to set the `required` flag.
+
 Corresponds to `django.db.models.fields.BooleanField`.
 
 **Signature:** `BooleanField()`
 
-## NullBooleanField
-
-A boolean representation that also accepts `None` as a valid value.
-
-Corresponds to `django.db.models.fields.NullBooleanField`.
-
-**Signature:** `NullBooleanField()`
-
 ---
 
 # String fields
@@ -134,10 +171,10 @@ Corresponds to `django.db.models.fields.CharField` or `django.db.models.fields.T
 
 **Signature:** `CharField(max_length=None, min_length=None, allow_blank=False, trim_whitespace=True)`
 
-- `max_length` - Validates that the input contains no more than this number of characters.
-- `min_length` - Validates that the input contains no fewer than this number of characters.
-- `allow_blank` - If set to `True` then the empty string should be considered a valid value. If set to `False` then the empty string is considered invalid and will raise a validation error. Defaults to `False`.
-- `trim_whitespace` - If set to `True` then leading and trailing whitespace is trimmed. Defaults to `True`.
+* `max_length` - Validates that the input contains no more than this number of characters.
+* `min_length` - Validates that the input contains no fewer than this number of characters.
+* `allow_blank` - If set to `True` then the empty string should be considered a valid value. If set to `False` then the empty string is considered invalid and will raise a validation error. Defaults to `False`.
+* `trim_whitespace` - If set to `True` then leading and trailing whitespace is trimmed. Defaults to `True`.
 
 The `allow_null` option is also available for string fields, although its usage is discouraged in favor of `allow_blank`. It is valid to set both `allow_blank=True` and `allow_null=True`, but doing so means that there will be two differing types of empty value permissible for string representations, which can lead to data inconsistencies and subtle application bugs.
 
@@ -183,6 +220,40 @@ A field that ensures the input is a valid UUID string. The `to_internal_value` m
 
     "de305d54-75b4-431b-adb2-eb6b9e546013"
 
+**Signature:** `UUIDField(format='hex_verbose')`
+
+* `format`: Determines the representation format of the uuid value
+    * `'hex_verbose'` - The canonical hex representation, including hyphens: `"5ce0e9a5-5ffa-654b-cee0-1238041fb31a"`
+    * `'hex'` - The compact hex representation of the UUID, not including hyphens: `"5ce0e9a55ffa654bcee01238041fb31a"`
+    * `'int'` - A 128 bit integer representation of the UUID: `"123456789012312313134124512351145145114"`
+    * `'urn'` - RFC 4122 URN representation of the UUID: `"urn:uuid:5ce0e9a5-5ffa-654b-cee0-1238041fb31a"`
+  Changing the `format` parameters only affects representation values. All formats are accepted by `to_internal_value`
+
+## FilePathField
+
+A field whose choices are limited to the filenames in a certain directory on the filesystem
+
+Corresponds to `django.forms.fields.FilePathField`.
+
+**Signature:** `FilePathField(path, match=None, recursive=False, allow_files=True, allow_folders=False, required=None, **kwargs)`
+
+* `path` - The absolute filesystem path to a directory from which this FilePathField should get its choice.
+* `match` - A regular expression, as a string, that FilePathField will use to filter filenames.
+* `recursive` - Specifies whether all subdirectories of path should be included.  Default is `False`.
+* `allow_files` - Specifies whether files in the specified location should be included. Default is `True`. Either this or `allow_folders` must be `True`.
+* `allow_folders` - Specifies whether folders in the specified location should be included. Default is `False`. Either this or `allow_files` must be `True`.
+
+## IPAddressField
+
+A field that ensures the input is a valid IPv4 or IPv6 string.
+
+Corresponds to `django.forms.fields.IPAddressField` and `django.forms.fields.GenericIPAddressField`.
+
+**Signature**: `IPAddressField(protocol='both', unpack_ipv4=False, **options)`
+
+* `protocol` Limits valid inputs to the specified protocol. Accepted values are 'both' (default), 'IPv4' or 'IPv6'. Matching is case-insensitive.
+* `unpack_ipv4` Unpacks IPv4 mapped addresses like ::ffff:192.0.2.1. If this option is enabled that address would be unpacked to 192.0.2.1. Default is disabled. Can only be used when protocol is set to 'both'.
+
 ---
 
 # Numeric fields
@@ -195,8 +266,8 @@ Corresponds to `django.db.models.fields.IntegerField`, `django.db.models.fields.
 
 **Signature**: `IntegerField(max_value=None, min_value=None)`
 
-- `max_value` Validate that the number provided is no greater than this value.
-- `min_value` Validate that the number provided is no less than this value.
+* `max_value` Validate that the number provided is no greater than this value.
+* `min_value` Validate that the number provided is no less than this value.
 
 ## FloatField
 
@@ -206,8 +277,8 @@ Corresponds to `django.db.models.fields.FloatField`.
 
 **Signature**: `FloatField(max_value=None, min_value=None)`
 
-- `max_value` Validate that the number provided is no greater than this value.
-- `min_value` Validate that the number provided is no less than this value.
+* `max_value` Validate that the number provided is no greater than this value.
+* `min_value` Validate that the number provided is no less than this value.
 
 ## DecimalField
 
@@ -217,11 +288,14 @@ Corresponds to `django.db.models.fields.DecimalField`.
 
 **Signature**: `DecimalField(max_digits, decimal_places, coerce_to_string=None, max_value=None, min_value=None)`
 
-- `max_digits` The maximum number of digits allowed in the number. Note that this number must be greater than or equal to decimal_places.
-- `decimal_places` The number of decimal places to store with the number.
-- `coerce_to_string` Set to `True` if string values should be returned for the representation, or `False` if `Decimal` objects should be returned. Defaults to the same value as the `COERCE_DECIMAL_TO_STRING` settings key, which will be `True` unless overridden. If `Decimal` objects are returned by the serializer, then the final output format will be determined by the renderer.
-- `max_value` Validate that the number provided is no greater than this value.
-- `min_value` Validate that the number provided is no less than this value.
+* `max_digits` The maximum number of digits allowed in the number. It must be either `None` or an integer greater than or equal to `decimal_places`.
+* `decimal_places` The number of decimal places to store with the number.
+* `coerce_to_string` Set to `True` if string values should be returned for the representation, or `False` if `Decimal` objects should be returned. Defaults to the same value as the `COERCE_DECIMAL_TO_STRING` settings key, which will be `True` unless overridden. If `Decimal` objects are returned by the serializer, then the final output format will be determined by the renderer. Note that setting `localize` will force the value to `True`.
+* `max_value` Validate that the number provided is no greater than this value. Should be an integer or `Decimal` object.
+* `min_value` Validate that the number provided is no less than this value. Should be an integer or `Decimal` object.
+* `localize` Set to `True` to enable localization of input and output based on the current locale. This will also force `coerce_to_string` to `True`. Defaults to `False`. Note that data formatting is enabled if you have set `USE_L10N=True` in your settings file.
+* `rounding` Sets the rounding mode used when quantizing to the configured precision. Valid values are [`decimal` module rounding modes][python-decimal-rounding-modes]. Defaults to `None`.
+* `normalize_output` Will normalize the decimal value when serialized. This will strip all trailing zeroes and change the value's precision to the minimum required precision to be able to represent the value without losing data. Defaults to `False`.
 
 #### Example usage
 
@@ -233,10 +307,6 @@ And to validate numbers up to anything less than one billion with a resolution o
 
     serializers.DecimalField(max_digits=19, decimal_places=10)
 
-This field also takes an optional argument, `coerce_to_string`. If set to `True` the representation will be output as a string. If set to `False` the representation will be left as a `Decimal` instance and the final representation will be determined by the renderer.
-
-If unset, this will default to the same value as the `COERCE_DECIMAL_TO_STRING` setting, which is `True` unless set otherwise.
-
 ---
 
 # Date and time fields
@@ -247,18 +317,17 @@ A date and time representation.
 
 Corresponds to `django.db.models.fields.DateTimeField`.
 
-**Signature:** `DateTimeField(format=None, input_formats=None)`
+**Signature:** `DateTimeField(format=api_settings.DATETIME_FORMAT, input_formats=None, default_timezone=None)`
 
-* `format` - A string representing the output format.  If not specified, this defaults to the same value as the `DATETIME_FORMAT` settings key, which will be `'iso-8601'` unless set. Setting to a format string indicates that `to_representation` return values should be coerced to string output. Format strings are described below. Setting this value to `None` indicates that Python `datetime` objects should be returned by `to_representation`. In this case the datetime encoding will be determined by the renderer.
+* `format` - A string representing the output format. If not specified, this defaults to the same value as the `DATETIME_FORMAT` settings key, which will be `'iso-8601'` unless set. Setting to a format string indicates that `to_representation` return values should be coerced to string output. Format strings are described below. Setting this value to `None` indicates that Python `datetime` objects should be returned by `to_representation`. In this case the datetime encoding will be determined by the renderer.
 * `input_formats` - A list of strings representing the input formats which may be used to parse the date.  If not specified, the `DATETIME_INPUT_FORMATS` setting will be used, which defaults to `['iso-8601']`.
+* `default_timezone` - A `tzinfo` subclass (`zoneinfo` or `pytz`) representing the timezone. If not specified and the `USE_TZ` setting is enabled, this defaults to the [current timezone][django-current-timezone]. If `USE_TZ` is disabled, then datetime objects will be naive.
 
 #### `DateTimeField` format strings.
 
 Format strings may either be [Python strftime formats][strftime] which explicitly specify the format, or the special string `'iso-8601'`, which indicates that [ISO 8601][iso8601] style datetimes should be used. (eg `'2013-01-29T12:34:56.000000Z'`)
 
-When a value of `None` is used for the format `datetime` objects will be returned by `to_representation` and the final output representation will determined by the renderer class.
-
-In the case of JSON this means the default datetime representation uses the [ECMA 262 date time string specification][ecma262].  This is a subset of ISO 8601 which uses millisecond precision, and includes the 'Z' suffix for the UTC timezone, for example: `2013-01-29T12:34:56.123Z`.
+When a value of `None` is used for the format `datetime` objects will be returned by `to_representation` and the final output representation will be determined by the renderer class.
 
 #### `auto_now` and `auto_now_add` model fields.
 
@@ -278,7 +347,7 @@ A date representation.
 
 Corresponds to `django.db.models.fields.DateField`
 
-**Signature:** `DateField(format=None, input_formats=None)`
+**Signature:** `DateField(format=api_settings.DATE_FORMAT, input_formats=None)`
 
 * `format` - A string representing the output format.  If not specified, this defaults to the same value as the `DATE_FORMAT` settings key, which will be `'iso-8601'` unless set. Setting to a format string indicates that `to_representation` return values should be coerced to string output. Format strings are described below. Setting this value to `None` indicates that Python `date` objects should be returned by `to_representation`. In this case the date encoding will be determined by the renderer.
 * `input_formats` - A list of strings representing the input formats which may be used to parse the date.  If not specified, the `DATE_INPUT_FORMATS` setting will be used, which defaults to `['iso-8601']`.
@@ -293,15 +362,28 @@ A time representation.
 
 Corresponds to `django.db.models.fields.TimeField`
 
-**Signature:** `TimeField(format=None, input_formats=None)`
+**Signature:** `TimeField(format=api_settings.TIME_FORMAT, input_formats=None)`
 
 * `format` - A string representing the output format.  If not specified, this defaults to the same value as the `TIME_FORMAT` settings key, which will be `'iso-8601'` unless set. Setting to a format string indicates that `to_representation` return values should be coerced to string output. Format strings are described below. Setting this value to `None` indicates that Python `time` objects should be returned by `to_representation`. In this case the time encoding will be determined by the renderer.
 * `input_formats` - A list of strings representing the input formats which may be used to parse the date.  If not specified, the `TIME_INPUT_FORMATS` setting will be used, which defaults to `['iso-8601']`.
 
-#### `TimeField` format strings
+#### `TimeField` format strings
 
 Format strings may either be [Python strftime formats][strftime] which explicitly specify the format, or the special string `'iso-8601'`, which indicates that [ISO 8601][iso8601] style times should be used. (eg `'12:34:56.000000'`)
 
+## DurationField
+
+A Duration representation.
+Corresponds to `django.db.models.fields.DurationField`
+
+The `validated_data` for these fields will contain a `datetime.timedelta` instance.
+The representation is a string following this format `'[DD] [HH:[MM:]]ss[.uuuuuu]'`.
+
+**Signature:** `DurationField(max_value=None, min_value=None)`
+
+* `max_value` Validate that the duration provided is no greater than this value.
+* `min_value` Validate that the duration provided is no less than this value.
+
 ---
 
 # Choice selection fields
@@ -314,8 +396,10 @@ Used by `ModelSerializer` to automatically generate fields if the corresponding
 
 **Signature:** `ChoiceField(choices)`
 
-- `choices` - A list of valid values, or a list of `(key, display_name)` tuples.
-- `allow_blank` - If set to `True` then the empty string should be considered a valid value. If set to `False` then the empty string is considered invalid and will raise a validation error. Defaults to `False`.
+* `choices` - A list of valid values, or a list of `(key, display_name)` tuples.
+* `allow_blank` - If set to `True` then the empty string should be considered a valid value. If set to `False` then the empty string is considered invalid and will raise a validation error. Defaults to `False`.
+* `html_cutoff` - If set this will be the maximum number of choices that will be displayed by a HTML select drop down. Can be used to ensure that automatically generated ChoiceFields with very large possible selections do not prevent a template from rendering. Defaults to `None`.
+* `html_cutoff_text` - If set this will display a textual indicator if the maximum number of items have been cutoff in an HTML select drop down. Defaults to `"More than {count} items…"`
 
 Both the `allow_blank` and `allow_null` are valid options on `ChoiceField`, although it is highly recommended that you only use one and not both. `allow_blank` should be preferred for textual choices, and `allow_null` should be preferred for numeric or other non-textual choices.
 
@@ -325,8 +409,10 @@ A field that can accept a set of zero, one or many values, chosen from a limited
 
 **Signature:** `MultipleChoiceField(choices)`
 
-- `choices` - A list of valid values, or a list of `(key, display_name)` tuples.
-- `allow_blank` - If set to `True` then the empty string should be considered a valid value. If set to `False` then the empty string is considered invalid and will raise a validation error. Defaults to `False`.
+* `choices` - A list of valid values, or a list of `(key, display_name)` tuples.
+* `allow_blank` - If set to `True` then the empty string should be considered a valid value. If set to `False` then the empty string is considered invalid and will raise a validation error. Defaults to `False`.
+* `html_cutoff` - If set this will be the maximum number of choices that will be displayed by a HTML select drop down. Can be used to ensure that automatically generated ChoiceFields with very large possible selections do not prevent a template from rendering. Defaults to `None`.
+* `html_cutoff_text` - If set this will display a textual indicator if the maximum number of items have been cutoff in an HTML select drop down. Defaults to `"More than {count} items…"`
 
 As with `ChoiceField`, both the `allow_blank` and `allow_null` options are valid, although it is highly recommended that you only use one and not both. `allow_blank` should be preferred for textual choices, and `allow_null` should be preferred for numeric or other non-textual choices.
 
@@ -347,9 +433,9 @@ Corresponds to `django.forms.fields.FileField`.
 
 **Signature:** `FileField(max_length=None, allow_empty_file=False, use_url=UPLOADED_FILES_USE_URL)`
 
- - `max_length` - Designates the maximum length for the file name.
- - `allow_empty_file` - Designates if empty files are allowed.
-- `use_url` - If set to `True` then URL string values will be used for the output representation. If set to `False` then filename string values will be used for the output representation. Defaults to the value of the `UPLOADED_FILES_USE_URL` settings key, which is `True` unless set otherwise.
+* `max_length` - Designates the maximum length for the file name.
+* `allow_empty_file` - Designates if empty files are allowed.
+* `use_url` - If set to `True` then URL string values will be used for the output representation. If set to `False` then filename string values will be used for the output representation. Defaults to the value of the `UPLOADED_FILES_USE_URL` settings key, which is `True` unless set otherwise.
 
 ## ImageField
 
@@ -359,9 +445,9 @@ Corresponds to `django.forms.fields.ImageField`.
 
 **Signature:** `ImageField(max_length=None, allow_empty_file=False, use_url=UPLOADED_FILES_USE_URL)`
 
- - `max_length` - Designates the maximum length for the file name.
- - `allow_empty_file` - Designates if empty files are allowed.
-- `use_url` - If set to `True` then URL string values will be used for the output representation. If set to `False` then filename string values will be used for the output representation. Defaults to the value of the `UPLOADED_FILES_USE_URL` settings key, which is `True` unless set otherwise.
+* `max_length` - Designates the maximum length for the file name.
+* `allow_empty_file` - Designates if empty files are allowed.
+* `use_url` - If set to `True` then URL string values will be used for the output representation. If set to `False` then filename string values will be used for the output representation. Defaults to the value of the `UPLOADED_FILES_USE_URL` settings key, which is `True` unless set otherwise.
 
 Requires either the `Pillow` package or `PIL` package.  The `Pillow` package is recommended, as `PIL` is no longer actively maintained.
 
@@ -373,9 +459,12 @@ Requires either the `Pillow` package or `PIL` package.  The `Pillow` package is
 
 A field class that validates a list of objects.
 
-**Signature**: `ListField(child)`
+**Signature**: `ListField(child=<A_FIELD_INSTANCE>, allow_empty=True, min_length=None, max_length=None)`
 
-- `child` - A field instance that should be used for validating the objects in the list. If this argument is not provided then objects in the list will not be validated.
+* `child` - A field instance that should be used for validating the objects in the list. If this argument is not provided then objects in the list will not be validated.
+* `allow_empty` - Designates if empty lists are allowed.
+* `min_length` - Validates that the list contains no fewer than this number of elements.
+* `max_length` - Validates that the list contains no more than this number of elements.
 
 For example, to validate a list of integers you might use something like the following:
 
@@ -394,9 +483,10 @@ We can now reuse our custom `StringListField` class throughout our application,
 
 A field class that validates a dictionary of objects. The keys in `DictField` are always assumed to be string values.
 
-**Signature**: `DictField(child)`
+**Signature**: `DictField(child=<A_FIELD_INSTANCE>, allow_empty=True)`
 
-- `child` - A field instance that should be used for validating the values in the dictionary. If this argument is not provided then values in the mapping will not be validated.
+* `child` - A field instance that should be used for validating the values in the dictionary. If this argument is not provided then values in the mapping will not be validated.
+* `allow_empty` - Designates if empty dictionaries are allowed.
 
 For example, to create a field that validates a mapping of strings to strings, you would write something like this:
 
@@ -407,6 +497,26 @@ You can also use the declarative style, as with `ListField`. For example:
     class DocumentField(DictField):
         child = CharField()
 
+## HStoreField
+
+A preconfigured `DictField` that is compatible with Django's postgres `HStoreField`.
+
+**Signature**: `HStoreField(child=<A_FIELD_INSTANCE>, allow_empty=True)`
+
+* `child` - A field instance that is used for validating the values in the dictionary. The default child field accepts both empty strings and null values.
+* `allow_empty` - Designates if empty dictionaries are allowed.
+
+Note that the child field **must** be an instance of `CharField`, as the hstore extension stores values as strings.
+
+## JSONField
+
+A field class that validates that the incoming data structure consists of valid JSON primitives. In its alternate binary mode, it will represent and validate JSON-encoded binary strings.
+
+**Signature**: `JSONField(binary, encoder)`
+
+* `binary` - If set to `True` then the field will output and validate a JSON encoded string, rather than a primitive data structure. Defaults to `False`.
+* `encoder` - Use this JSON encoder to serialize input object. Defaults to `None`.
+
 ---
 
 # Miscellaneous fields
@@ -419,12 +529,12 @@ This field is used by default with `ModelSerializer` when including field names
 
 **Signature**: `ReadOnlyField()`
 
-For example, is `has_expired` was a property on the `Account` model, then the following serializer would automatically generate it as a `ReadOnlyField`:
+For example, if `has_expired` was a property on the `Account` model, then the following serializer would automatically generate it as a `ReadOnlyField`:
 
     class AccountSerializer(serializers.ModelSerializer):
         class Meta:
             model = Account
-            fields = ('id', 'account_name', 'has_expired')
+            fields = ['id', 'account_name', 'has_expired']
 
 ## HiddenField
 
@@ -440,6 +550,12 @@ The `HiddenField` class is usually only needed if you have some validation that
 
 For further examples on `HiddenField` see the [validators](validators.md) documentation.
 
+---
+
+**Note:** `HiddenField()` does not appear in `partial=True` serializer (when making `PATCH` request).
+
+---
+
 ## ModelField
 
 A generic field that can be tied to any arbitrary model field. The `ModelField` class delegates the task of serialization/deserialization to its associated model field.  This field can be used to create serializer fields for custom model fields, without having to create a new custom serializer field.
@@ -456,7 +572,7 @@ This is a read-only field. It gets its value by calling a method on the serializ
 
 **Signature**: `SerializerMethodField(method_name=None)`
 
-- `method_name` - The name of the method on the serializer to be called. If not included this defaults to `get_<field_name>`.
+* `method_name` - The name of the method on the serializer to be called. If not included this defaults to `get_<field_name>`.
 
 The serializer method referred to by the `method_name` argument should accept a single argument (in addition to `self`), which is the object being serialized. It should return whatever you want to be included in the serialized representation of the object. For example:
 
@@ -469,6 +585,7 @@ The serializer method referred to by the `method_name` argument should accept a
 
         class Meta:
             model = User
+            fields = '__all__'
 
         def get_days_since_joined(self, obj):
             return (now() - obj.date_joined).days
@@ -481,15 +598,15 @@ If you want to create a custom field, you'll need to subclass `Field` and then o
 
 The `.to_representation()` method is called to convert the initial datatype into a primitive, serializable datatype.
 
-The `to_internal_value()` method is called to restore a primitive datatype into its internal python representation. This method should raise a `serializers.ValidationError` if the data is invalid.
-
-Note that the `WritableField` class that was present in version 2.x no longer exists. You should subclass `Field` and override `to_internal_value()` if the field supports data input.
+The `.to_internal_value()` method is called to restore a primitive datatype into its internal python representation. This method should raise a `serializers.ValidationError` if the data is invalid.
 
 ## Examples
 
+### A Basic Custom Field
+
 Let's look at an example of serializing a class that represents an RGB color value:
 
-    class Color(object):
+    class Color:
         """
         A color represented in the RGB colorspace.
         """
@@ -502,8 +619,8 @@ Let's look at an example of serializing a class that represents an RGB color val
         """
         Color objects are serialized into 'rgb(#, #, #)' notation.
         """
-        def to_representation(self, obj):
-            return "rgb(%d, %d, %d)" % (obj.red, obj.green, obj.blue)
+        def to_representation(self, value):
+            return "rgb(%d, %d, %d)" % (value.red, value.green, value.blue)
 
         def to_internal_value(self, data):
             data = data.strip('rgb(').rstrip(')')
@@ -512,27 +629,27 @@ Let's look at an example of serializing a class that represents an RGB color val
 
 By default field values are treated as mapping to an attribute on the object.  If you need to customize how the field value is accessed and set you need to override `.get_attribute()` and/or `.get_value()`.
 
-As an example, let's create a field that can be used represent the class name of the object being serialized:
+As an example, let's create a field that can be used to represent the class name of the object being serialized:
 
     class ClassNameField(serializers.Field):
-        def get_attribute(self, obj):
+        def get_attribute(self, instance):
             # We pass the object instance onto `to_representation`,
             # not just the field attribute.
-            return obj
+            return instance
 
-        def to_representation(self, obj):
+        def to_representation(self, value):
             """
-            Serialize the object's class name.
+            Serialize the value's class name.
             """
-            return obj.__class__.__name__
+            return value.__class__.__name__
 
-#### Raising validation errors
+### Raising validation errors
 
 Our `ColorField` class above currently does not perform any data validation.
 To indicate invalid data, we should raise a `serializers.ValidationError`, like so:
 
     def to_internal_value(self, data):
-        if not isinstance(data, six.text_type):
+        if not isinstance(data, str):
             msg = 'Incorrect type. Expected a string, but got %s'
             raise ValidationError(msg % type(data).__name__)
 
@@ -556,8 +673,7 @@ The `.fail()` method is a shortcut for raising `ValidationError` that takes a me
     }
 
     def to_internal_value(self, data):
-        if not isinstance(data, six.text_type):
-            msg = 'Incorrect type. Expected a string, but got %s'
+        if not isinstance(data, str):
             self.fail('incorrect_type', input_type=type(data).__name__)
 
         if not re.match(r'^rgb\([0-9]+,[0-9]+,[0-9]+\)$', data):
@@ -571,7 +687,138 @@ The `.fail()` method is a shortcut for raising `ValidationError` that takes a me
 
         return Color(red, green, blue)
 
-This style keeps you error messages more cleanly separated from your code, and should be preferred.
+This style keeps your error messages cleaner and more separated from your code, and should be preferred.
+
+### Using `source='*'`
+
+Here we'll take an example of a _flat_ `DataPoint` model with `x_coordinate` and `y_coordinate` attributes.
+
+    class DataPoint(models.Model):
+        label = models.CharField(max_length=50)
+        x_coordinate = models.SmallIntegerField()
+        y_coordinate = models.SmallIntegerField()
+
+Using a custom field and `source='*'` we can provide a nested representation of
+the coordinate pair:
+
+    class CoordinateField(serializers.Field):
+
+        def to_representation(self, value):
+            ret = {
+                "x": value.x_coordinate,
+                "y": value.y_coordinate
+            }
+            return ret
+
+        def to_internal_value(self, data):
+            ret = {
+                "x_coordinate": data["x"],
+                "y_coordinate": data["y"],
+            }
+            return ret
+
+
+    class DataPointSerializer(serializers.ModelSerializer):
+        coordinates = CoordinateField(source='*')
+
+        class Meta:
+            model = DataPoint
+            fields = ['label', 'coordinates']
+
+Note that this example doesn't handle validation. Partly for that reason, in a
+real project, the coordinate nesting might be better handled with a nested serializer
+using `source='*'`, with two `IntegerField` instances, each with their own `source`
+pointing to the relevant field.
+
+The key points from the example, though, are:
+
+* `to_representation` is passed the entire `DataPoint` object and must map from that
+to the desired output.
+
+        >>> instance = DataPoint(label='Example', x_coordinate=1, y_coordinate=2)
+        >>> out_serializer = DataPointSerializer(instance)
+        >>> out_serializer.data
+        ReturnDict([('label', 'Example'), ('coordinates', {'x': 1, 'y': 2})])
+
+* Unless our field is to be read-only, `to_internal_value` must map back to a dict
+suitable for updating our target object. With `source='*'`, the return from
+`to_internal_value` will update the root validated data dictionary, rather than a single key.
+
+        >>> data = {
+        ...     "label": "Second Example",
+        ...     "coordinates": {
+        ...         "x": 3,
+        ...         "y": 4,
+        ...     }
+        ... }
+        >>> in_serializer = DataPointSerializer(data=data)
+        >>> in_serializer.is_valid()
+        True
+        >>> in_serializer.validated_data
+        OrderedDict([('label', 'Second Example'),
+                     ('y_coordinate', 4),
+                     ('x_coordinate', 3)])
+
+For completeness lets do the same thing again but with the nested serializer
+approach suggested above:
+
+    class NestedCoordinateSerializer(serializers.Serializer):
+        x = serializers.IntegerField(source='x_coordinate')
+        y = serializers.IntegerField(source='y_coordinate')
+
+
+    class DataPointSerializer(serializers.ModelSerializer):
+        coordinates = NestedCoordinateSerializer(source='*')
+
+        class Meta:
+            model = DataPoint
+            fields = ['label', 'coordinates']
+
+Here the mapping between the target and source attribute pairs (`x` and
+`x_coordinate`, `y` and `y_coordinate`) is handled in the `IntegerField`
+declarations. It's our `NestedCoordinateSerializer` that takes `source='*'`.
+
+Our new `DataPointSerializer` exhibits the same behavior as the custom field
+approach.
+
+Serializing:
+
+    >>> out_serializer = DataPointSerializer(instance)
+    >>> out_serializer.data
+    ReturnDict([('label', 'testing'),
+                ('coordinates', OrderedDict([('x', 1), ('y', 2)]))])
+
+Deserializing:
+
+    >>> in_serializer = DataPointSerializer(data=data)
+    >>> in_serializer.is_valid()
+    True
+    >>> in_serializer.validated_data
+    OrderedDict([('label', 'still testing'),
+                 ('x_coordinate', 3),
+                 ('y_coordinate', 4)])
+
+But we also get the built-in validation for free:
+
+    >>> invalid_data = {
+    ...     "label": "still testing",
+    ...     "coordinates": {
+    ...         "x": 'a',
+    ...         "y": 'b',
+    ...     }
+    ... }
+    >>> invalid_serializer = DataPointSerializer(data=invalid_data)
+    >>> invalid_serializer.is_valid()
+    False
+    >>> invalid_serializer.errors
+    ReturnDict([('coordinates',
+                 {'x': ['A valid integer is required.'],
+                  'y': ['A valid integer is required.']})])
+
+For this reason, the nested serializer approach would be the first to try. You
+would use the custom field approach when the nested serializer becomes infeasible
+or overly complex.
+
 
 # Third party packages
 
@@ -585,27 +832,29 @@ The [drf-compound-fields][drf-compound-fields] package provides "compound" seria
 
 The [drf-extra-fields][drf-extra-fields] package provides extra serializer fields for REST framework, including `Base64ImageField` and `PointField` classes.
 
-## djangrestframework-recursive
+## djangorestframework-recursive
 
 the [djangorestframework-recursive][djangorestframework-recursive] package provides a `RecursiveField` for serializing and deserializing recursive structures
 
 ## django-rest-framework-gis
 
-The [django-rest-framework-gis][django-rest-framework-gis] package provides geographic addons for django rest framework like a  `GeometryField` field and a GeoJSON serializer.
+The [django-rest-framework-gis][django-rest-framework-gis] package provides geographic addons for django rest framework like a `GeometryField` field and a GeoJSON serializer.
 
 ## django-rest-framework-hstore
 
 The [django-rest-framework-hstore][django-rest-framework-hstore] package provides an `HStoreField` to support [django-hstore][django-hstore] `DictionaryField` model field.
 
-[cite]: https://docs.djangoproject.com/en/dev/ref/forms/api/#django.forms.Form.cleaned_data
-[FILE_UPLOAD_HANDLERS]: https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-FILE_UPLOAD_HANDLERS
-[ecma262]: http://ecma-international.org/ecma-262/5.1/#sec-15.9.1.15
-[strftime]: http://docs.python.org/2/library/datetime.html#strftime-and-strptime-behavior
-[django-widgets]: https://docs.djangoproject.com/en/dev/ref/forms/widgets/
-[iso8601]: http://www.w3.org/TR/NOTE-datetime
-[drf-compound-fields]: http://drf-compound-fields.readthedocs.org
+[cite]: https://docs.djangoproject.com/en/stable/ref/forms/api/#django.forms.Form.cleaned_data
+[html-and-forms]: ../topics/html-and-forms.md
+[FILE_UPLOAD_HANDLERS]: https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-FILE_UPLOAD_HANDLERS
+[strftime]: https://docs.python.org/3/library/datetime.html#strftime-and-strptime-behavior
+[iso8601]: https://www.w3.org/TR/NOTE-datetime
+[drf-compound-fields]: https://drf-compound-fields.readthedocs.io
 [drf-extra-fields]: https://github.com/Hipo/drf-extra-fields
 [djangorestframework-recursive]: https://github.com/heywbj/django-rest-framework-recursive
 [django-rest-framework-gis]: https://github.com/djangonauts/django-rest-framework-gis
 [django-rest-framework-hstore]: https://github.com/djangonauts/django-rest-framework-hstore
 [django-hstore]: https://github.com/djangonauts/django-hstore
+[python-decimal-rounding-modes]: https://docs.python.org/3/library/decimal.html#rounding-modes
+[django-current-timezone]: https://docs.djangoproject.com/en/stable/topics/i18n/timezones/#default-time-zone-and-current-time-zone
+[django-docs-select-related]: https://docs.djangoproject.com/en/3.1/ref/models/querysets/#django.db.models.query.QuerySet.select_related

docs/api-guide/filtering.md

@@ -1,4 +1,7 @@
-source: filters.py
+---
+source:
+    - filters.py
+---
 
 # Filtering
 
@@ -42,7 +45,7 @@ Another style of filtering might involve restricting the queryset based on some
 
 For example if your URL config contained an entry like this:
 
-    url('^purchases/(?P<username>.+)/$', PurchaseList.as_view()),
+    re_path('^purchases/(?P<username>.+)/$', PurchaseList.as_view()),
 
 You could then write a view that returned a purchase queryset filtered by the username portion of the URL:
 
@@ -72,7 +75,7 @@ We can override `.get_queryset()` to deal with URLs such as `http://example.com/
             by filtering against a `username` query parameter in the URL.
             """
             queryset = Purchase.objects.all()
-            username = self.request.query_params.get('username', None)
+            username = self.request.query_params.get('username')
             if username is not None:
                 queryset = queryset.filter(purchaser__username=username)
             return queryset
@@ -83,26 +86,30 @@ We can override `.get_queryset()` to deal with URLs such as `http://example.com/
 
 As well as being able to override the default queryset, REST framework also includes support for generic filtering backends that allow you to easily construct complex searches and filters.
 
+Generic filters can also present themselves as HTML controls in the browsable API and admin API.
+
+![Filter Example](../img/filter-controls.png)
+
 ## Setting filter backends
 
-The default filter backends may be set globally, using the `DEFAULT_FILTER_BACKENDS` setting.  For example.
+The default filter backends may be set globally, using the `DEFAULT_FILTER_BACKENDS` setting. For example.
 
     REST_FRAMEWORK = {
-        'DEFAULT_FILTER_BACKENDS': ('rest_framework.filters.DjangoFilterBackend',)
+        'DEFAULT_FILTER_BACKENDS': ['django_filters.rest_framework.DjangoFilterBackend']
     }
 
 You can also set the filter backends on a per-view, or per-viewset basis,
-using the `GenericAPIView` class based views.
+using the `GenericAPIView` class-based views.
 
+    import django_filters.rest_framework
     from django.contrib.auth.models import User
-	from myapp.serializers import UserSerializer
-    from rest_framework import filters
-	from rest_framework import generics
+    from myapp.serializers import UserSerializer
+    from rest_framework import generics
 
     class UserListView(generics.ListAPIView):
         queryset = User.objects.all()
-        serializer = UserSerializer
-        filter_backends = (filters.DjangoFilterBackend,)
+        serializer_class = UserSerializer
+        filter_backends = [django_filters.rest_framework.DjangoFilterBackend]
 
 ## Filtering and object lookups
 
@@ -123,7 +130,7 @@ Note that you can use both an overridden `.get_queryset()` and generic filtering
         """
         model = Product
         serializer_class = ProductSerializer
-        filter_class = ProductFilter
+        filterset_class = ProductFilter
 
         def get_queryset(self):
             user = self.request.user
@@ -135,112 +142,69 @@ Note that you can use both an overridden `.get_queryset()` and generic filtering
 
 ## DjangoFilterBackend
 
-The `DjangoFilterBackend` class supports highly customizable field filtering, using the [django-filter package][django-filter].
+The [`django-filter`][django-filter-docs] library includes a `DjangoFilterBackend` class which
+supports highly customizable field filtering for REST framework.
 
-To use REST framework's `DjangoFilterBackend`, first install `django-filter`.
+To use `DjangoFilterBackend`, first install `django-filter`.
 
     pip install django-filter
 
+Then add `'django_filters'` to Django's `INSTALLED_APPS`:
 
-#### Specifying filter fields
+    INSTALLED_APPS = [
+        ...
+        'django_filters',
+        ...
+    ]
 
-If all you need is simple equality-based filtering, you can set a `filter_fields` attribute on the view, or viewset, listing the set of fields you wish to filter against.
+You should now either add the filter backend to your settings:
+
+    REST_FRAMEWORK = {
+        'DEFAULT_FILTER_BACKENDS': ['django_filters.rest_framework.DjangoFilterBackend']
+    }
+
+Or add the filter backend to an individual View or ViewSet.
+
+    from django_filters.rest_framework import DjangoFilterBackend
+
+    class UserListView(generics.ListAPIView):
+        ...
+        filter_backends = [DjangoFilterBackend]
+
+If all you need is simple equality-based filtering, you can set a `filterset_fields` attribute on the view, or viewset, listing the set of fields you wish to filter against.
 
     class ProductList(generics.ListAPIView):
         queryset = Product.objects.all()
         serializer_class = ProductSerializer
-        filter_fields = ('category', 'in_stock')
+        filter_backends = [DjangoFilterBackend]
+        filterset_fields = ['category', 'in_stock']
 
 This will automatically create a `FilterSet` class for the given fields, and will allow you to make requests such as:
 
     http://example.com/api/products?category=clothing&in_stock=True
 
-#### Specifying a FilterSet
+For more advanced filtering requirements you can specify a `FilterSet` class that should be used by the view.
+You can read more about `FilterSet`s in the [django-filter documentation][django-filter-docs].
+It's also recommended that you read the section on [DRF integration][django-filter-drf-docs].
 
-For more advanced filtering requirements you can specify a `FilterSet` class that should be used by the view.  For example:
-
-    import django_filters
-    from myapp.models import Product
-    from myapp.serializers import ProductSerializer
-    from rest_framework import generics
-
-    class ProductFilter(django_filters.FilterSet):
-        min_price = django_filters.NumberFilter(name="price", lookup_type='gte')
-        max_price = django_filters.NumberFilter(name="price", lookup_type='lte')
-        class Meta:
-            model = Product
-            fields = ['category', 'in_stock', 'min_price', 'max_price']
-
-    class ProductList(generics.ListAPIView):
-        queryset = Product.objects.all()
-        serializer_class = ProductSerializer
-        filter_class = ProductFilter
-
-
-Which will allow you to make requests such as:
-
-    http://example.com/api/products?category=clothing&max_price=10.00
-
-You can also span relationships using `django-filter`, let's assume that each
-product has foreign key to `Manufacturer` model, so we create filter that
-filters using `Manufacturer` name. For example:
-
-    import django_filters
-    from myapp.models import Product
-    from myapp.serializers import ProductSerializer
-    from rest_framework import generics
-
-    class ProductFilter(django_filters.FilterSet):
-        class Meta:
-            model = Product
-            fields = ['category', 'in_stock', 'manufacturer__name']
-
-This enables us to make queries like:
-
-    http://example.com/api/products?manufacturer__name=foo
-
-This is nice, but it exposes the Django's double underscore convention as part of the API.  If you instead want to explicitly name the filter argument you can instead explicitly include it on the `FilterSet` class:
-
-    import django_filters
-    from myapp.models import Product
-    from myapp.serializers import ProductSerializer
-    from rest_framework import generics
-
-    class ProductFilter(django_filters.FilterSet):
-        manufacturer = django_filters.CharFilter(name="manufacturer__name")
-
-        class Meta:
-            model = Product
-            fields = ['category', 'in_stock', 'manufacturer']
-
-And now you can execute:
-
-    http://example.com/api/products?manufacturer=foo
-
-For more details on using filter sets see the [django-filter documentation][django-filter-docs].
-
----
-
-**Hints & Tips**
-
-* By default filtering is not enabled.  If you want to use `DjangoFilterBackend` remember to make sure it is installed by using the `'DEFAULT_FILTER_BACKENDS'` setting.
-* When using boolean fields, you should use the values `True` and `False` in the URL query parameters, rather than `0`, `1`, `true` or `false`.  (The allowed boolean values are currently hardwired in Django's [NullBooleanSelect implementation][nullbooleanselect].)
-* `django-filter` supports filtering across relationships, using Django's double-underscore syntax.
-* For Django 1.3 support, make sure to install `django-filter` version 0.5.4, as later versions drop support for 1.3.
-
----
 
 ## SearchFilter
 
 The `SearchFilter` class supports simple single query parameter based searching, and is based on the [Django admin's search functionality][search-django-admin].
 
+When in use, the browsable API will include a `SearchFilter` control:
+
+![Search Filter](../img/search-filter.png)
+
 The `SearchFilter` class will only be applied if the view has a `search_fields` attribute set.  The `search_fields` attribute should be a list of names of text type fields on the model, such as `CharField` or `TextField`.
 
+    from rest_framework import filters
+
     class UserListView(generics.ListAPIView):
         queryset = User.objects.all()
-        serializer = UserSerializer
-        filter_backends = (filters.SearchFilter,)
-        search_fields = ('username', 'email')
+        serializer_class = UserSerializer
+        filter_backends = [filters.SearchFilter]
+        search_fields = ['username', 'email']
 
 This will allow the client to filter the items in the list by making queries such as:
 
@@ -248,21 +212,40 @@ This will allow the client to filter the items in the list by making queries suc
 
 You can also perform a related lookup on a ForeignKey or ManyToManyField with the lookup API double-underscore notation:
 
-    search_fields = ('username', 'email', 'profile__profession')
+    search_fields = ['username', 'email', 'profile__profession']
 
-By default, searches will use case-insensitive partial matches.  The search parameter may contain multiple search terms, which should be whitespace and/or comma separated.  If multiple search terms are used then objects will be returned in the list only if all the provided terms are matched.
+For [JSONField][JSONField] and [HStoreField][HStoreField] fields you can filter based on nested values within the data structure using the same double-underscore notation:
 
-The search behavior may be restricted by prepending various characters to the `search_fields`.
+    search_fields = ['data__breed', 'data__owner__other_pets__0__name']
 
-* '^' Starts-with search.
-* '=' Exact matches.
-* '@' Full-text search.  (Currently only supported Django's MySQL backend.)
+By default, searches will use case-insensitive partial matches. The search parameter may contain multiple search terms, which should be whitespace and/or comma separated. If multiple search terms are used then objects will be returned in the list only if all the provided terms are matched. Searches may contain _quoted phrases_ with spaces, each phrase is considered as a single search term.
+
+
+The search behavior may be specified by prefixing field names in `search_fields` with one of the following characters (which is equivalent to adding `__<lookup>` to the field):
+
+| Prefix | Lookup        |                    |
+| ------ | --------------| ------------------ |
+| `^`    | `istartswith` | Starts-with search.|
+| `=`    | `iexact`      | Exact matches.     |
+| `$`    | `iregex`      | Regex search.      |
+| `@`    | `search`      | Full-text search (Currently only supported Django's [PostgreSQL backend][postgres-search]). |
+| None   | `icontains`   | Contains search (Default).  |
 
 For example:
 
-    search_fields = ('=username', '=email')
+    search_fields = ['=username', '=email']
 
-By default, the search parameter is named `'search`', but this may be overridden with the `SEARCH_PARAM` setting.
+By default, the search parameter is named `'search'`, but this may be overridden with the `SEARCH_PARAM` setting.
+
+To dynamically change search fields based on request content, it's possible to subclass the `SearchFilter` and override the `get_search_fields()` function. For example, the following subclass will only search on `title` if the query parameter `title_only` is in the request:
+
+    from rest_framework import filters
+
+    class CustomSearchFilter(filters.SearchFilter):
+        def get_search_fields(self, view, request):
+            if request.query_params.get('title_only'):
+                return ['title']
+            return super().get_search_fields(view, request)
 
 For more details, see the [Django documentation][search-django-admin].
 
@@ -270,7 +253,11 @@ For more details, see the [Django documentation][search-django-admin].
 
 ## OrderingFilter
 
-The `OrderingFilter` class supports simple query parameter controlled ordering of results.  By default, the query parameter is named `'ordering'`, but this may by overridden with the `ORDERING_PARAM` setting.
+The `OrderingFilter` class supports simple query parameter controlled ordering of results.
+
+![Ordering Filter](../img/ordering-filter.png)
+
+By default, the query parameter is named `'ordering'`, but this may be overridden with the `ORDERING_PARAM` setting.
 
 For example, to order users by username:
 
@@ -286,13 +273,13 @@ Multiple orderings may also be specified:
 
 ### Specifying which fields may be ordered against
 
-It's recommended that you explicitly specify which fields the API should allowing in the ordering filter.  You can do this by setting an `ordering_fields` attribute on the view, like so:
+It's recommended that you explicitly specify which fields the API should allow in the ordering filter.  You can do this by setting an `ordering_fields` attribute on the view, like so:
 
     class UserListView(generics.ListAPIView):
         queryset = User.objects.all()
         serializer_class = UserSerializer
-        filter_backends = (filters.OrderingFilter,)
-        ordering_fields = ('username', 'email')
+        filter_backends = [filters.OrderingFilter]
+        ordering_fields = ['username', 'email']
 
 This helps prevent unexpected data leakage, such as allowing users to order against a password hash field or other sensitive data.
 
@@ -303,7 +290,7 @@ If you are confident that the queryset being used by the view doesn't contain an
     class BookingsListView(generics.ListAPIView):
         queryset = Booking.objects.all()
         serializer_class = BookingSerializer
-        filter_backends = (filters.OrderingFilter,)
+        filter_backends = [filters.OrderingFilter]
         ordering_fields = '__all__'
 
 ### Specifying a default ordering
@@ -315,57 +302,14 @@ Typically you'd instead control this by setting `order_by` on the initial querys
     class UserListView(generics.ListAPIView):
         queryset = User.objects.all()
         serializer_class = UserSerializer
-        filter_backends = (filters.OrderingFilter,)
-        ordering_fields = ('username', 'email')
-        ordering = ('username',)
+        filter_backends = [filters.OrderingFilter]
+        ordering_fields = ['username', 'email']
+        ordering = ['username']
 
 The `ordering` attribute may be either a string or a list/tuple of strings.
 
 ---
 
-## DjangoObjectPermissionsFilter
-
-The `DjangoObjectPermissionsFilter` is intended to be used together with the [`django-guardian`][guardian] package, with custom `'view'` permissions added.  The filter will ensure that querysets only returns objects for which the user has the appropriate view permission.
-
-This filter class must be used with views that provide either a `queryset` or a `model` attribute.
-
-If you're using `DjangoObjectPermissionsFilter`, you'll probably also want to add an appropriate object permissions class, to ensure that users can only operate on instances if they have the appropriate object permissions.  The easiest way to do this is to subclass `DjangoObjectPermissions` and add `'view'` permissions to the `perms_map` attribute.
-
-A complete example using both `DjangoObjectPermissionsFilter` and `DjangoObjectPermissions` might look something like this.
-
-**permissions.py**:
-
-    class CustomObjectPermissions(permissions.DjangoObjectPermissions):
-		"""
-		Similar to `DjangoObjectPermissions`, but adding 'view' permissions.
-		"""
-        perms_map = {
-            'GET': ['%(app_label)s.view_%(model_name)s'],
-            'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
-            'HEAD': ['%(app_label)s.view_%(model_name)s'],
-            'POST': ['%(app_label)s.add_%(model_name)s'],
-            'PUT': ['%(app_label)s.change_%(model_name)s'],
-            'PATCH': ['%(app_label)s.change_%(model_name)s'],
-            'DELETE': ['%(app_label)s.delete_%(model_name)s'],
-        }
-
-**views.py**:
-
-    class EventViewSet(viewsets.ModelViewSet):
-    	"""
-    	Viewset that only lists events if user has 'view' permissions, and only
-    	allows operations on individual events if user has appropriate 'view', 'add',
-    	'change' or 'delete' permissions.
-		"""
-        queryset = Event.objects.all()
-        serializer = EventSerializer
-        filter_backends = (filters.DjangoObjectPermissionsFilter,)
-        permission_classes = (myapp.permissions.CustomObjectPermissions,)
-
-For more information on adding `'view'` permissions for models, see the [relevant section][view-permissions] of the `django-guardian` documentation, and [this blogpost][view-permissions-blogpost].
-
----
-
 # Custom generic filtering
 
 You can also provide your own generic filtering backend, or write an installable app for other developers to use.
@@ -387,6 +331,14 @@ For example, you might need to restrict users to only being able to see objects
 
 We could achieve the same behavior by overriding `get_queryset()` on the views, but using a filter backend allows you to more easily add this restriction to multiple views, or to apply it across the entire API.
 
+## Customizing the interface
+
+Generic filters may also present an interface in the browsable API. To do so you should implement a `to_html()` method which returns a rendered HTML representation of the filter. This method should have the following signature:
+
+`to_html(self, request, queryset, view)`
+
+The method should return a rendered HTML string.
+
 # Third party packages
 
 The following third party packages provide additional filter implementations.
@@ -399,13 +351,22 @@ The [django-rest-framework-filters package][django-rest-framework-filters] works
 
 The [djangorestframework-word-filter][django-rest-framework-word-search-filter] developed as alternative to `filters.SearchFilter` which will search full word in text, or exact match.
 
-[cite]: https://docs.djangoproject.com/en/dev/topics/db/queries/#retrieving-specific-objects-with-filters
-[django-filter]: https://github.com/alex/django-filter
-[django-filter-docs]: https://django-filter.readthedocs.org/en/latest/index.html
-[guardian]: https://django-guardian.readthedocs.org/
-[view-permissions]: https://django-guardian.readthedocs.org/en/latest/userguide/assign.html
-[view-permissions-blogpost]: http://blog.nyaruka.com/adding-a-view-permission-to-django-models
-[nullbooleanselect]: https://github.com/django/django/blob/master/django/forms/widgets.py
-[search-django-admin]: https://docs.djangoproject.com/en/dev/ref/contrib/admin/#django.contrib.admin.ModelAdmin.search_fields
+## Django URL Filter
+
+[django-url-filter][django-url-filter] provides a safe way to filter data via human-friendly URLs. It works very similar to DRF serializers and fields in a sense that they can be nested except they are called filtersets and filters. That provides easy way to filter related data. Also this library is generic-purpose so it can be used to filter other sources of data and not only Django `QuerySet`s.
+
+## drf-url-filters
+
+[drf-url-filter][drf-url-filter] is a simple Django app to apply filters on drf `ModelViewSet`'s `Queryset` in a clean, simple and configurable way. It also supports validations on incoming query params and their values. A beautiful python package `Voluptuous` is being used for validations on the incoming query parameters. The best part about voluptuous is you can define your own validations as per your query params requirements.
+
+[cite]: https://docs.djangoproject.com/en/stable/topics/db/queries/#retrieving-specific-objects-with-filters
+[django-filter-docs]: https://django-filter.readthedocs.io/en/latest/index.html
+[django-filter-drf-docs]: https://django-filter.readthedocs.io/en/latest/guide/rest_framework.html
+[search-django-admin]: https://docs.djangoproject.com/en/stable/ref/contrib/admin/#django.contrib.admin.ModelAdmin.search_fields
 [django-rest-framework-filters]: https://github.com/philipn/django-rest-framework-filters
 [django-rest-framework-word-search-filter]: https://github.com/trollknurr/django-rest-framework-word-search-filter
+[django-url-filter]: https://github.com/miki725/django-url-filter
+[drf-url-filter]: https://github.com/manjitkumar/drf-url-filters
+[HStoreField]: https://docs.djangoproject.com/en/3.0/ref/contrib/postgres/fields/#hstorefield
+[JSONField]: https://docs.djangoproject.com/en/3.0/ref/contrib/postgres/fields/#jsonfield
+[postgres-search]: https://docs.djangoproject.com/en/stable/ref/contrib/postgres/search/

docs/api-guide/format-suffixes.md

@@ -1,4 +1,7 @@
-source: urlpatterns.py
+---
+source:
+    - urlpatterns.py
+---
 
 # Format suffixes
 
@@ -20,8 +23,8 @@ Returns a URL pattern list which includes format suffix patterns appended to eac
 Arguments:
 
 * **urlpatterns**: Required.  A URL pattern list.
-* **suffix_required**:  Optional.  A boolean indicating if suffixes in the URLs should be optional or mandatory.  Defaults to `False`, meaning that suffixes are optional by default.
-* **allowed**:  Optional.  A list or tuple of valid format suffixes.  If not provided, a wildcard format suffix pattern will be used.
+* **suffix_required**: Optional.  A boolean indicating if suffixes in the URLs should be optional or mandatory.  Defaults to `False`, meaning that suffixes are optional by default.
+* **allowed**: Optional.  A list or tuple of valid format suffixes.  If not provided, a wildcard format suffix pattern will be used.
 
 Example:
 
@@ -29,20 +32,20 @@ Example:
     from blog import views
 
     urlpatterns = [
-        url(r'^/$', views.apt_root),
-        url(r'^comments/$', views.comment_list),
-        url(r'^comments/(?P<pk>[0-9]+)/$', views.comment_detail)
+        path('', views.apt_root),
+        path('comments/', views.comment_list),
+        path('comments/<int:pk>/', views.comment_detail)
     ]
 
     urlpatterns = format_suffix_patterns(urlpatterns, allowed=['json', 'html'])
 
 When using `format_suffix_patterns`, you must make sure to add the `'format'` keyword argument to the corresponding views.  For example:
 
-    @api_view(('GET', 'POST'))
+    @api_view(['GET', 'POST'])
     def comment_list(request, format=None):
         # do stuff...
 
-Or with class based views:
+Or with class-based views:
 
     class CommentList(APIView):
         def get(self, request, format=None):
@@ -59,7 +62,7 @@ Also note that `format_suffix_patterns` does not support descending into `includ
 
 If using the `i18n_patterns` function provided by Django, as well as `format_suffix_patterns` you should make sure that the `i18n_patterns` function is applied as the final, or outermost function. For example:
 
-    url patterns = [
+    urlpatterns = [
         …
     ]
 
@@ -69,6 +72,16 @@ If using the `i18n_patterns` function provided by Django, as well as `format_suf
 
 ---
 
+## Query parameter formats
+
+An alternative to the format suffixes is to include the requested format in a query parameter. REST framework provides this option by default, and it is used in the browsable API to switch between differing available representations.
+
+To select a representation using its short format, use the `format` query parameter. For example: `http://example.com/organizations/?format=csv`.
+
+The name of this query parameter can be modified using the `URL_FORMAT_OVERRIDE` setting. Set the value to `None` to disable this behavior.
+
+---
+
 ## Accept headers vs. format suffixes
 
 There seems to be a view among some of the Web community that filename extensions are not a RESTful pattern, and that `HTTP Accept` headers should always be used instead.
@@ -80,4 +93,4 @@ It is actually a misconception.  For example, take the following quote from Roy
 The quote does not mention Accept headers, but it does make it clear that format suffixes should be considered an acceptable pattern.
 
 [cite]: http://tech.groups.yahoo.com/group/rest-discuss/message/5857
-[cite2]: http://tech.groups.yahoo.com/group/rest-discuss/message/14844
+[cite2]: https://groups.yahoo.com/neo/groups/rest-discuss/conversations/topics/14844

docs/api-guide/generic-views.md

@@ -1,5 +1,8 @@
-source: mixins.py
-        generics.py
+---
+source:
+    - mixins.py
+    - generics.py
+---
 
 # Generic views
 
@@ -7,7 +10,7 @@ source: mixins.py
 >
 > — [Django Documentation][cite]
 
-One of the key benefits of class based views is the way they allow you to compose bits of reusable behavior.  REST framework takes advantage of this by providing a number of pre-built views that provide for commonly used patterns.
+One of the key benefits of class-based views is the way they allow you to compose bits of reusable behavior.  REST framework takes advantage of this by providing a number of pre-built views that provide for commonly used patterns.
 
 The generic views provided by REST framework allow you to quickly build API views that map closely to your database models.
 
@@ -25,23 +28,14 @@ Typically when using the generic views, you'll override the view, and set severa
     class UserList(generics.ListCreateAPIView):
         queryset = User.objects.all()
         serializer_class = UserSerializer
-        permission_classes = (IsAdminUser,)
-        paginate_by = 100
+        permission_classes = [IsAdminUser]
 
 For more complex cases you might also want to override various methods on the view class.  For example.
 
     class UserList(generics.ListCreateAPIView):
         queryset = User.objects.all()
         serializer_class = UserSerializer
-        permission_classes = (IsAdminUser,)
-
-        def get_paginate_by(self):
-            """
-            Use smaller pagination for HTML representations.
-            """
-            if self.request.accepted_renderer.format == 'html':
-                return 20
-            return 100
+        permission_classes = [IsAdminUser]
 
         def list(self, request):
             # Note the use of `get_queryset()` instead of `self.queryset`
@@ -51,7 +45,7 @@ For more complex cases you might also want to override various methods on the vi
 
 For very simple cases you might want to pass through any class attributes using the `.as_view()` method.  For example, your URLconf might include something like the following entry:
 
-    url(r'^/users/', ListCreateAPIView.as_view(queryset=User.objects.all(), serializer_class=UserSerializer), name='user-list')
+    path('users/', ListCreateAPIView.as_view(queryset=User.objects.all(), serializer_class=UserSerializer), name='user-list')
 
 ---
 
@@ -71,16 +65,14 @@ The following attributes control the basic view behavior.
 
 * `queryset` - The queryset that should be used for returning objects from this view.  Typically, you must either set this attribute, or override the `get_queryset()` method. If you are overriding a view method, it is important that you call `get_queryset()` instead of accessing this property directly, as `queryset` will get evaluated once, and those results will be cached for all subsequent requests.
 * `serializer_class` - The serializer class that should be used for validating and deserializing input, and for serializing output.  Typically, you must either set this attribute, or override the `get_serializer_class()` method.
-* `lookup_field` - The model field that should be used to for performing object lookup of individual model instances.  Defaults to `'pk'`.  Note that when using hyperlinked APIs you'll need to ensure that *both* the API views *and* the serializer classes set the lookup fields if you need to use a custom value.
+* `lookup_field` - The model field that should be used for performing object lookup of individual model instances.  Defaults to `'pk'`.  Note that when using hyperlinked APIs you'll need to ensure that *both* the API views *and* the serializer classes set the lookup fields if you need to use a custom value.
 * `lookup_url_kwarg` - The URL keyword argument that should be used for object lookup.  The URL conf should include a keyword argument corresponding to this value.  If unset this defaults to using the same value as `lookup_field`.
 
 **Pagination**:
 
 The following attributes are used to control pagination when used with list views.
 
-* `pagination_class` - The pagination class that should be used when paginating list results. Defaults to the same value as the `DEFAULT_PAGINATION_CLASS` setting, which is `'rest_framework.pagination.PageNumberPagination'`.
-
-Note that usage of the `paginate_by`, `paginate_by_param` and `page_kwarg` attributes are now pending deprecation. The `pagination_serializer_class` attribute and `DEFAULT_PAGINATION_SERIALIZER_CLASS` setting have been removed completely. Pagination settings should instead be controlled by overriding a pagination class and setting any configuration attributes there. See the pagination documentation for more details.
+* `pagination_class` - The pagination class that should be used when paginating list results. Defaults to the same value as the `DEFAULT_PAGINATION_CLASS` setting, which is `'rest_framework.pagination.PageNumberPagination'`. Setting `pagination_class=None` will disable pagination on this view.
 
 **Filtering**:
 
@@ -104,6 +96,12 @@ For example:
         user = self.request.user
         return user.accounts.all()
 
+---
+
+**Note:** If the `serializer_class` used in the generic view spans orm relations, leading to an n+1 problem, you could optimize your queryset in this method using `select_related` and `prefetch_related`. To get more information about n+1 problem and use cases of the mentioned methods refer to related section in [django documentation][django-docs-select-related].
+
+---
+
 #### `get_object(self)`
 
 Returns an object instance that should be used for detail views.  Defaults to using the `lookup_field` parameter to filter the base queryset.
@@ -124,21 +122,24 @@ For example:
 
 Note that if your API doesn't include any object level permissions, you may optionally exclude the `self.check_object_permissions`, and simply return the object from the `get_object_or_404` lookup.
 
-#### `get_filter_backends(self)`
+#### `filter_queryset(self, queryset)`
 
-Returns the classes that should be used to filter the queryset. Defaults to returning the `filter_backends` attribute.
-
-May be overridden to provide more complex behavior with filters, such as using different (or even exclusive) lists of filter_backends depending on different criteria.
+Given a queryset, filter it with whichever filter backends are in use, returning a new queryset.
 
 For example:
 
-    def get_filter_backends(self):
-        if "geo_route" in self.request.query_params:
-            return (GeoRouteFilter, CategoryFilter)
-        elif "geo_point" in self.request.query_params:
-            return (GeoPointFilter, CategoryFilter)
+    def filter_queryset(self, queryset):
+        filter_backends = [CategoryFilter]
 
-        return (CategoryFilter,)
+        if 'geo_route' in self.request.query_params:
+            filter_backends = [GeoRouteFilter, CategoryFilter]
+        elif 'geo_point' in self.request.query_params:
+            filter_backends = [GeoPointFilter, CategoryFilter]
+
+        for backend in list(filter_backends):
+            queryset = backend().filter_queryset(self.request, queryset, view=self)
+
+        return queryset
 
 #### `get_serializer_class(self)`
 
@@ -153,19 +154,6 @@ For example:
             return FullAccountSerializer
         return BasicAccountSerializer
 
-#### `get_paginate_by(self)`
-
-Returns the page size to use with pagination.  By default this uses the `paginate_by` attribute, and may be overridden by the client if the `paginate_by_param` attribute is set.
-
-You may want to override this method to provide more complex behavior, such as modifying page sizes based on the media type of the response.
-
-For example:
-
-    def get_paginate_by(self):
-        if self.request.accepted_renderer.format == 'html':
-            return 20
-        return 100
-
 **Save and deletion hooks**:
 
 The following methods are provided by the mixin classes, and provide easy overriding of the object save or deletion behavior.
@@ -185,14 +173,20 @@ These override points are also particularly useful for adding behavior that occu
         instance = serializer.save()
         send_email_confirmation(user=self.request.user, modified=instance)
 
-**Note**: These methods replace the old-style version 2.x `pre_save`, `post_save`, `pre_delete` and `post_delete` methods, which are no longer available.
+You can also use these hooks to provide additional validation, by raising a `ValidationError()`. This can be useful if you need some validation logic to apply at the point of database save. For example:
+
+    def perform_create(self, serializer):
+        queryset = SignupRequest.objects.filter(user=self.request.user)
+        if queryset.exists():
+            raise ValidationError('You have already signed up')
+        serializer.save(user=self.request.user)
 
 **Other methods**:
 
 You won't typically need to override the following methods, although you might need to call into them if you're writing custom views using `GenericAPIView`.
 
 * `get_serializer_context(self)` - Returns a dictionary containing any extra context that should be supplied to the serializer.  Defaults to including `'request'`, `'view'` and `'format'` keys.
-* `get_serializer(self, instance=None, data=None, files=None, many=False, partial=False, allow_add_remove=False)` - Returns a serializer instance.
+* `get_serializer(self, instance=None, data=None, many=False, partial=False)` - Returns a serializer instance.
 * `get_paginated_response(self, data)` - Returns a paginated style `Response` object.
 * `paginate_queryset(self, queryset)` - Paginate a queryset if required, either returning a page object, or `None` if pagination is not configured for this view.
 * `filter_queryset(self, queryset)` - Given a queryset, filter it with whichever filter backends are in use, returning a new queryset.
@@ -223,7 +217,7 @@ If the request data provided for creating the object was invalid, a `400 Bad Req
 
 Provides a `.retrieve(request, *args, **kwargs)` method, that implements returning an existing model instance in a response.
 
-If an object can be retrieved this returns a `200 OK` response, with a serialized representation of the object as the body of the response.  Otherwise it will return a `404 Not Found`.
+If an object can be retrieved this returns a `200 OK` response, with a serialized representation of the object as the body of the response.  Otherwise, it will return a `404 Not Found`.
 
 ## UpdateModelMixin
 
@@ -233,8 +227,6 @@ Also provides a `.partial_update(request, *args, **kwargs)` method, which is sim
 
 If an object is updated this returns a `200 OK` response, with a serialized representation of the object as the body of the response.
 
-If an object is created, for example when making a `DELETE` request followed by a `PUT` request to the same URL, this returns a `201 Created` response, with a serialized representation of the object as the body of the response.
-
 If the request data provided for updating the object was invalid, a `400 Bad Request` response will be returned, with the error details as the body of the response.
 
 ## DestroyModelMixin
@@ -333,7 +325,7 @@ Often you'll want to use the existing generic views, but use some slightly custo
 
 For example, if you need to lookup objects based on multiple fields in the URL conf, you could create a mixin class like the following:
 
-    class MultipleFieldLookupMixin(object):
+    class MultipleFieldLookupMixin:
         """
         Apply this mixin to any view or viewset to get multiple field filtering
         based on a `lookup_fields` attribute, instead of the default single field filtering.
@@ -343,15 +335,18 @@ For example, if you need to lookup objects based on multiple fields in the URL c
             queryset = self.filter_queryset(queryset)  # Apply any filter backends
             filter = {}
             for field in self.lookup_fields:
-                filter[field] = self.kwargs[field]
-            return get_object_or_404(queryset, **filter)  # Lookup the object
+                if self.kwargs.get(field): # Ignore empty fields.
+                    filter[field] = self.kwargs[field]
+            obj = get_object_or_404(queryset, **filter)  # Lookup the object
+            self.check_object_permissions(self.request, obj)
+            return obj
 
 You can then simply apply this mixin to a view or viewset anytime you need to apply the custom behavior.
 
     class RetrieveUserView(MultipleFieldLookupMixin, generics.RetrieveAPIView):
         queryset = User.objects.all()
         serializer_class = UserSerializer
-        lookup_fields = ('account', 'username')
+        lookup_fields = ['account', 'username']
 
 Using custom mixins is a good option if you have custom behavior that needs to be used.
 
@@ -387,16 +382,17 @@ If you need to generic PUT-as-create behavior you may want to include something
 
 The following third party packages provide additional generic view implementations.
 
-## Django REST Framework bulk
+## Django Rest Multiple Models
 
-The [django-rest-framework-bulk package][django-rest-framework-bulk] implements generic view mixins as well as some common concrete generic views to allow to apply bulk operations via API requests.
+[Django Rest Multiple Models][django-rest-multiple-models] provides a generic view (and mixin) for sending multiple serialized models and/or querysets via a single API request.
 
 
-[cite]: https://docs.djangoproject.com/en/dev/ref/class-based-views/#base-vs-generic-views
+[cite]: https://docs.djangoproject.com/en/stable/ref/class-based-views/#base-vs-generic-views
 [GenericAPIView]: #genericapiview
 [ListModelMixin]: #listmodelmixin
 [CreateModelMixin]: #createmodelmixin
 [RetrieveModelMixin]: #retrievemodelmixin
 [UpdateModelMixin]: #updatemodelmixin
 [DestroyModelMixin]: #destroymodelmixin
-[django-rest-framework-bulk]: https://github.com/miki725/django-rest-framework-bulk
+[django-rest-multiple-models]: https://github.com/MattBroach/DjangoRestMultipleModels
+[django-docs-select-related]: https://docs.djangoproject.com/en/3.1/ref/models/querysets/#django.db.models.query.QuerySet.select_related

docs/api-guide/metadata.md

@@ -1,4 +1,7 @@
-source: metadata.py
+---
+source:
+    - metadata.py
+---
 
 # Metadata
 
@@ -67,8 +70,8 @@ If you have specific requirements for creating schema endpoints that are accesse
 
 For example, the following additional route could be used on a viewset to provide a linkable schema endpoint.
 
-    @list_route(methods=['GET'])
-    def schema(self, request):
+    @action(methods=['GET'], detail=False)
+    def api_schema(self, request):
         meta = self.metadata_class()
         data = meta.determine_metadata(request, self)
         return Response(data)
@@ -98,6 +101,24 @@ The following class could be used to limit the information that is returned to `
                 'description': view.get_view_description()
             }
 
-[cite]: http://tools.ietf.org/html/rfc7231#section-4.3.7
+Then configure your settings to use this custom class:
+
+    REST_FRAMEWORK = {
+        'DEFAULT_METADATA_CLASS': 'myproject.apps.core.MinimalMetadata'
+    }
+
+# Third party packages
+
+The following third party packages provide additional metadata implementations.
+
+## DRF-schema-adapter
+
+[drf-schema-adapter][drf-schema-adapter] is a set of tools that makes it easier to provide schema information to frontend frameworks and libraries. It provides a metadata mixin as well as 2 metadata classes and several adapters suitable to generate [json-schema][json-schema] as well as schema information readable by various libraries.
+
+You can also write your own adapter to work with your specific frontend.
+If you wish to do so, it also provides an exporter that can export those schema information to json files.
+
+[cite]: https://tools.ietf.org/html/rfc7231#section-4.3.7
 [no-options]: https://www.mnot.net/blog/2012/10/29/NO_OPTIONS
-[json-schema]: http://json-schema.org/
+[json-schema]: https://json-schema.org/
+[drf-schema-adapter]: https://github.com/drf-forms/drf-schema-adapter

docs/api-guide/pagination.md

@@ -1,4 +1,7 @@
-source: pagination.py
+---
+source:
+    - pagination.py
+---
 
 # Pagination
 
@@ -15,16 +18,21 @@ The pagination API can support either:
 
 The built-in styles currently all use links included as part of the content of the response. This style is more accessible when using the browsable API.
 
-Pagination is only performed automatically if you're using the generic views or viewsets. If you're using a regular `APIView`, you'll need to call into the pagination API yourself to ensure you return a paginated response. See the source code for the `mixins.ListMixin` and `generics.GenericAPIView` classes for an example.
+Pagination is only performed automatically if you're using the generic views or viewsets. If you're using a regular `APIView`, you'll need to call into the pagination API yourself to ensure you return a paginated response. See the source code for the `mixins.ListModelMixin` and `generics.GenericAPIView` classes for an example.
+
+Pagination can be turned off by setting the pagination class to `None`.
 
 ## Setting the pagination style
 
-The default pagination style may be set globally, using the `DEFAULT_PAGINATION_CLASS` settings key. For example, to use the built-in limit/offset pagination, you would do:
+The pagination style may be set globally, using the `DEFAULT_PAGINATION_CLASS` and `PAGE_SIZE` setting keys. For example, to use the built-in limit/offset pagination, you would do something like this:
 
     REST_FRAMEWORK = {
-        'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.LimitOffsetPagination'
+        'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.LimitOffsetPagination',
+        'PAGE_SIZE': 100
     }
 
+Note that you need to set both the pagination class, and the page size that should be used.  Both `DEFAULT_PAGINATION_CLASS` and `PAGE_SIZE` are `None` by default.
+
 You can also set the pagination class on an individual view by using the `pagination_class` attribute. Typically you'll want to use the same pagination style throughout your API, although you might want to vary individual aspects of the pagination, such as default or maximum page size, on a per-view basis.
 
 ## Modifying the pagination style
@@ -41,18 +49,18 @@ If you want to modify particular aspects of the pagination style, you'll want to
         page_size_query_param = 'page_size'
         max_page_size = 1000
 
-You can then apply your new style to a view using the `.pagination_class` attribute:
+You can then apply your new style to a view using the `pagination_class` attribute:
 
     class BillingRecordsView(generics.ListAPIView):
         queryset = Billing.objects.all()
-        serializer = BillingRecordsSerializer
+        serializer_class = BillingRecordsSerializer
         pagination_class = LargeResultsSetPagination
 
 Or apply the style globally, using the `DEFAULT_PAGINATION_CLASS` settings key. For example:
 
     REST_FRAMEWORK = {
         'DEFAULT_PAGINATION_CLASS': 'apps.core.pagination.StandardResultsSetPagination'
-        }
+    }
 
 ---
 
@@ -70,7 +78,7 @@ This pagination style accepts a single number page number in the request query p
 
     HTTP 200 OK
     {
-        "count": 1023
+        "count": 1023,
         "next": "https://api.example.org/accounts/?page=5",
         "previous": "https://api.example.org/accounts/?page=3",
         "results": [
@@ -80,7 +88,7 @@ This pagination style accepts a single number page number in the request query p
 
 #### Setup
 
-To enable the `PageNumberPagination` style globally, use the following configuration, modifying the `PAGE_SIZE` as desired:
+To enable the `PageNumberPagination` style globally, use the following configuration, and set the `PAGE_SIZE` as desired:
 
     REST_FRAMEWORK = {
         'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',
@@ -95,6 +103,7 @@ The `PageNumberPagination` class includes a number of attributes that may be ove
 
 To set these attributes you should override the `PageNumberPagination` class, and then enable your custom pagination class as above.
 
+* `django_paginator_class` - The Django Paginator class to use. Default is `django.core.paginator.Paginator`, which should be fine for most use cases.
 * `page_size` - A numeric value indicating the page size. If set, this overrides the `PAGE_SIZE` setting. Defaults to the same value as the `PAGE_SIZE` settings key.
 * `page_query_param` - A string value indicating the name of the query parameter to use for the pagination control.
 * `page_size_query_param` - If set, this is a string value indicating the name of a query parameter that allows the client to set the page size on a per-request basis. Defaults to `None`, indicating that the client may not control the requested page size.
@@ -106,7 +115,7 @@ To set these attributes you should override the `PageNumberPagination` class, an
 
 ## LimitOffsetPagination
 
-This pagination style mirrors the syntax used when looking up multiple database records. The client includes both a "limit" and an 
+This pagination style mirrors the syntax used when looking up multiple database records. The client includes both a "limit" and an
 "offset" query parameter. The limit indicates the maximum number of items to return, and is equivalent to the `page_size` in other styles. The offset indicates the starting position of the query in relation to the complete set of unpaginated items.
 
 **Request**:
@@ -117,7 +126,7 @@ This pagination style mirrors the syntax used when looking up multiple database
 
     HTTP 200 OK
     {
-        "count": 1023
+        "count": 1023,
         "next": "https://api.example.org/accounts/?limit=100&offset=500",
         "previous": "https://api.example.org/accounts/?limit=100&offset=300",
         "results": [
@@ -173,9 +182,13 @@ Proper usage of cursor pagination should have an ordering field that satisfies t
 * Should be an unchanging value, such as a timestamp, slug, or other field that is only set once, on creation.
 * Should be unique, or nearly unique. Millisecond precision timestamps are a good example. This implementation of cursor pagination uses a smart "position plus offset" style that allows it to properly support not-strictly-unique values as the ordering.
 * Should be a non-nullable value that can be coerced to a string.
+* Should not be a float. Precision errors easily lead to incorrect results.
+  Hint: use decimals instead.
+  (If you already have a float field and must paginate on that, an
+  [example `CursorPagination` subclass that uses decimals to limit precision is available here][float_cursor_pagination_example].)
 * The field should have a database index.
 
-Using an ordering field that does not satisfy these constraints will generally still work, but you'll be loosing some of the benefits of cursor pagination.
+Using an ordering field that does not satisfy these constraints will generally still work, but you'll be losing some of the benefits of cursor pagination.
 
 For more technical details on the implementation we use for cursor pagination, the ["Building cursors for the Disqus API"][disqus-cursor-api] blog post gives a good overview of the basic approach.
 
@@ -205,29 +218,29 @@ To set these attributes you should override the `CursorPagination` class, and th
 
 # Custom pagination styles
 
-To create a custom pagination serializer class you should subclass `pagination.BasePagination` and override the `paginate_queryset(self, queryset, request, view=None)` and `get_paginated_response(self, data)` methods:
+To create a custom pagination serializer class, you should inherit the subclass `pagination.BasePagination`, override the `paginate_queryset(self, queryset, request, view=None)`, and `get_paginated_response(self, data)` methods:
 
-* The `paginate_queryset` method is passed the initial queryset and should return an iterable object that contains only the data in the requested page.
-* The `get_paginated_response` method is passed the serialized page data and should return a `Response` instance.
+* The `paginate_queryset` method is passed to the initial queryset and should return an iterable object. That object contains only the data in the requested page.
+* The `get_paginated_response` method is passed to the serialized page data and should return a `Response` instance.
 
 Note that the `paginate_queryset` method may set state on the pagination instance, that may later be used by the `get_paginated_response` method.
 
 ## Example
 
-Suppose we want to replace the default pagination output style with a modified format that  includes the next and previous links under in a nested 'links' key. We could specify a custom pagination class like so:
+Suppose we want to replace the default pagination output style with a modified format that includes the next and previous links under in a nested 'links' key. We could specify a custom pagination class like so:
 
     class CustomPagination(pagination.PageNumberPagination):
         def get_paginated_response(self, data):
             return Response({
                 'links': {
-                   'next': self.get_next_link(),
-                   'previous': self.get_previous_link()
+                    'next': self.get_next_link(),
+                    'previous': self.get_previous_link()
                 },
                 'count': self.page.paginator.count,
                 'results': data
             })
 
-We'd then need to setup the custom class in our configuration:
+We'd then need to set up the custom class in our configuration:
 
     REST_FRAMEWORK = {
         'DEFAULT_PAGINATION_CLASS': 'my_project.apps.core.pagination.CustomPagination',
@@ -236,29 +249,6 @@ We'd then need to setup the custom class in our configuration:
 
 Note that if you care about how the ordering of keys is displayed in responses in the browsable API you might choose to use an `OrderedDict` when constructing the body of paginated responses, but this is optional.
 
-## Header based pagination
-
-Let's modify the built-in `PageNumberPagination` style, so that instead of include the pagination links in the body of the response, we'll instead include a `Link` header, in a [similar style to the GitHub API][github-link-pagination].
-
-    class LinkHeaderPagination(pagination.PageNumberPagination):
-        def get_paginated_response(self, data):
-            next_url = self.get_next_link()
-            previous_url = self.get_previous_link()
-
-            if next_url is not None and previous_url is not None:
-                link = '<{next_url}; rel="next">, <{previous_url}; rel="prev">'
-            elif next_url is not None:
-                link = '<{next_url}; rel="next">'
-            elif previous_url is not None:
-                link = '<{previous_url}; rel="prev">'
-            else:
-                link = ''
-
-            link = link.format(next_url=next_url, previous_url=previous_url)
-            headers = {'Link': link} if link else {}
-
-            return Response(data, headers=headers)
-
 ## Using your custom pagination class
 
 To have your custom pagination class be used by default, use the `DEFAULT_PAGINATION_CLASS` setting:
@@ -270,11 +260,9 @@ To have your custom pagination class be used by default, use the `DEFAULT_PAGINA
 
 API responses for list endpoints will now include a `Link` header, instead of including the pagination links as part of the body of the response, for example:
 
----
-
 ![Link Header][link-header]
 
-*A custom pagination style, using the 'Link' header'*
+*A custom pagination style, using the 'Link' header*
 
 ---
 
@@ -309,9 +297,20 @@ The following third party packages are also available.
 
 The [`DRF-extensions` package][drf-extensions] includes a [`PaginateByMaxMixin` mixin class][paginate-by-max-mixin] that allows your API clients to specify `?page_size=max` to obtain the maximum allowed page size.
 
-[cite]: https://docs.djangoproject.com/en/dev/topics/pagination/
-[github-link-pagination]: https://developer.github.com/guides/traversing-with-pagination/
+## drf-proxy-pagination
+
+The [`drf-proxy-pagination` package][drf-proxy-pagination] includes a `ProxyPagination` class which allows to choose pagination class with a query parameter.
+
+## link-header-pagination
+
+The [`django-rest-framework-link-header-pagination` package][drf-link-header-pagination] includes a `LinkHeaderPagination` class which provides pagination via an HTTP `Link` header as described in [GitHub REST API documentation][github-traversing-with-pagination].
+
+[cite]: https://docs.djangoproject.com/en/stable/topics/pagination/
 [link-header]: ../img/link-header-pagination.png
-[drf-extensions]: http://chibisov.github.io/drf-extensions/docs/
-[paginate-by-max-mixin]: http://chibisov.github.io/drf-extensions/docs/#paginatebymaxmixin
-[disqus-cursor-api]: http://cramer.io/2011/03/08/building-cursors-for-the-disqus-api/
+[drf-extensions]: https://chibisov.github.io/drf-extensions/docs/
+[paginate-by-max-mixin]: https://chibisov.github.io/drf-extensions/docs/#paginatebymaxmixin
+[drf-proxy-pagination]: https://github.com/tuffnatty/drf-proxy-pagination
+[drf-link-header-pagination]: https://github.com/tbeadle/django-rest-framework-link-header-pagination
+[disqus-cursor-api]: https://cra.mr/2011/03/08/building-cursors-for-the-disqus-api
+[float_cursor_pagination_example]: https://gist.github.com/keturn/8bc88525a183fd41c73ffb729b8865be#file-fpcursorpagination-py
+[github-traversing-with-pagination]: https://docs.github.com/en/rest/guides/traversing-with-pagination

docs/api-guide/parsers.md

@@ -1,4 +1,7 @@
-source: parsers.py
+---
+source:
+    - parsers.py
+---
 
 # Parsers
 
@@ -8,11 +11,11 @@ sending more complex data than simple forms
 >
 > — Malcom Tredinnick, [Django developers group][cite]
 
-REST framework includes a number of built in Parser classes, that allow you to accept requests with various media types.  There is also support for defining your own custom parsers, which gives you the flexibility to design the media types that your API accepts.
+REST framework includes a number of built-in Parser classes, that allow you to accept requests with various media types.  There is also support for defining your own custom parsers, which gives you the flexibility to design the media types that your API accepts.
 
 ## How the parser is determined
 
-The set of valid parsers for a view is always defined as a list of classes.  When  `request.data` is accessed, REST framework will examine the `Content-Type` header on the incoming request, and determine which parser to use to parse the request content.
+The set of valid parsers for a view is always defined as a list of classes.  When `request.data` is accessed, REST framework will examine the `Content-Type` header on the incoming request, and determine which parser to use to parse the request content.
 
 ---
 
@@ -29,13 +32,13 @@ As an example, if you are sending `json` encoded data using jQuery with the [.aj
 The default set of parsers may be set globally, using the `DEFAULT_PARSER_CLASSES` setting. For example, the following settings would allow only requests with `JSON` content, instead of the default of JSON or form data.
 
     REST_FRAMEWORK = {
-        'DEFAULT_PARSER_CLASSES': (
+        'DEFAULT_PARSER_CLASSES': [
             'rest_framework.parsers.JSONParser',
-        )
+        ]
     }
 
 You can also set the parsers used for an individual view, or viewset,
-using the `APIView` class based views.
+using the `APIView` class-based views.
 
     from rest_framework.parsers import JSONParser
     from rest_framework.response import Response
@@ -45,15 +48,19 @@ using the `APIView` class based views.
         """
         A view that can accept POST requests with JSON content.
         """
-        parser_classes = (JSONParser,)
+        parser_classes = [JSONParser]
 
         def post(self, request, format=None):
             return Response({'received data': request.data})
 
 Or, if you're using the `@api_view` decorator with function based views.
 
+    from rest_framework.decorators import api_view
+    from rest_framework.decorators import parser_classes
+    from rest_framework.parsers import JSONParser
+
     @api_view(['POST'])
-    @parser_classes((JSONParser,))
+    @parser_classes([JSONParser])
     def example_view(request, format=None):
         """
         A view that can accept POST requests with JSON content.
@@ -66,7 +73,7 @@ Or, if you're using the `@api_view` decorator with function based views.
 
 ## JSONParser
 
-Parses `JSON` request content.
+Parses `JSON` request content. `request.data` will be populated with a dictionary of data.
 
 **.media_type**: `application/json`
 
@@ -80,7 +87,7 @@ You will typically want to use both `FormParser` and `MultiPartParser` together
 
 ## MultiPartParser
 
-Parses multipart HTML form content, which supports file uploads.  Both `request.data` will be populated with a `QueryDict`.
+Parses multipart HTML form content, which supports file uploads. `request.data` and `request.FILES` will be populated with a `QueryDict` and `MultiValueDict` respectively.
 
 You will typically want to use both `FormParser` and `MultiPartParser` together in order to fully support HTML form data.
 
@@ -90,20 +97,23 @@ You will typically want to use both `FormParser` and `MultiPartParser` together
 
 Parses raw file upload content.  The `request.data` property will be a dictionary with a single key `'file'` containing the uploaded file.
 
-If the view used with `FileUploadParser` is called with a `filename` URL keyword argument, then that argument will be used as the filename.  If it is called without a `filename` URL keyword argument, then the client must set the filename in the `Content-Disposition` HTTP header.  For example `Content-Disposition: attachment; filename=upload.jpg`.
+If the view used with `FileUploadParser` is called with a `filename` URL keyword argument, then that argument will be used as the filename.
+
+If it is called without a `filename` URL keyword argument, then the client must set the filename in the `Content-Disposition` HTTP header.  For example `Content-Disposition: attachment; filename=upload.jpg`.
 
 **.media_type**: `*/*`
 
 ##### Notes:
 
-* The `FileUploadParser` is for usage with native clients that can upload the file as a raw data request.  For web-based uploads, or for native clients with multipart upload support, you should use the `MultiPartParser` parser instead.
+* The `FileUploadParser` is for usage with native clients that can upload the file as a raw data request.  For web-based uploads, or for native clients with multipart upload support, you should use the `MultiPartParser` instead.
 * Since this parser's `media_type` matches any content type, `FileUploadParser` should generally be the only parser set on an API view.
 * `FileUploadParser` respects Django's standard `FILE_UPLOAD_HANDLERS` setting, and the `request.upload_handlers` attribute.  See the [Django documentation][upload-handlers] for more details.
 
 ##### Basic usage example:
 
+    # views.py
     class FileUploadView(views.APIView):
-        parser_classes = (FileUploadParser,)
+        parser_classes = [FileUploadParser]
 
         def put(self, request, filename, format=None):
             file_obj = request.data['file']
@@ -112,6 +122,11 @@ If the view used with `FileUploadParser` is called with a `filename` URL keyword
             # ...
             return Response(status=204)
 
+    # urls.py
+    urlpatterns = [
+        # ...
+        re_path(r'^upload/(?P<filename>[^/]+)$', FileUploadView.as_view())
+    ]
 
 ---
 
@@ -144,17 +159,16 @@ By default this will include the following keys: `view`, `request`, `args`, `kwa
 The following is an example plaintext parser that will populate the `request.data` property with a string representing the body of the request.
 
     class PlainTextParser(BaseParser):
-    """
-    Plain text parser.
-    """
-
-    media_type = 'text/plain'
-
-    def parse(self, stream, media_type=None, parser_context=None):
         """
-        Simply return a string representing the body of the request.
+        Plain text parser.
         """
-        return stream.read()
+        media_type = 'text/plain'
+
+        def parse(self, stream, media_type=None, parser_context=None):
+            """
+            Simply return a string representing the body of the request.
+            """
+            return stream.read()
 
 ---
 
@@ -175,12 +189,12 @@ Install using pip.
 Modify your REST framework settings.
 
     REST_FRAMEWORK = {
-        'DEFAULT_PARSER_CLASSES': (
+        'DEFAULT_PARSER_CLASSES': [
             'rest_framework_yaml.parsers.YAMLParser',
-        ),
-        'DEFAULT_RENDERER_CLASSES': (
+        ],
+        'DEFAULT_RENDERER_CLASSES': [
             'rest_framework_yaml.renderers.YAMLRenderer',
-        ),
+        ],
     }
 
 ## XML
@@ -196,12 +210,12 @@ Install using pip.
 Modify your REST framework settings.
 
     REST_FRAMEWORK = {
-        'DEFAULT_PARSER_CLASSES': (
+        'DEFAULT_PARSER_CLASSES': [
             'rest_framework_xml.parsers.XMLParser',
-        ),
-        'DEFAULT_RENDERER_CLASSES': (
+        ],
+        'DEFAULT_RENDERER_CLASSES': [
             'rest_framework_xml.renderers.XMLRenderer',
-        ),
+        ],
     }
 
 ## MessagePack
@@ -212,11 +226,11 @@ Modify your REST framework settings.
 
 [djangorestframework-camel-case] provides camel case JSON renderers and parsers for REST framework.  This allows serializers to use Python-style underscored field names, but be exposed in the API as Javascript-style camel case field names.  It is maintained by [Vitaly Babiy][vbabiy].
 
-[jquery-ajax]: http://api.jquery.com/jQuery.ajax/
+[jquery-ajax]: https://api.jquery.com/jQuery.ajax/
 [cite]: https://groups.google.com/d/topic/django-developers/dxI4qVzrBY4/discussion
-[upload-handlers]: https://docs.djangoproject.com/en/dev/topics/http/file-uploads/#upload-handlers
-[rest-framework-yaml]: http://jpadilla.github.io/django-rest-framework-yaml/
-[rest-framework-xml]: http://jpadilla.github.io/django-rest-framework-xml/
+[upload-handlers]: https://docs.djangoproject.com/en/stable/topics/http/file-uploads/#upload-handlers
+[rest-framework-yaml]: https://jpadilla.github.io/django-rest-framework-yaml/
+[rest-framework-xml]: https://jpadilla.github.io/django-rest-framework-xml/
 [yaml]: http://www.yaml.org/
 [messagepack]: https://github.com/juanriaza/django-rest-framework-msgpack
 [juanriaza]: https://github.com/juanriaza

docs/api-guide/permissions.md

@@ -1,4 +1,7 @@
-source: permissions.py
+---
+source:
+    - permissions.py
+---
 
 # Permissions
 
@@ -10,9 +13,9 @@ Together with [authentication] and [throttling], permissions determine whether a
 
 Permission checks are always run at the very start of the view, before any other code is allowed to proceed.  Permission checks will typically use the authentication information in the `request.user` and `request.auth` properties to determine if the incoming request should be permitted.
 
-Permissions are used to grant or deny access different classes of users to different parts of the API.
+Permissions are used to grant or deny access for different classes of users to different parts of the API.
 
-The simplest style of permission would be to allow access to any authenticated user, and deny access to any unauthenticated user. This corresponds the `IsAuthenticated` class in REST framework.
+The simplest style of permission would be to allow access to any authenticated user, and deny access to any unauthenticated user. This corresponds to the `IsAuthenticated` class in REST framework.
 
 A slightly less strict style of permission would be to allow full access to authenticated users, but allow read-only access to unauthenticated users. This corresponds to the `IsAuthenticatedOrReadOnly` class in REST framework.
 
@@ -21,9 +24,9 @@ A slightly less strict style of permission would be to allow full access to auth
 Permissions in REST framework are always defined as a list of permission classes.
 
 Before running the main body of the view each permission in the list is checked.
-If any permission check fails an `exceptions.PermissionDenied` or `exceptions.NotAuthenticated` exception will be raised, and the main body of the view will not run.
+If any permission check fails, an `exceptions.PermissionDenied` or `exceptions.NotAuthenticated` exception will be raised, and the main body of the view will not run.
 
-When the permissions checks fail either a "403 Forbidden" or a "401 Unauthorized" response will be returned, according to the following rules:
+When the permission checks fail, either a "403 Forbidden" or a "401 Unauthorized" response will be returned, according to the following rules:
 
 * The request was successfully authenticated, but permission was denied. *— An HTTP 403 Forbidden response will be returned.*
 * The request was not successfully authenticated, and the highest priority authentication class *does not* use `WWW-Authenticate` headers. *— An HTTP 403 Forbidden response will be returned.*
@@ -44,41 +47,56 @@ This will either raise a `PermissionDenied` or `NotAuthenticated` exception, or
 For example:
 
     def get_object(self):
-        obj = get_object_or_404(self.get_queryset())
+        obj = get_object_or_404(self.get_queryset(), pk=self.kwargs["pk"])
         self.check_object_permissions(self.request, obj)
         return obj
 
+---
+
+**Note**: With the exception of `DjangoObjectPermissions`, the provided
+permission classes in `rest_framework.permissions` **do not** implement the
+methods necessary to check object permissions.
+
+If you wish to use the provided permission classes in order to check object
+permissions, **you must** subclass them and implement the
+`has_object_permission()` method described in the [_Custom
+permissions_](#custom-permissions) section (below).
+
+---
+
 #### Limitations of object level permissions
 
 For performance reasons the generic views will not automatically apply object level permissions to each instance in a queryset when returning a list of objects.
 
 Often when you're using object level permissions you'll also want to [filter the queryset][filtering] appropriately, to ensure that users only have visibility onto instances that they are permitted to view.
 
+Because the `get_object()` method is not called, object level permissions from the `has_object_permission()` method **are not applied** when creating objects. In order to restrict object creation you need to implement the permission check either in your Serializer class or override the `perform_create()` method of your ViewSet class.
+
 ## Setting the permission policy
 
 The default permission policy may be set globally, using the `DEFAULT_PERMISSION_CLASSES` setting.  For example.
 
     REST_FRAMEWORK = {
-        'DEFAULT_PERMISSION_CLASSES': (
+        'DEFAULT_PERMISSION_CLASSES': [
             'rest_framework.permissions.IsAuthenticated',
-        )
+        ]
     }
 
 If not specified, this setting defaults to allowing unrestricted access:
 
-    'DEFAULT_PERMISSION_CLASSES': (
+    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.AllowAny',
-    )
+    ]
 
 You can also set the authentication policy on a per-view, or per-viewset basis,
-using the `APIView` class based views.
+using the `APIView` class-based views.
 
     from rest_framework.permissions import IsAuthenticated
-	from rest_framework.response import Response
-	from rest_framework.views import APIView
+    from rest_framework.response import Response
+    from rest_framework.views import APIView
 
     class ExampleView(APIView):
-        permission_classes = (IsAuthenticated,)
+        permission_classes = [IsAuthenticated]
 
         def get(self, request, format=None):
             content = {
@@ -88,14 +106,41 @@ using the `APIView` class based views.
 
 Or, if you're using the `@api_view` decorator with function based views.
 
-    @api_view('GET')
-    @permission_classes((IsAuthenticated, ))
+    from rest_framework.decorators import api_view, permission_classes
+    from rest_framework.permissions import IsAuthenticated
+    from rest_framework.response import Response
+
+    @api_view(['GET'])
+    @permission_classes([IsAuthenticated])
     def example_view(request, format=None):
         content = {
             'status': 'request was permitted'
         }
         return Response(content)
 
+__Note:__ when you set new permission classes via the class attribute or decorators you're telling the view to ignore the default list set in the __settings.py__ file.
+
+Provided they inherit from `rest_framework.permissions.BasePermission`, permissions can be composed using standard Python bitwise operators. For example, `IsAuthenticatedOrReadOnly` could be written:
+
+    from rest_framework.permissions import BasePermission, IsAuthenticated, SAFE_METHODS
+    from rest_framework.response import Response
+    from rest_framework.views import APIView
+
+    class ReadOnly(BasePermission):
+        def has_permission(self, request, view):
+            return request.method in SAFE_METHODS
+
+    class ExampleView(APIView):
+        permission_classes = [IsAuthenticated|ReadOnly]
+
+        def get(self, request, format=None):
+            content = {
+                'status': 'request was permitted'
+            }
+            return Response(content)
+
+__Note:__ it supports & (and), | (or) and ~ (not).
+
 ---
 
 # API Reference
@@ -120,28 +165,22 @@ This permission is suitable if you want your API to only be accessible to a subs
 
 ## IsAuthenticatedOrReadOnly
 
-The `IsAuthenticatedOrReadOnly` will allow authenticated users to perform any request.  Requests for unauthorised users will only be permitted if the request method is one of the "safe" methods; `GET`, `HEAD` or `OPTIONS`.
+The `IsAuthenticatedOrReadOnly` will allow authenticated users to perform any request.  Requests for unauthenticated users will only be permitted if the request method is one of the "safe" methods; `GET`, `HEAD` or `OPTIONS`.
 
 This permission is suitable if you want to your API to allow read permissions to anonymous users, and only allow write permissions to authenticated users.
 
 ## DjangoModelPermissions
 
-This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth].  This permission must only be applied to views that has a `.queryset` property set. Authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned.
+This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth].  This permission must only be applied to views that have a `.queryset` property or `get_queryset()` method. Authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned. The appropriate model is determined by checking `get_queryset().model` or `queryset.model`.
 
 * `POST` requests require the user to have the `add` permission on the model.
 * `PUT` and `PATCH` requests require the user to have the `change` permission on the model.
 * `DELETE` requests require the user to have the `delete` permission on the model.
 
-The default behaviour can also be overridden to support custom model permissions.  For example, you might want to include a `view` model permission for `GET` requests.
+The default behavior can also be overridden to support custom model permissions.  For example, you might want to include a `view` model permission for `GET` requests.
 
 To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property.  Refer to the source code for details.
 
-#### Using with views that do not include a `queryset` attribute.
-
-If you're using this permission with a view that uses an overridden `get_queryset()` method there may not be a `queryset` attribute on the view. In this case we suggest also marking the view with a sential queryset, so that this class can determine the required permissions. For example:
-
-    queryset = User.objects.none()  # Required for DjangoModelPermissions
-
 ## DjangoModelPermissionsOrAnonReadOnly
 
 Similar to `DjangoModelPermissions`, but also allows unauthenticated users to have read-only access to the API.
@@ -158,13 +197,11 @@ As with `DjangoModelPermissions`, this permission must only be applied to views
 
 Note that `DjangoObjectPermissions` **does not** require the `django-guardian` package, and should support other object-level backends equally well.
 
-As with `DjangoModelPermissions` you can use custom model permissions by overriding `DjangoModelPermissions` and setting the `.perms_map` property.  Refer to the source code for details.
+As with `DjangoModelPermissions` you can use custom model permissions by overriding `DjangoObjectPermissions` and setting the `.perms_map` property.  Refer to the source code for details.
 
 ---
 
-**Note**: If you need object level `view` permissions for `GET`, `HEAD` and `OPTIONS` requests, you'll want to consider also adding the `DjangoObjectPermissionsFilter` class to ensure that list endpoints only return results including objects for which the user has appropriate view permissions.
-
----
+**Note**: If you need object level `view` permissions for `GET`, `HEAD` and `OPTIONS` requests and are using django-guardian for your object-level permissions backend, you'll want to consider using the `DjangoObjectPermissionsFilter` class provided by the [`djangorestframework-guardian2` package][django-rest-framework-guardian2]. It ensures that list endpoints only return results including objects for which the user has appropriate view permissions.
 
 ---
 
@@ -186,25 +223,35 @@ If you need to test if a request is a read operation or a write operation, you s
 
 ---
 
-**Note**: The instance-level `has_object_permission` method will only be called if the view-level `has_permission` checks have already passed. Also note that in order for the instance-level checks to run, the view code should explicitly call `.check_object_permissions(request, obj)`. If you are using the generic views then this will be handled for you by default.
+**Note**: The instance-level `has_object_permission` method will only be called if the view-level `has_permission` checks have already passed. Also note that in order for the instance-level checks to run, the view code should explicitly call `.check_object_permissions(request, obj)`. If you are using the generic views then this will be handled for you by default. (Function-based views will need to check object permissions explicitly, raising `PermissionDenied` on failure.)
 
 ---
 
-## Examples
-
-The following is an example of a permission class that checks the incoming request's IP address against a blacklist, and denies the request if the IP has been blacklisted.
+Custom permissions will raise a `PermissionDenied` exception if the test fails. To change the error message associated with the exception, implement a `message` attribute directly on your custom permission. Otherwise the `default_detail` attribute from `PermissionDenied` will be used. Similarly, to change the code identifier associated with the exception, implement a `code` attribute directly on your custom permission - otherwise the `default_code` attribute from `PermissionDenied` will be used.
 
     from rest_framework import permissions
 
-    class BlacklistPermission(permissions.BasePermission):
+    class CustomerAccessPermission(permissions.BasePermission):
+        message = 'Adding customers not allowed.'
+
+        def has_permission(self, request, view):
+             ...
+
+## Examples
+
+The following is an example of a permission class that checks the incoming request's IP address against a blocklist, and denies the request if the IP has been blocked.
+
+    from rest_framework import permissions
+
+    class BlocklistPermission(permissions.BasePermission):
         """
-        Global permission check for blacklisted IPs.
+        Global permission check for blocked IPs.
         """
 
         def has_permission(self, request, view):
             ip_addr = request.META['REMOTE_ADDR']
-            blacklisted = Blacklist.objects.filter(ip_addr=ip_addr).exists()
-            return not blacklisted
+            blocked = Blocklist.objects.filter(ip_addr=ip_addr).exists()
+            return not blocked
 
 As well as global permissions, that are run against all incoming requests, you can also create object-level permissions, that are only run against operations that affect a particular object instance.  For example:
 
@@ -227,15 +274,39 @@ Note that the generic views will check the appropriate object level permissions,
 
 Also note that the generic views will only check the object-level permissions for views that retrieve a single model instance.  If you require object-level filtering of list views, you'll need to filter the queryset separately.  See the [filtering documentation][filtering] for more details.
 
+# Overview of access restriction methods
+
+REST framework offers three different methods to customize access restrictions on a case-by-case basis. These apply in different scenarios and have different effects and limitations.
+
+ * `queryset`/`get_queryset()`: Limits the general visibility of existing objects from the database. The queryset limits which objects will be listed and which objects can be modified or deleted. The `get_queryset()` method can apply different querysets based on the current action.
+ * `permission_classes`/`get_permissions()`: General permission checks based on the current action, request and targeted object. Object level permissions can only be applied to retrieve, modify and deletion actions. Permission checks for list and create will be applied to the entire object type. (In case of list: subject to restrictions in the queryset.)
+ * `serializer_class`/`get_serializer()`: Instance level restrictions that apply to all objects on input and output. The serializer may have access to the request context. The `get_serializer()` method can apply different serializers based on the current action.
+
+The following table lists the access restriction methods and the level of control they offer over which actions.
+
+|                                    | `queryset` | `permission_classes` | `serializer_class` |
+|------------------------------------|------------|----------------------|--------------------|
+| Action: list                       | global     | global               | object-level*      |
+| Action: create                     | no         | global               | object-level       |
+| Action: retrieve                   | global     | object-level         | object-level       |
+| Action: update                     | global     | object-level         | object-level       |
+| Action: partial_update             | global     | object-level         | object-level       |
+| Action: destroy                    | global     | object-level         | no                 |
+| Can reference action in decision   | no**       | yes                  | no**               |
+| Can reference request in decision  | no**       | yes                  | yes                |
+
+ \* A Serializer class should not raise PermissionDenied in a list action, or the entire list would not be returned. <br>
+ \** The `get_*()` methods have access to the current view and can return different Serializer or QuerySet instances based on the request or action.
+
 ---
 
 # Third party packages
 
 The following third party packages are also available.
 
-## DRF Any Permissions
+## DRF - Access Policy
 
-The [DRF Any Permissions][drf-any-permissions] packages provides a different permission behavior in contrast to REST framework.  Instead of all specified permissions being required, only one of the given permissions has to be true in order to get access to the view.
+The [Django REST - Access Policy][drf-access-policy] package provides a way to define complex access rules in declarative policy classes that are attached to view sets or function-based views. The policies are defined in JSON in a format similar to AWS' Identity & Access Management policies. 
 
 ## Composed Permissions
 
@@ -243,18 +314,48 @@ The [Composed Permissions][composed-permissions] package provides a simple way t
 
 ## REST Condition
 
-The [REST Condition][rest-condition] package is another extension for building complex permissions in a simple and convenient way.  The extension allows you to combine permissions with logical operators.
+The [REST Condition][rest-condition] package is another extension for building complex permissions in a simple and convenient way. The extension allows you to combine permissions with logical operators.
+
+## DRY Rest Permissions
+
+The [DRY Rest Permissions][dry-rest-permissions] package provides the ability to define different permissions for individual default and custom actions. This package is made for apps with permissions that are derived from relationships defined in the app's data model. It also supports permission checks being returned to a client app through the API's serializer. Additionally it supports adding permissions to the default and custom list actions to restrict the data they retrieve per user.
+
+## Django Rest Framework Roles
+
+The [Django Rest Framework Roles][django-rest-framework-roles] package makes it easier to parameterize your API over multiple types of users.
+
+## Rest Framework Roles
+
+The [Rest Framework Roles][rest-framework-roles] makes it super easy to protect views based on roles. Most importantly allows you to decouple accessibility logic from models and views in a clean human-readable way.
+
+## Django REST Framework API Key
+
+The [Django REST Framework API Key][djangorestframework-api-key] package provides permissions classes, models and helpers to add API key authorization to your API. It can be used to authorize internal or third-party backends and services (i.e. _machines_) which do not have a user account. API keys are stored securely using Django's password hashing infrastructure, and they can be viewed, edited and revoked at anytime in the Django admin.
+
+## Django Rest Framework Role Filters
+
+The [Django Rest Framework Role Filters][django-rest-framework-role-filters] package provides simple filtering over multiple types of roles.
+
+## Django Rest Framework PSQ
+
+The [Django Rest Framework PSQ][drf-psq] package is an extension that gives support for having action-based **permission_classes**, **serializer_class**, and **queryset** dependent on permission-based rules.
+
 
 [cite]: https://developer.apple.com/library/mac/#documentation/security/Conceptual/AuthenticationAndAuthorizationGuide/Authorization/Authorization.html
 [authentication]: authentication.md
 [throttling]: throttling.md
 [filtering]: filtering.md
-[contribauth]: https://docs.djangoproject.com/en/dev/topics/auth/customizing/#custom-permissions
-[objectpermissions]: https://docs.djangoproject.com/en/dev/topics/auth/customizing/#handling-object-permissions
+[contribauth]: https://docs.djangoproject.com/en/stable/topics/auth/customizing/#custom-permissions
+[objectpermissions]: https://docs.djangoproject.com/en/stable/topics/auth/customizing/#handling-object-permissions
 [guardian]: https://github.com/lukaszb/django-guardian
-[get_objects_for_user]: http://pythonhosted.org/django-guardian/api/guardian.shortcuts.html#get-objects-for-user
-[2.2-announcement]: ../topics/2.2-announcement.md
 [filtering]: filtering.md
-[drf-any-permissions]: https://github.com/kevin-brown/drf-any-permissions
 [composed-permissions]: https://github.com/niwibe/djangorestframework-composed-permissions
 [rest-condition]: https://github.com/caxap/rest_condition
+[dry-rest-permissions]: https://github.com/FJNR-inc/dry-rest-permissions
+[django-rest-framework-roles]: https://github.com/computer-lab/django-rest-framework-roles
+[rest-framework-roles]: https://github.com/Pithikos/rest-framework-roles
+[djangorestframework-api-key]: https://florimondmanca.github.io/djangorestframework-api-key/
+[django-rest-framework-role-filters]: https://github.com/allisson/django-rest-framework-role-filters
+[django-rest-framework-guardian2]: https://github.com/johnthagen/django-rest-framework-guardian2
+[drf-access-policy]: https://github.com/rsinger86/drf-access-policy
+[drf-psq]: https://github.com/drf-psq/drf-psq

docs/api-guide/relations.md

@@ -1,12 +1,13 @@
-source: relations.py
+---
+source:
+    - relations.py
+---
 
 # Serializer relations
 
-> Bad programmers worry about the code.
-> Good programmers worry about data structures and their relationships.
+> Data structures, not algorithms, are central to programming.
 >
-> — [Linus Torvalds][cite]
-
+> — [Rob Pike][cite]
 
 Relational fields are used to represent model relationships.  They can be applied to `ForeignKey`, `ManyToManyField` and `OneToOneField` relationships, as well as to reverse relationships, and custom relationships such as `GenericForeignKey`.
 
@@ -16,7 +17,38 @@ Relational fields are used to represent model relationships.  They can be applie
 
 ---
 
-#### Inspecting automatically generated relationships.
+---
+
+**Note:** REST Framework does not attempt to automatically optimize querysets passed to serializers in terms of `select_related` and `prefetch_related` since it would be too much magic. A serializer with a field spanning an orm relation through its source attribute could require an additional database hit to fetch related objects from the database. It is the programmer's responsibility to optimize queries to avoid additional database hits which could occur while using such a serializer.
+
+For example, the following serializer would lead to a database hit each time evaluating the tracks field if it is not prefetched:
+
+    class AlbumSerializer(serializers.ModelSerializer):
+        tracks = serializers.SlugRelatedField(
+            many=True,
+            read_only=True,
+            slug_field='title'
+        )
+
+        class Meta:
+            model = Album
+            fields = ['album_name', 'artist', 'tracks']
+
+    # For each album object, tracks should be fetched from database
+    qs = Album.objects.all()
+    print(AlbumSerializer(qs, many=True).data)
+
+If `AlbumSerializer` is used to serialize a fairly large queryset with `many=True` then it could be a serious performance problem. Optimizing the queryset passed to `AlbumSerializer` with:
+
+    qs = Album.objects.prefetch_related('tracks')
+    # No additional database hits required
+    print(AlbumSerializer(qs, many=True).data)
+
+would solve the issue.
+
+---
+
+#### Inspecting relationships.
 
 When using the `ModelSerializer` class, serializer fields and relationships will be automatically generated for you. Inspecting these automatically generated fields can be a useful tool for determining how to customize the relationship style.
 
@@ -24,7 +56,7 @@ To do so, open the Django shell, using `python manage.py shell`, then import the
 
     >>> from myapp.serializers import AccountSerializer
     >>> serializer = AccountSerializer()
-    >>> print repr(serializer)  # Or `print(repr(serializer))` in Python 3.x.
+    >>> print(repr(serializer))
     AccountSerializer():
         id = IntegerField(label='ID', read_only=True)
         name = CharField(allow_blank=True, max_length=100, required=False)
@@ -39,32 +71,32 @@ In order to explain the various types of relational fields, we'll use a couple o
         artist = models.CharField(max_length=100)
 
     class Track(models.Model):
-        album = models.ForeignKey(Album, related_name='tracks')
+        album = models.ForeignKey(Album, related_name='tracks', on_delete=models.CASCADE)
         order = models.IntegerField()
         title = models.CharField(max_length=100)
         duration = models.IntegerField()
 
         class Meta:
-            unique_together = ('album', 'order')
+            unique_together = ['album', 'order']
             ordering = ['order']
 
-        def __unicode__(self):
+        def __str__(self):
             return '%d: %s' % (self.order, self.title)
 
 ## StringRelatedField
 
-`StringRelatedField` may be used to represent the target of the relationship using its `__unicode__` method.
+`StringRelatedField` may be used to represent the target of the relationship using its `__str__` method.
 
-For example, the following serializer.
+For example, the following serializer:
 
     class AlbumSerializer(serializers.ModelSerializer):
         tracks = serializers.StringRelatedField(many=True)
 
         class Meta:
             model = Album
-            fields = ('album_name', 'artist', 'tracks')
+            fields = ['album_name', 'artist', 'tracks']
 
-Would serialize to the following representation.
+Would serialize to the following representation:
 
     {
         'album_name': 'Things We Lost In The Fire',
@@ -94,13 +126,13 @@ For example, the following serializer:
 
         class Meta:
             model = Album
-            fields = ('album_name', 'artist', 'tracks')
+            fields = ['album_name', 'artist', 'tracks']
 
 Would serialize to a representation like this:
 
     {
-        'album_name': 'The Roots',
-        'artist': 'Undun',
+        'album_name': 'Undun',
+        'artist': 'The Roots',
         'tracks': [
             89,
             90,
@@ -116,6 +148,8 @@ By default this field is read-write, although you can change this behavior using
 * `queryset` - The queryset used for model instance lookups when validating the field input. Relationships must either set a queryset explicitly, or set `read_only=True`.
 * `many` - If applied to a to-many relationship, you should set this argument to `True`.
 * `allow_null` - If set to `True`, the field will accept values of `None` or the empty string for nullable relationships. Defaults to `False`.
+* `pk_field` - Set to a field to control serialization/deserialization of the primary key's value. For example, `pk_field=UUIDField(format='hex')` would serialize a UUID primary key into its compact hex representation.
+
 
 ## HyperlinkedRelatedField
 
@@ -132,7 +166,7 @@ For example, the following serializer:
 
         class Meta:
             model = Album
-            fields = ('album_name', 'artist', 'tracks')
+            fields = ['album_name', 'artist', 'tracks']
 
 Would serialize to a representation like this:
 
@@ -149,6 +183,16 @@ Would serialize to a representation like this:
 
 By default this field is read-write, although you can change this behavior using the `read_only` flag.
 
+---
+
+**Note**: This field is designed for objects that map to a URL that accepts a single URL keyword argument, as set using the `lookup_field` and `lookup_url_kwarg` arguments.
+
+This is suitable for URLs that contain a single primary key or slug argument as part of the URL.
+
+If you require more complex hyperlinked representation you'll need to customize the field, as described in the [custom hyperlinked fields](#custom-hyperlinked-fields) section, below.
+
+---
+
 **Arguments**:
 
 * `view_name` - The view name that should be used as the target of the relationship.  If you're using [the standard router classes][routers] this will be a string with the format `<modelname>-detail`. **required**.
@@ -174,7 +218,7 @@ For example, the following serializer:
 
         class Meta:
             model = Album
-            fields = ('album_name', 'artist', 'tracks')
+            fields = ['album_name', 'artist', 'tracks']
 
 Would serialize to a representation like this:
 
@@ -202,14 +246,14 @@ When using `SlugRelatedField` as a read-write field, you will normally want to e
 
 ## HyperlinkedIdentityField
 
-This field can be applied as an identity relationship, such as the `'url'` field on  a HyperlinkedModelSerializer.  It can also be used for an attribute on the object.  For example, the following serializer:
+This field can be applied as an identity relationship, such as the `'url'` field on a HyperlinkedModelSerializer.  It can also be used for an attribute on the object.  For example, the following serializer:
 
     class AlbumSerializer(serializers.HyperlinkedModelSerializer):
         track_listing = serializers.HyperlinkedIdentityField(view_name='track-list')
 
         class Meta:
             model = Album
-            fields = ('album_name', 'artist', 'track_listing')
+            fields = ['album_name', 'artist', 'track_listing']
 
 Would serialize to a representation like this:
 
@@ -232,7 +276,9 @@ This field is always read-only.
 
 # Nested relationships
 
-Nested relationships can be expressed by using serializers as fields.
+As opposed to previously discussed _references_ to another entity, the referred entity can instead also be embedded or _nested_
+in the representation of the object that refers to it.
+Such nested relationships can be expressed by using serializers as fields.
 
 If the field is used to represent a to-many relationship, you should add the `many=True` flag to the serializer field.
 
@@ -243,37 +289,92 @@ For example, the following serializer:
     class TrackSerializer(serializers.ModelSerializer):
         class Meta:
             model = Track
-            fields = ('order', 'title')
+            fields = ['order', 'title', 'duration']
 
     class AlbumSerializer(serializers.ModelSerializer):
         tracks = TrackSerializer(many=True, read_only=True)
 
         class Meta:
             model = Album
-            fields = ('album_name', 'artist', 'tracks')
+            fields = ['album_name', 'artist', 'tracks']
 
 Would serialize to a nested representation like this:
 
+    >>> album = Album.objects.create(album_name="The Grey Album", artist='Danger Mouse')
+    >>> Track.objects.create(album=album, order=1, title='Public Service Announcement', duration=245)
+    <Track: Track object>
+    >>> Track.objects.create(album=album, order=2, title='What More Can I Say', duration=264)
+    <Track: Track object>
+    >>> Track.objects.create(album=album, order=3, title='Encore', duration=159)
+    <Track: Track object>
+    >>> serializer = AlbumSerializer(instance=album)
+    >>> serializer.data
     {
         'album_name': 'The Grey Album',
         'artist': 'Danger Mouse',
         'tracks': [
-            {'order': 1, 'title': 'Public Service Announcement'},
-            {'order': 2, 'title': 'What More Can I Say'},
-            {'order': 3, 'title': 'Encore'},
+            {'order': 1, 'title': 'Public Service Announcement', 'duration': 245},
+            {'order': 2, 'title': 'What More Can I Say', 'duration': 264},
+            {'order': 3, 'title': 'Encore', 'duration': 159},
             ...
         ],
     }
 
+## Writable nested serializers
+
+By default nested serializers are read-only. If you want to support write-operations to a nested serializer field you'll need to create `create()` and/or `update()` methods in order to explicitly specify how the child relationships should be saved:
+
+    class TrackSerializer(serializers.ModelSerializer):
+        class Meta:
+            model = Track
+            fields = ['order', 'title', 'duration']
+
+    class AlbumSerializer(serializers.ModelSerializer):
+        tracks = TrackSerializer(many=True)
+
+        class Meta:
+            model = Album
+            fields = ['album_name', 'artist', 'tracks']
+
+        def create(self, validated_data):
+            tracks_data = validated_data.pop('tracks')
+            album = Album.objects.create(**validated_data)
+            for track_data in tracks_data:
+                Track.objects.create(album=album, **track_data)
+            return album
+
+    >>> data = {
+        'album_name': 'The Grey Album',
+        'artist': 'Danger Mouse',
+        'tracks': [
+            {'order': 1, 'title': 'Public Service Announcement', 'duration': 245},
+            {'order': 2, 'title': 'What More Can I Say', 'duration': 264},
+            {'order': 3, 'title': 'Encore', 'duration': 159},
+        ],
+    }
+    >>> serializer = AlbumSerializer(data=data)
+    >>> serializer.is_valid()
+    True
+    >>> serializer.save()
+    <Album: Album object>
+
+---
+
 # Custom relational fields
 
+In rare cases where none of the existing relational styles fit the representation you need,
+you can implement a completely custom relational field, that describes exactly how the
+output representation should be generated from the model instance.
+
 To implement a custom relational field, you should override `RelatedField`, and implement the `.to_representation(self, value)` method. This method takes the target of the field as the `value` argument, and should return the representation that should be used to serialize the target. The `value` argument will typically be a model instance.
 
-If you want to implement a read-write relational field, you must also implement the `.to_internal_value(self, data)` method.
+If you want to implement a read-write relational field, you must also implement the [`.to_internal_value(self, data)` method][to_internal_value].
+
+To provide a dynamic queryset based on the `context`, you can also override `.get_queryset(self)` instead of specifying `.queryset` on the class or when initializing the field.
 
 ## Example
 
-For example, we could define a relational field to serialize a track to a custom string representation, using its ordering, title, and duration.
+For example, we could define a relational field to serialize a track to a custom string representation, using its ordering, title, and duration:
 
     import time
 
@@ -287,9 +388,9 @@ For example, we could define a relational field to serialize a track to a custom
 
         class Meta:
             model = Album
-            fields = ('album_name', 'artist', 'tracks')
+            fields = ['album_name', 'artist', 'tracks']
 
-This custom field would then serialize to the following representation.
+This custom field would then serialize to the following representation:
 
     {
         'album_name': 'Sometimes I Wish We Were an Eagle',
@@ -304,6 +405,65 @@ This custom field would then serialize to the following representation.
 
 ---
 
+# Custom hyperlinked fields
+
+In some cases you may need to customize the behavior of a hyperlinked field, in order to represent URLs that require more than a single lookup field.
+
+You can achieve this by overriding `HyperlinkedRelatedField`. There are two methods that may be overridden:
+
+**get_url(self, obj, view_name, request, format)**
+
+The `get_url` method is used to map the object instance to its URL representation.
+
+May raise a `NoReverseMatch` if the `view_name` and `lookup_field`
+attributes are not configured to correctly match the URL conf.
+
+**get_object(self, view_name, view_args, view_kwargs)**
+
+If you want to support a writable hyperlinked field then you'll also want to override `get_object`, in order to map incoming URLs back to the object they represent. For read-only hyperlinked fields there is no need to override this method.
+
+The return value of this method should the object that corresponds to the matched URL conf arguments.
+
+May raise an `ObjectDoesNotExist` exception.
+
+## Example
+
+Say we have a URL for a customer object that takes two keyword arguments, like so:
+
+    /api/<organization_slug>/customers/<customer_pk>/
+
+This cannot be represented with the default implementation, which accepts only a single lookup field.
+
+In this case we'd need to override `HyperlinkedRelatedField` to get the behavior we want:
+
+    from rest_framework import serializers
+    from rest_framework.reverse import reverse
+
+    class CustomerHyperlink(serializers.HyperlinkedRelatedField):
+        # We define these as class attributes, so we don't need to pass them as arguments.
+        view_name = 'customer-detail'
+        queryset = Customer.objects.all()
+
+        def get_url(self, obj, view_name, request, format):
+            url_kwargs = {
+                'organization_slug': obj.organization.slug,
+                'customer_pk': obj.pk
+            }
+            return reverse(view_name, kwargs=url_kwargs, request=request, format=format)
+
+        def get_object(self, view_name, view_args, view_kwargs):
+            lookup_kwargs = {
+               'organization__slug': view_kwargs['organization_slug'],
+               'pk': view_kwargs['customer_pk']
+            }
+            return self.get_queryset().get(**lookup_kwargs)
+
+Note that if you wanted to use this style together with the generic views then you'd also need to override `.get_object` on the view in order to get the correct lookup behavior.
+
+Generally we recommend a flat style for API representations where possible, but the nested URL style can also be reasonable when used in moderation.
+
+---
+
 # Further notes
 
 ## The `queryset` argument
@@ -316,31 +476,62 @@ This behavior is now replaced with *always* using an explicit `queryset` argumen
 
 Doing so reduces the amount of hidden 'magic' that `ModelSerializer` provides, makes the behavior of the field more clear, and ensures that it is trivial to move between using the `ModelSerializer` shortcut, or using fully explicit `Serializer` classes.
 
+## Customizing the HTML display
+
+The built-in `__str__` method of the model will be used to generate string representations of the objects used to populate the `choices` property. These choices are used to populate select HTML inputs in the browsable API.
+
+To provide customized representations for such inputs, override `display_value()` of a `RelatedField` subclass. This method will receive a model object, and should return a string suitable for representing it. For example:
+
+    class TrackPrimaryKeyRelatedField(serializers.PrimaryKeyRelatedField):
+        def display_value(self, instance):
+            return 'Track: %s' % (instance.title)
+
+## Select field cutoffs
+
+When rendered in the browsable API relational fields will default to only displaying a maximum of 1000 selectable items. If more items are present then a disabled option with "More than 1000 items…" will be displayed.
+
+This behavior is intended to prevent a template from being unable to render in an acceptable timespan due to a very large number of relationships being displayed.
+
+There are two keyword arguments you can use to control this behavior:
+
+* `html_cutoff` - If set this will be the maximum number of choices that will be displayed by a HTML select drop down. Set to `None` to disable any limiting. Defaults to `1000`.
+* `html_cutoff_text` - If set this will display a textual indicator if the maximum number of items have been cutoff in an HTML select drop down. Defaults to `"More than {count} items…"`
+
+You can also control these globally using the settings `HTML_SELECT_CUTOFF` and `HTML_SELECT_CUTOFF_TEXT`.
+
+In cases where the cutoff is being enforced you may want to instead use a plain input field in the HTML form. You can do so using the `style` keyword argument. For example:
+
+    assigned_to = serializers.SlugRelatedField(
+       queryset=User.objects.all(),
+       slug_field='username',
+       style={'base_template': 'input.html'}
+    )
+
 ## Reverse relations
 
 Note that reverse relationships are not automatically included by the `ModelSerializer` and `HyperlinkedModelSerializer` classes.  To include a reverse relationship, you must explicitly add it to the fields list.  For example:
 
     class AlbumSerializer(serializers.ModelSerializer):
         class Meta:
-            fields = ('tracks', ...)
+            fields = ['tracks', ...]
 
 You'll normally want to ensure that you've set an appropriate `related_name` argument on the relationship, that you can use as the field name.  For example:
 
     class Track(models.Model):
-        album = models.ForeignKey(Album, related_name='tracks')
+        album = models.ForeignKey(Album, related_name='tracks', on_delete=models.CASCADE)
         ...
 
 If you have not set a related name for the reverse relationship, you'll need to use the automatically generated related name in the `fields` argument.  For example:
 
     class AlbumSerializer(serializers.ModelSerializer):
         class Meta:
-            fields = ('track_set', ...)
+            fields = ['track_set', ...]
 
 See the Django documentation on [reverse relationships][reverse-relationships] for more details.
 
 ## Generic relationships
 
-If you want to serialize a generic foreign key, you need to define a custom field, to determine explicitly how you want serialize the targets of the relationship.
+If you want to serialize a generic foreign key, you need to define a custom field, to determine explicitly how you want to serialize the targets of the relationship.
 
 For example, given the following model for a tag, which has a generic relationship with other arbitrary models:
 
@@ -348,17 +539,17 @@ For example, given the following model for a tag, which has a generic relationsh
         """
         Tags arbitrary model instances using a generic relation.
 
-        See: https://docs.djangoproject.com/en/dev/ref/contrib/contenttypes/
+        See: https://docs.djangoproject.com/en/stable/ref/contrib/contenttypes/
         """
         tag_name = models.SlugField()
-        content_type = models.ForeignKey(ContentType)
+        content_type = models.ForeignKey(ContentType, on_delete=models.CASCADE)
         object_id = models.PositiveIntegerField()
         tagged_object = GenericForeignKey('content_type', 'object_id')
 
-        def __unicode__(self):
-            return self.tag
+        def __str__(self):
+            return self.tag_name
 
-And the following two models, which may be have associated tags:
+And the following two models, which may have associated tags:
 
     class Bookmark(models.Model):
         """
@@ -375,7 +566,7 @@ And the following two models, which may be have associated tags:
         text = models.CharField(max_length=1000)
         tags = GenericRelation(TaggedItem)
 
-We could define a custom field that could be used to serialize tagged instances, using the type of each instance to determine how it should be serialized.
+We could define a custom field that could be used to serialize tagged instances, using the type of each instance to determine how it should be serialized:
 
     class TaggedObjectRelatedField(serializers.RelatedField):
         """
@@ -421,38 +612,7 @@ If you explicitly specify a relational field pointing to a
 ``ManyToManyField`` with a through model, be sure to set ``read_only``
 to ``True``.
 
-## Advanced Hyperlinked fields
-
-If you have very specific requirements for the style of your hyperlinked relationships you can override `HyperlinkedRelatedField`.
-
-There are two methods you'll need to override.
-
-#### get_url(self, obj, view_name, request, format)
-
-This method should return the URL that corresponds to the given object.
-
-May raise a `NoReverseMatch` if the `view_name` and `lookup_field`
-attributes are not configured to correctly match the URL conf.
-
-#### get_object(self, queryset, view_name, view_args, view_kwargs)
-
-This method should the object that corresponds to the matched URL conf arguments.
-
-May raise an `ObjectDoesNotExist` exception.
-
-### Example
-
-For example, if all your object URLs used both a account and a slug in the the URL to reference the object, you might create a custom field like this:
-
-    class CustomHyperlinkedField(serializers.HyperlinkedRelatedField):
-        def get_url(self, obj, view_name, request, format):
-            kwargs = {'account': obj.account, 'slug': obj.slug}
-            return reverse(view_name, kwargs=kwargs, request=request, format=format)
-
-        def get_object(self, queryset, view_name, view_args, view_kwargs):
-            account = view_kwargs['account']
-            slug = view_kwargs['slug']
-            return queryset.get(account=account, slug=slug)
+If you wish to represent [extra fields on a through model][django-intermediary-manytomany] then you may serialize the through model as [a nested object][dealing-with-nested-objects].
 
 ---
 
@@ -464,9 +624,20 @@ The following third party packages are also available.
 
 The [drf-nested-routers package][drf-nested-routers] provides routers and relationship fields for working with nested resources.
 
-[cite]: http://lwn.net/Articles/193245/
-[reverse-relationships]: https://docs.djangoproject.com/en/dev/topics/db/queries/#following-relationships-backward
-[routers]: http://www.django-rest-framework.org/api-guide/routers#defaultrouter
-[generic-relations]: https://docs.djangoproject.com/en/dev/ref/contrib/contenttypes/#id1
-[2.2-announcement]: ../topics/2.2-announcement.md
+## Rest Framework Generic Relations
+
+The [rest-framework-generic-relations][drf-nested-relations] library provides read/write serialization for generic foreign keys.
+
+The [rest-framework-gm2m-relations][drf-gm2m-relations] library provides read/write serialization for [django-gm2m][django-gm2m-field].
+
+[cite]: http://users.ece.utexas.edu/~adnan/pike.html
+[reverse-relationships]: https://docs.djangoproject.com/en/stable/topics/db/queries/#following-relationships-backward
+[routers]: https://www.django-rest-framework.org/api-guide/routers#defaultrouter
+[generic-relations]: https://docs.djangoproject.com/en/stable/ref/contrib/contenttypes/#id1
 [drf-nested-routers]: https://github.com/alanjds/drf-nested-routers
+[drf-nested-relations]: https://github.com/Ian-Foote/rest-framework-generic-relations
+[drf-gm2m-relations]: https://github.com/mojtabaakbari221b/rest-framework-gm2m-relations
+[django-gm2m-field]: https://github.com/tkhyn/django-gm2m
+[django-intermediary-manytomany]: https://docs.djangoproject.com/en/stable/topics/db/models/#intermediary-manytomany
+[dealing-with-nested-objects]: https://www.django-rest-framework.org/api-guide/serializers/#dealing-with-nested-objects
+[to_internal_value]: https://www.django-rest-framework.org/api-guide/serializers/#to_internal_valueself-data

docs/api-guide/renderers.md

@@ -1,4 +1,7 @@
-source: renderers.py
+---
+source:
+    - renderers.py
+---
 
 # Renderers
 
@@ -21,14 +24,14 @@ For more information see the documentation on [content negotiation][conneg].
 The default set of renderers may be set globally, using the `DEFAULT_RENDERER_CLASSES` setting.  For example, the following settings would use `JSON` as the main media type and also include the self describing API.
 
     REST_FRAMEWORK = {
-        'DEFAULT_RENDERER_CLASSES': (
+        'DEFAULT_RENDERER_CLASSES': [
             'rest_framework.renderers.JSONRenderer',
             'rest_framework.renderers.BrowsableAPIRenderer',
-        )
+        ]
     }
 
 You can also set the renderers used for an individual view, or viewset,
-using the `APIView` class based views.
+using the `APIView` class-based views.
 
     from django.contrib.auth.models import User
     from rest_framework.renderers import JSONRenderer
@@ -39,7 +42,7 @@ using the `APIView` class based views.
         """
         A view that returns the count of active users in JSON.
         """
-        renderer_classes = (JSONRenderer, )
+        renderer_classes = [JSONRenderer]
 
         def get(self, request, format=None):
             user_count = User.objects.filter(active=True).count()
@@ -49,7 +52,7 @@ using the `APIView` class based views.
 Or, if you're using the `@api_view` decorator with function based views.
 
     @api_view(['GET'])
-    @renderer_classes((JSONRenderer,))
+    @renderer_classes([JSONRenderer])
     def user_count_view(request, format=None):
         """
         A view that returns the count of active users in JSON.
@@ -89,7 +92,7 @@ The default JSON encoding style can be altered using the `UNICODE_JSON` and `COM
 
 **.media_type**: `application/json`
 
-**.format**: `'.json'`
+**.format**: `'json'`
 
 **.charset**: `None`
 
@@ -100,6 +103,16 @@ Unlike other renderers, the data passed to the `Response` does not need to be se
 
 The TemplateHTMLRenderer will create a `RequestContext`, using the `response.data` as the context dict, and determine a template name to use to render the context.
 
+---
+
+**Note:** When used with a view that makes use of a serializer the `Response` sent for rendering may not be a dictionary and will need to be wrapped in a dict before returning to allow the `TemplateHTMLRenderer` to render it. For example:
+
+```
+response.data = {'results': response.data}
+```
+
+---
+
 The template name is determined by (in order of preference):
 
 1. An explicit `template_name` argument passed to the response.
@@ -113,7 +126,7 @@ An example of a view that uses `TemplateHTMLRenderer`:
         A view that returns a templated HTML representation of a given user.
         """
         queryset = User.objects.all()
-        renderer_classes = (TemplateHTMLRenderer,)
+        renderer_classes = [TemplateHTMLRenderer]
 
         def get(self, request, *args, **kwargs):
             self.object = self.get_object()
@@ -123,9 +136,11 @@ You can use `TemplateHTMLRenderer` either to return regular HTML pages using RES
 
 If you're building websites that use `TemplateHTMLRenderer` along with other renderer classes, you should consider listing `TemplateHTMLRenderer` as the first class in the `renderer_classes` list, so that it will be prioritised first even for browsers that send poorly formed `ACCEPT:` headers.
 
+See the [_HTML & Forms_ Topic Page][html-and-forms] for further examples of `TemplateHTMLRenderer` usage.
+
 **.media_type**: `text/html`
 
-**.format**: `'.html'`
+**.format**: `'html'`
 
 **.charset**: `utf-8`
 
@@ -137,8 +152,8 @@ A simple renderer that simply returns pre-rendered HTML.  Unlike other renderers
 
 An example of a view that uses `StaticHTMLRenderer`:
 
-    @api_view(('GET',))
-    @renderer_classes((StaticHTMLRenderer,))
+    @api_view(['GET'])
+    @renderer_classes([StaticHTMLRenderer])
     def simple_html_view(request):
         data = '<html><body><h1>Hello, world</h1></body></html>'
         return Response(data)
@@ -147,33 +162,23 @@ You can use `StaticHTMLRenderer` either to return regular HTML pages using REST
 
 **.media_type**: `text/html`
 
-**.format**: `'.html'`
+**.format**: `'html'`
 
 **.charset**: `utf-8`
 
 See also: `TemplateHTMLRenderer`
 
-## HTMLFormRenderer
-
-Renders data returned by a serializer into an HTML form.  The output of this renderer does not include the enclosing `<form>` tags or an submit actions, as you'll probably need those to include the desired method and URL.  Also note that the `HTMLFormRenderer` does not yet support including field error messages.
-
-Note that the template used by the `HTMLFormRenderer` class, and the context submitted to it **may be subject to change**.  If you need to use this renderer class it is advised that you either make a local copy of the class and templates, or follow the release note on REST framework upgrades closely.
-
-**.media_type**: `text/html`
-
-**.format**: `'.form'`
-
-**.charset**: `utf-8`
-
-**.template**: `'rest_framework/form.html'`
-
 ## BrowsableAPIRenderer
 
-Renders data into HTML for the Browsable API.  This renderer will determine which other renderer would have been given highest priority, and use that to display an API style response within the HTML page.
+Renders data into HTML for the Browsable API:
+
+![The BrowsableAPIRenderer](../img/quickstart.png)
+
+This renderer will determine which other renderer would have been given highest priority, and use that to display an API style response within the HTML page.
 
 **.media_type**: `text/html`
 
-**.format**: `'.api'`
+**.format**: `'api'`
 
 **.charset**: `utf-8`
 
@@ -181,19 +186,70 @@ Renders data into HTML for the Browsable API.  This renderer will determine whic
 
 #### Customizing BrowsableAPIRenderer
 
-By default the response content will be rendered with the highest priority renderer apart from `BrowseableAPIRenderer`.  If you need to customize this behavior, for example to use HTML as the default return format, but use JSON in the browsable API, you can do so by overriding the `get_default_renderer()` method.  For example:
+By default the response content will be rendered with the highest priority renderer apart from `BrowsableAPIRenderer`.  If you need to customize this behavior, for example to use HTML as the default return format, but use JSON in the browsable API, you can do so by overriding the `get_default_renderer()` method.  For example:
 
     class CustomBrowsableAPIRenderer(BrowsableAPIRenderer):
         def get_default_renderer(self, view):
             return JSONRenderer()
 
+## AdminRenderer
+
+Renders data into HTML for an admin-like display:
+
+![The AdminRender view](../img/admin.png)
+
+This renderer is suitable for CRUD-style web APIs that should also present a user-friendly interface for managing the data.
+
+Note that views that have nested or list serializers for their input won't work well with the `AdminRenderer`, as the HTML forms are unable to properly support them.
+
+**Note**: The `AdminRenderer` is only able to include links to detail pages when a properly configured `URL_FIELD_NAME` (`url` by default) attribute is present in the data. For `HyperlinkedModelSerializer` this will be the case, but for `ModelSerializer` or plain `Serializer` classes you'll need to make sure to include the field explicitly. For example here we use models `get_absolute_url` method:
+
+    class AccountSerializer(serializers.ModelSerializer):
+        url = serializers.CharField(source='get_absolute_url', read_only=True)
+
+        class Meta:
+            model = Account
+
+
+**.media_type**: `text/html`
+
+**.format**: `'admin'`
+
+**.charset**: `utf-8`
+
+**.template**: `'rest_framework/admin.html'`
+
+## HTMLFormRenderer
+
+Renders data returned by a serializer into an HTML form. The output of this renderer does not include the enclosing `<form>` tags, a hidden CSRF input or any submit buttons.
+
+This renderer is not intended to be used directly, but can instead be used in templates by passing a serializer instance to the `render_form` template tag.
+
+    {% load rest_framework %}
+
+    <form action="/submit-report/" method="post">
+        {% csrf_token %}
+        {% render_form serializer %}
+        <input type="submit" value="Save" />
+    </form>
+
+For more information see the [HTML & Forms][html-and-forms] documentation.
+
+**.media_type**: `text/html`
+
+**.format**: `'form'`
+
+**.charset**: `utf-8`
+
+**.template**: `'rest_framework/horizontal/form.html'`
+
 ## MultiPartRenderer
 
 This renderer is used for rendering HTML multipart form data.  **It is not suitable as a response renderer**, but is instead used for creating test requests, using REST framework's [test client and test request factory][testing].
 
 **.media_type**: `multipart/form-data; boundary=BoUnDaRyStRiNg`
 
-**.format**: `'.multipart'`
+**.format**: `'multipart'`
 
 **.charset**: `utf-8`
 
@@ -201,7 +257,7 @@ This renderer is used for rendering HTML multipart form data.  **It is not suita
 
 # Custom renderers
 
-To implement a custom renderer, you should override `BaseRenderer`, set the `.media_type` and `.format` properties, and implement the `.render(self, data, media_type=None, renderer_context=None)` method.
+To implement a custom renderer, you should override `BaseRenderer`, set the `.media_type` and `.format` properties, and implement the `.render(self, data, accepted_media_type=None, renderer_context=None)` method.
 
 The method should return a bytestring, which will be used as the body of the HTTP response.
 
@@ -211,7 +267,7 @@ The arguments passed to the `.render()` method are:
 
 The request data, as set by the `Response()` instantiation.
 
-### `media_type=None`
+### `accepted_media_type=None`
 
 Optional.  If provided, this is the accepted media type, as determined by the content negotiation stage.
 
@@ -227,7 +283,7 @@ By default this will include the following keys: `view`, `request`, `response`,
 
 The following is an example plaintext renderer that will return a response with the `data` parameter as the content of the response.
 
-    from django.utils.encoding import smart_unicode
+    from django.utils.encoding import smart_str
     from rest_framework import renderers
 
 
@@ -235,8 +291,8 @@ The following is an example plaintext renderer that will return a response with
         media_type = 'text/plain'
         format = 'txt'
 
-        def render(self, data, media_type=None, renderer_context=None):
-            return data.encode(self.charset)
+        def render(self, data, accepted_media_type=None, renderer_context=None):
+            return smart_str(data, encoding=self.charset)
 
 ## Setting the character set
 
@@ -247,7 +303,7 @@ By default renderer classes are assumed to be using the `UTF-8` encoding.  To us
         format = 'txt'
         charset = 'iso-8859-1'
 
-        def render(self, data, media_type=None, renderer_context=None):
+        def render(self, data, accepted_media_type=None, renderer_context=None):
             return data.encode(self.charset)
 
 Note that if a renderer class returns a unicode string, then the response content will be coerced into a bytestring by the `Response` class, with the `charset` attribute set on the renderer used to determine the encoding.
@@ -262,7 +318,7 @@ In some cases you may also want to set the `render_style` attribute to `'binary'
         charset = None
         render_style = 'binary'
 
-        def render(self, data, media_type=None, renderer_context=None):
+        def render(self, data, accepted_media_type=None, renderer_context=None):
             return data
 
 ---
@@ -276,14 +332,14 @@ You can do some pretty flexible things using REST framework's renderers.  Some e
 * Specify multiple types of HTML representation for API clients to use.
 * Underspecify a renderer's media type, such as using `media_type = 'image/*'`, and use the `Accept` header to vary the encoding of the response.
 
-## Varying behaviour by media type
+## Varying behavior by media type
 
 In some cases you might want your view to use different serialization styles depending on the accepted media type.  If you need to do this you can access `request.accepted_renderer` to determine the negotiated renderer that will be used for the response.
 
 For example:
 
-    @api_view(('GET',))
-    @renderer_classes((TemplateHTMLRenderer, JSONRenderer))
+    @api_view(['GET'])
+    @renderer_classes([TemplateHTMLRenderer, JSONRenderer])
     def list_users(request):
         """
         A view that can return JSON or HTML representations
@@ -355,12 +411,12 @@ Install using pip.
 Modify your REST framework settings.
 
     REST_FRAMEWORK = {
-        'DEFAULT_PARSER_CLASSES': (
+        'DEFAULT_PARSER_CLASSES': [
             'rest_framework_yaml.parsers.YAMLParser',
-        ),
-        'DEFAULT_RENDERER_CLASSES': (
+        ],
+        'DEFAULT_RENDERER_CLASSES': [
             'rest_framework_yaml.renderers.YAMLRenderer',
-        ),
+        ],
     }
 
 ## XML
@@ -376,12 +432,12 @@ Install using pip.
 Modify your REST framework settings.
 
     REST_FRAMEWORK = {
-        'DEFAULT_PARSER_CLASSES': (
+        'DEFAULT_PARSER_CLASSES': [
             'rest_framework_xml.parsers.XMLParser',
-        ),
-        'DEFAULT_RENDERER_CLASSES': (
+        ],
+        'DEFAULT_RENDERER_CLASSES': [
             'rest_framework_xml.renderers.XMLRenderer',
-        ),
+        ],
     }
 
 ## JSONP
@@ -405,22 +461,59 @@ Install using pip.
 Modify your REST framework settings.
 
     REST_FRAMEWORK = {
-        'DEFAULT_RENDERER_CLASSES': (
+        'DEFAULT_RENDERER_CLASSES': [
             'rest_framework_jsonp.renderers.JSONPRenderer',
-        ),
+        ],
     }
 
 ## MessagePack
 
 [MessagePack][messagepack] is a fast, efficient binary serialization format.  [Juan Riaza][juanriaza] maintains the [djangorestframework-msgpack][djangorestframework-msgpack] package which provides MessagePack renderer and parser support for REST framework.
 
+## Microsoft Excel: XLSX (Binary Spreadsheet Endpoints)
+
+XLSX is the world's most popular binary spreadsheet format. [Tim Allen][flipperpa] of [The Wharton School][wharton] maintains [drf-excel][drf-excel], which renders an endpoint as an XLSX spreadsheet using OpenPyXL, and allows the client to download it. Spreadsheets can be styled on a per-view basis.
+
+#### Installation & configuration
+
+Install using pip.
+
+    $ pip install drf-excel
+
+Modify your REST framework settings.
+
+    REST_FRAMEWORK = {
+        ...
+
+        'DEFAULT_RENDERER_CLASSES': [
+            'rest_framework.renderers.JSONRenderer',
+            'rest_framework.renderers.BrowsableAPIRenderer',
+            'drf_excel.renderers.XLSXRenderer',
+        ],
+    }
+
+To avoid having a file streamed without a filename (which the browser will often default to the filename "download", with no extension), we need to use a mixin to override the `Content-Disposition` header. If no filename is provided, it will default to `export.xlsx`. For example:
+
+    from rest_framework.viewsets import ReadOnlyModelViewSet
+    from drf_excel.mixins import XLSXFileMixin
+    from drf_excel.renderers import XLSXRenderer
+
+    from .models import MyExampleModel
+    from .serializers import MyExampleSerializer
+
+    class MyExampleViewSet(XLSXFileMixin, ReadOnlyModelViewSet):
+        queryset = MyExampleModel.objects.all()
+        serializer_class = MyExampleSerializer
+        renderer_classes = [XLSXRenderer]
+        filename = 'my_export.xlsx'
+
 ## CSV
 
 Comma-separated values are a plain-text tabular data format, that can be easily imported into spreadsheet applications. [Mjumbe Poe][mjumbewu] maintains the [djangorestframework-csv][djangorestframework-csv] package which provides CSV renderer support for REST framework.
 
 ## UltraJSON
 
-[UltraJSON][ultrajson] is an optimized C JSON encoder which can give significantly faster JSON rendering. [Jacob Haslehurst][hzy] maintains the [drf-ujson-renderer][drf-ujson-renderer] package which implements JSON rendering using the UJSON package.
+[UltraJSON][ultrajson] is an optimized C JSON encoder which can give significantly faster JSON rendering. [Adam Mertz][Amertz08] maintains [drf_ujson2][drf_ujson2], a fork of the now unmaintained [drf-ujson-renderer][drf-ujson-renderer], which implements JSON rendering using the UJSON package.
 
 ## CamelCase JSON
 
@@ -430,37 +523,48 @@ Comma-separated values are a plain-text tabular data format, that can be easily
 
 [Django REST Pandas] provides a serializer and renderers that support additional data processing and output via the [Pandas] DataFrame API.  Django REST Pandas includes renderers for Pandas-style CSV files, Excel workbooks (both `.xls` and `.xlsx`), and a number of [other formats]. It is maintained by [S. Andrew Sheppard][sheppard] as part of the [wq Project][wq].
 
+## LaTeX
 
-[cite]: https://docs.djangoproject.com/en/dev/ref/template-response/#the-rendering-process
+[Rest Framework Latex] provides a renderer that outputs PDFs using Lualatex. It is maintained by [Pebble (S/F Software)][mypebble].
+
+
+[cite]: https://docs.djangoproject.com/en/stable/ref/template-response/#the-rendering-process
 [conneg]: content-negotiation.md
+[html-and-forms]: ../topics/html-and-forms.md
 [browser-accept-headers]: http://www.gethifi.com/blog/browser-rest-http-accept-headers
 [testing]: testing.md
 [HATEOAS]: http://timelessrepo.com/haters-gonna-hateoas
-[quote]: http://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypertext-driven
-[application/vnd.github+json]: http://developer.github.com/v3/media/
+[quote]: https://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypertext-driven
+[application/vnd.github+json]: https://developer.github.com/v3/media/
 [application/vnd.collection+json]: http://www.amundsen.com/media-types/collection/
-[django-error-views]: https://docs.djangoproject.com/en/dev/topics/http/views/#customizing-error-views
-[rest-framework-jsonp]: http://jpadilla.github.io/django-rest-framework-jsonp/
-[cors]: http://www.w3.org/TR/cors/
-[cors-docs]: http://www.django-rest-framework.org/topics/ajax-csrf-cors/
-[jsonp-security]: http://stackoverflow.com/questions/613962/is-jsonp-safe-to-use
-[rest-framework-yaml]: http://jpadilla.github.io/django-rest-framework-yaml/
-[rest-framework-xml]: http://jpadilla.github.io/django-rest-framework-xml/
-[messagepack]: http://msgpack.org/
+[django-error-views]: https://docs.djangoproject.com/en/stable/topics/http/views/#customizing-error-views
+[rest-framework-jsonp]: https://jpadilla.github.io/django-rest-framework-jsonp/
+[cors]: https://www.w3.org/TR/cors/
+[cors-docs]: https://www.django-rest-framework.org/topics/ajax-csrf-cors/
+[jsonp-security]: https://stackoverflow.com/questions/613962/is-jsonp-safe-to-use
+[rest-framework-yaml]: https://jpadilla.github.io/django-rest-framework-yaml/
+[rest-framework-xml]: https://jpadilla.github.io/django-rest-framework-xml/
+[messagepack]: https://msgpack.org/
 [juanriaza]: https://github.com/juanriaza
 [mjumbewu]: https://github.com/mjumbewu
+[flipperpa]: https://github.com/flipperpa
+[wharton]: https://github.com/wharton
+[drf-excel]: https://github.com/wharton/drf-excel
 [vbabiy]: https://github.com/vbabiy
-[rest-framework-yaml]: http://jpadilla.github.io/django-rest-framework-yaml/
-[rest-framework-xml]: http://jpadilla.github.io/django-rest-framework-xml/
+[rest-framework-yaml]: https://jpadilla.github.io/django-rest-framework-yaml/
+[rest-framework-xml]: https://jpadilla.github.io/django-rest-framework-xml/
 [yaml]: http://www.yaml.org/
 [djangorestframework-msgpack]: https://github.com/juanriaza/django-rest-framework-msgpack
 [djangorestframework-csv]: https://github.com/mjumbewu/django-rest-framework-csv
 [ultrajson]: https://github.com/esnme/ultrajson
-[hzy]: https://github.com/hzy
+[Amertz08]: https://github.com/Amertz08
 [drf-ujson-renderer]: https://github.com/gizmag/drf-ujson-renderer
+[drf_ujson2]: https://github.com/Amertz08/drf_ujson2
 [djangorestframework-camel-case]: https://github.com/vbabiy/djangorestframework-camel-case
 [Django REST Pandas]: https://github.com/wq/django-rest-pandas
-[Pandas]: http://pandas.pydata.org/
+[Pandas]: https://pandas.pydata.org/
 [other formats]: https://github.com/wq/django-rest-pandas#supported-formats
 [sheppard]: https://github.com/sheppard
 [wq]: https://github.com/wq
+[mypebble]: https://github.com/mypebble
+[Rest Framework Latex]: https://github.com/mypebble/rest-framework-latex

docs/api-guide/requests.md

@@ -1,4 +1,7 @@
-source: request.py
+---
+source:
+    - request.py
+---
 
 # Requests
 
@@ -20,7 +23,7 @@ REST framework's Request objects provide flexible request parsing that allows yo
 
 * It includes all parsed content, including *file and non-file* inputs.
 * It supports parsing the content of HTTP methods other than `POST`, meaning that you can access the content of `PUT` and `PATCH` requests.
-* It supports REST framework's flexible request parsing, rather than just supporting form data.  For example you can handle incoming JSON data in the same way that you handle incoming form data.
+* It supports REST framework's flexible request parsing, rather than just supporting form data.  For example you can handle incoming [JSON data] similarly to how you handle incoming [form data].
 
 For more details see the [parsers documentation].
 
@@ -30,14 +33,6 @@ For more details see the [parsers documentation].
 
 For clarity inside your code, we recommend using `request.query_params` instead of the Django's standard `request.GET`. Doing so will help keep your codebase more correct and obvious - any HTTP method type may include query parameters, not just `GET` requests.
 
-## .DATA and .FILES
-
-The old-style version 2.x `request.DATA` and `request.FILES` attributes are still available, but are now pending deprecation in favor of the unified `request.data` attribute.
-
-## .QUERY_PARAMS
-
-The old-style version 2.x `request.QUERY_PARAMS` attribute is still available, but is now pending deprecation in favor of the more pythonic `request.query_params`.
-
 ## .parsers
 
 The `APIView` class or `@api_view` decorator will ensure that this property is automatically set to a list of `Parser` instances, based on the `parser_classes` set on the view or based on the `DEFAULT_PARSER_CLASSES` setting.
@@ -54,11 +49,11 @@ If a client sends a request with a content-type that cannot be parsed then a `Un
 
 # Content negotiation
 
-The request exposes some properties that allow you to determine the result of the content negotiation stage. This allows you to implement behaviour such as selecting a different serialisation schemes for different media types.
+The request exposes some properties that allow you to determine the result of the content negotiation stage. This allows you to implement behavior such as selecting a different serialization schemes for different media types.
 
 ## .accepted_renderer
 
-The renderer instance what was selected by the content negotiation stage.
+The renderer instance that was selected by the content negotiation stage.
 
 ## .accepted_media_type
 
@@ -98,6 +93,10 @@ You won't typically need to access this property.
 
 ---
 
+**Note:** You may see a `WrappedAttributeError` raised when calling the `.user` or `.auth` properties. These errors originate from an authenticator as a standard `AttributeError`, however it's necessary that they be re-raised as a different exception type in order to prevent them from being suppressed by the outer property access. Python will not recognize that the `AttributeError` originates from the authenticator and will instead assume that the request object does not have a `.user` or `.auth` property. The authenticator will need to be fixed.
+
+---
+
 # Browser enhancements
 
 REST framework supports a few browser enhancements such as browser-based `PUT`, `PATCH` and `DELETE` forms.
@@ -126,10 +125,6 @@ For more information see the [browser enhancements documentation].
 
 You won't typically need to directly access the request's content, as you'll normally rely on REST framework's default request parsing behavior.
 
-If you do need to access the raw content directly, you should use the `.stream` property in preference to using `request.content`, as it provides transparent support for browser-based non-form content.
-
-For more information see the [browser enhancements documentation].
-
 ---
 
 # Standard HttpRequest attributes
@@ -141,5 +136,7 @@ Note that due to implementation reasons the `Request` class does not inherit fro
 
 [cite]: https://groups.google.com/d/topic/django-developers/dxI4qVzrBY4/discussion
 [parsers documentation]: parsers.md
+[JSON data]: parsers.md#jsonparser
+[form data]: parsers.md#formparser
 [authentication documentation]: authentication.md
 [browser enhancements documentation]: ../topics/browser-enhancements.md

docs/api-guide/responses.md

@@ -1,4 +1,7 @@
-source: response.py
+---
+source:
+    - response.py
+---
 
 # Responses
 
@@ -42,7 +45,7 @@ Arguments:
 
 ## .data
 
-The unrendered content of a `Request` object.
+The unrendered, serialized data of the response.
 
 ## .status_code
 
@@ -91,5 +94,5 @@ As with any other `TemplateResponse`, this method is called to render the serial
 
 You won't typically need to call `.render()` yourself, as it's handled by Django's standard response cycle.
 
-[cite]: https://docs.djangoproject.com/en/dev/ref/template-response/
+[cite]: https://docs.djangoproject.com/en/stable/ref/template-response/
 [statuscodes]: status-codes.md

docs/api-guide/reverse.md

@@ -1,4 +1,7 @@
-source: reverse.py
+---
+source:
+    - reverse.py
+---
 
 # Returning URLs
 
@@ -23,33 +26,33 @@ There's no requirement for you to use them, but if you do then the self-describi
 
 **Signature:** `reverse(viewname, *args, **kwargs)`
 
-Has the same behavior as [`django.core.urlresolvers.reverse`][reverse], except that it returns a fully qualified URL, using the request to determine the host and port.
+Has the same behavior as [`django.urls.reverse`][reverse], except that it returns a fully qualified URL, using the request to determine the host and port.
 
 You should **include the request as a keyword argument** to the function, for example:
 
     from rest_framework.reverse import reverse
     from rest_framework.views import APIView
-	from django.utils.timezone import now
+    from django.utils.timezone import now
 
-	class APIRootView(APIView):
-	    def get(self, request):
-	        year = now().year
-			data = {
- 				...
-    		    'year-summary-url': reverse('year-summary', args=[year], request=request)
+    class APIRootView(APIView):
+        def get(self, request):
+            year = now().year
+            data = {
+                ...
+                'year-summary-url': reverse('year-summary', args=[year], request=request)
             }
-    		return Response(data)
+            return Response(data)
 
 ## reverse_lazy
 
 **Signature:** `reverse_lazy(viewname, *args, **kwargs)`
 
-Has the same behavior as [`django.core.urlresolvers.reverse_lazy`][reverse-lazy], except that it returns a fully qualified URL, using the request to determine the host and port.
+Has the same behavior as [`django.urls.reverse_lazy`][reverse-lazy], except that it returns a fully qualified URL, using the request to determine the host and port.
 
 As with the `reverse` function, you should **include the request as a keyword argument** to the function, for example:
 
     api_root = reverse_lazy('api-root', request=request)
 
-[cite]: http://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_1_5
-[reverse]: https://docs.djangoproject.com/en/dev/topics/http/urls/#reverse
-[reverse-lazy]: https://docs.djangoproject.com/en/dev/topics/http/urls/#reverse-lazy
+[cite]: https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_1_5
+[reverse]: https://docs.djangoproject.com/en/stable/ref/urlresolvers/#reverse
+[reverse-lazy]: https://docs.djangoproject.com/en/stable/ref/urlresolvers/#reverse-lazy

docs/api-guide/routers.md

@@ -1,4 +1,7 @@
-source: routers.py
+---
+source:
+    - routers.py
+---
 
 # Routers
 
@@ -28,7 +31,7 @@ There are two mandatory arguments to the `register()` method:
 
 Optionally, you may also specify an additional argument:
 
-* `base_name` - The base to use for the URL names that are created.  If unset the basename will be automatically generated based on the `queryset` attribute of the viewset, if it has one.  Note that if the viewset does not include a `queryset` attribute then you must set `base_name` when registering the viewset.
+* `basename` - The base to use for the URL names that are created.  If unset the basename will be automatically generated based on the `queryset` attribute of the viewset, if it has one.  Note that if the viewset does not include a `queryset` attribute then you must set `basename` when registering the viewset.
 
 The example above would generate the following URL patterns:
 
@@ -39,13 +42,13 @@ The example above would generate the following URL patterns:
 
 ---
 
-**Note**: The `base_name` argument is used to specify the initial part of the view name pattern.  In the example above, that's the `user` or `account` part.
+**Note**: The `basename` argument is used to specify the initial part of the view name pattern.  In the example above, that's the `user` or `account` part.
 
-Typically you won't *need* to specify the `base_name` argument, but if you have a viewset where you've defined a custom `get_queryset` method, then the viewset may not have a `.queryset` attribute set.  If you try to register that viewset you'll see an error like this:
+Typically you won't *need* to specify the `basename` argument, but if you have a viewset where you've defined a custom `get_queryset` method, then the viewset may not have a `.queryset` attribute set.  If you try to register that viewset you'll see an error like this:
 
-    'base_name' argument not specified, and could not automatically determine the name from the viewset, as it does not have a '.queryset' attribute.
+    'basename' argument not specified, and could not automatically determine the name from the viewset, as it does not have a '.queryset' attribute.
 
-This means you'll need to explicitly set the `base_name` argument when registering the viewset, as it could not be automatically determined from the model name.
+This means you'll need to explicitly set the `basename` argument when registering the viewset, as it could not be automatically determined from the model name.
 
 ---
 
@@ -53,104 +56,135 @@ This means you'll need to explicitly set the `base_name` argument when registeri
 
 The `.urls` attribute on a router instance is simply a standard list of URL patterns. There are a number of different styles for how you can include these URLs.
 
-For example, you can append `router.urls` to a list of existing views…
+For example, you can append `router.urls` to a list of existing views...
 
     router = routers.SimpleRouter()
     router.register(r'users', UserViewSet)
     router.register(r'accounts', AccountViewSet)
-    
+
     urlpatterns = [
-        url(r'^forgot-password/$', ForgotPasswordFormView.as_view()),
+        path('forgot-password/', ForgotPasswordFormView.as_view()),
     ]
-    
+
     urlpatterns += router.urls
 
-Alternatively you can use Django's `include` function, like so…
+Alternatively you can use Django's `include` function, like so...
 
     urlpatterns = [
-        url(r'^forgot-password/$', ForgotPasswordFormView.as_view()),
-        url(r'^', include(router.urls)),
+        path('forgot-password', ForgotPasswordFormView.as_view()),
+        path('', include(router.urls)),
     ]
 
-Router URL patterns can also be namespaces.
+You may use `include` with an application namespace:
 
     urlpatterns = [
-        url(r'^forgot-password/$', ForgotPasswordFormView.as_view()),
-        url(r'^api/', include(router.urls, namespace='api')),
+        path('forgot-password/', ForgotPasswordFormView.as_view()),
+        path('api/', include((router.urls, 'app_name'))),
     ]
 
-If using namespacing with hyperlinked serializers you'll also need to ensure that any `view_name` parameters on the serializers correctly reflect the namespace. In the example above you'd need to include a parameter such as `view_name='api:user-detail'` for serializer fields hyperlinked to the user detail view.
+Or both an application and instance namespace:
 
-### Extra link and actions
+    urlpatterns = [
+        path('forgot-password/', ForgotPasswordFormView.as_view()),
+        path('api/', include((router.urls, 'app_name'), namespace='instance_name')),
+    ]
 
-Any methods on the viewset decorated with `@detail_route` or `@list_route` will also be routed.
-For example, given a method like this on the `UserViewSet` class:
+See Django's [URL namespaces docs][url-namespace-docs] and the [`include` API reference][include-api-reference] for more details.
+
+---
+
+**Note**: If using namespacing with hyperlinked serializers you'll also need to ensure that any `view_name` parameters
+on the serializers correctly reflect the namespace. In the examples above you'd need to include a parameter such as
+`view_name='app_name:user-detail'` for serializer fields hyperlinked to the user detail view.
+
+The automatic `view_name` generation uses a pattern like `%(model_name)-detail`. Unless your models names actually clash
+you may be better off **not** namespacing your Django REST Framework views when using hyperlinked serializers.
+
+---
+
+### Routing for extra actions
+
+A viewset may [mark extra actions for routing][route-decorators] by decorating a method with the `@action` decorator. These extra actions will be included in the generated routes. For example, given the `set_password` method on the `UserViewSet` class:
 
     from myapp.permissions import IsAdminOrIsSelf
-    from rest_framework.decorators import detail_route
+    from rest_framework.decorators import action
 
     class UserViewSet(ModelViewSet):
         ...
 
-        @detail_route(methods=['post'], permission_classes=[IsAdminOrIsSelf])
+        @action(methods=['post'], detail=True, permission_classes=[IsAdminOrIsSelf])
         def set_password(self, request, pk=None):
             ...
 
-The following URL pattern would additionally be generated:
+The following route would be generated:
 
-* URL pattern: `^users/{pk}/set_password/$`  Name: `'user-set-password'`
+* URL pattern: `^users/{pk}/set_password/$`
+* URL name: `'user-set-password'`
 
-If you do not want to use the default URL generated for your custom action, you can instead use the url_path parameter to customize it.
+By default, the URL pattern is based on the method name, and the URL name is the combination of the `ViewSet.basename` and the hyphenated method name.
+If you don't want to use the defaults for either of these values, you can instead provide the `url_path` and `url_name` arguments to the `@action` decorator.
 
 For example, if you want to change the URL for our custom action to `^users/{pk}/change-password/$`, you could write:
 
     from myapp.permissions import IsAdminOrIsSelf
-    from rest_framework.decorators import detail_route
-    
+    from rest_framework.decorators import action
+
     class UserViewSet(ModelViewSet):
         ...
-        
-        @detail_route(methods=['post'], permission_classes=[IsAdminOrIsSelf], url_path='change-password')
+
+        @action(methods=['post'], detail=True, permission_classes=[IsAdminOrIsSelf],
+                url_path='change-password', url_name='change_password')
         def set_password(self, request, pk=None):
             ...
 
 The above example would now generate the following URL pattern:
 
-* URL pattern: `^users/{pk}/change-password/$`  Name: `'user-change-password'`
+* URL path: `^users/{pk}/change-password/$`
+* URL name: `'user-change_password'`
 
-For more information see the viewset documentation on [marking extra actions for routing][route-decorators].
+### Using Django `path()` with routers
+
+By default, the URLs created by routers use regular expressions. This behavior can be modified by setting the `use_regex_path` argument to `False` when instantiating the router, in this case [path converters][path-converters-topic-reference] are used. For example:
+
+    router = SimpleRouter(use_regex_path=False)
+
+The router will match lookup values containing any characters except slashes and period characters.  For a more restrictive (or lenient) lookup pattern, set the `lookup_value_regex` attribute on the viewset or `lookup_value_converter` if using path converters.  For example, you can limit the lookup to valid UUIDs:
+
+    class MyModelViewSet(mixins.RetrieveModelMixin, viewsets.GenericViewSet):
+        lookup_field = 'my_model_id'
+        lookup_value_regex = '[0-9a-f]{32}'
+
+    class MyPathModelViewSet(mixins.RetrieveModelMixin, viewsets.GenericViewSet):
+        lookup_field = 'my_model_uuid'
+        lookup_value_converter = 'uuid'
+
+Note that path converters will be used on all URLs registered in the router, including viewset actions.
 
 # API Guide
 
 ## SimpleRouter
 
-This router includes routes for the standard set of `list`, `create`, `retrieve`, `update`, `partial_update` and `destroy` actions.  The viewset can also mark additional methods to be routed, using the `@detail_route` or `@list_route` decorators.
+This router includes routes for the standard set of `list`, `create`, `retrieve`, `update`, `partial_update` and `destroy` actions.  The viewset can also mark additional methods to be routed, using the `@action` decorator.
 
 <table border=1>
     <tr><th>URL Style</th><th>HTTP Method</th><th>Action</th><th>URL Name</th></tr>
     <tr><td rowspan=2>{prefix}/</td><td>GET</td><td>list</td><td rowspan=2>{basename}-list</td></tr></tr>
     <tr><td>POST</td><td>create</td></tr>
-    <tr><td>{prefix}/{methodname}/</td><td>GET, or as specified by `methods` argument</td><td>`@list_route` decorated method</td><td>{basename}-{methodname}</td></tr>
+    <tr><td>{prefix}/{url_path}/</td><td>GET, or as specified by `methods` argument</td><td>`@action(detail=False)` decorated method</td><td>{basename}-{url_name}</td></tr>
     <tr><td rowspan=4>{prefix}/{lookup}/</td><td>GET</td><td>retrieve</td><td rowspan=4>{basename}-detail</td></tr></tr>
     <tr><td>PUT</td><td>update</td></tr>
     <tr><td>PATCH</td><td>partial_update</td></tr>
     <tr><td>DELETE</td><td>destroy</td></tr>
-    <tr><td>{prefix}/{lookup}/{methodname}/</td><td>GET, or as specified by `methods` argument</td><td>`@detail_route` decorated method</td><td>{basename}-{methodname}</td></tr>
+    <tr><td>{prefix}/{lookup}/{url_path}/</td><td>GET, or as specified by `methods` argument</td><td>`@action(detail=True)` decorated method</td><td>{basename}-{url_name}</td></tr>
 </table>
 
-By default the URLs created by `SimpleRouter` are appended with a trailing slash.
+By default, the URLs created by `SimpleRouter` are appended with a trailing slash.
 This behavior can be modified by setting the `trailing_slash` argument to `False` when instantiating the router.  For example:
 
     router = SimpleRouter(trailing_slash=False)
 
 Trailing slashes are conventional in Django, but are not used by default in some other frameworks such as Rails.  Which style you choose to use is largely a matter of preference, although some javascript frameworks may expect a particular routing style.
 
-The router will match lookup values containing any characters except slashes and period characters.  For a more restrictive (or lenient) lookup pattern, set the `lookup_value_regex` attribute on the viewset.  For example, you can limit the lookup to valid UUIDs:
-
-    class MyModelViewSet(mixins.RetrieveModelMixin, viewsets.GenericViewSet):
-        lookup_field = 'my_model_id'
-        lookup_value_regex = '[0-9a-f]{32}'
-
 ## DefaultRouter
 
 This router is similar to `SimpleRouter` as above, but additionally includes a default API root view, that returns a response containing hyperlinks to all the list views.  It also generates routes for optional `.json` style format suffixes.
@@ -160,12 +194,12 @@ This router is similar to `SimpleRouter` as above, but additionally includes a d
     <tr><td>[.format]</td><td>GET</td><td>automatically generated root view</td><td>api-root</td></tr></tr>
     <tr><td rowspan=2>{prefix}/[.format]</td><td>GET</td><td>list</td><td rowspan=2>{basename}-list</td></tr></tr>
     <tr><td>POST</td><td>create</td></tr>
-    <tr><td>{prefix}/{methodname}/[.format]</td><td>GET, or as specified by `methods` argument</td><td>`@list_route` decorated method</td><td>{basename}-{methodname}</td></tr>
+    <tr><td>{prefix}/{url_path}/[.format]</td><td>GET, or as specified by `methods` argument</td><td>`@action(detail=False)` decorated method</td><td>{basename}-{url_name}</td></tr>
     <tr><td rowspan=4>{prefix}/{lookup}/[.format]</td><td>GET</td><td>retrieve</td><td rowspan=4>{basename}-detail</td></tr></tr>
     <tr><td>PUT</td><td>update</td></tr>
     <tr><td>PATCH</td><td>partial_update</td></tr>
     <tr><td>DELETE</td><td>destroy</td></tr>
-    <tr><td>{prefix}/{lookup}/{methodname}/[.format]</td><td>GET, or as specified by `methods` argument</td><td>`@detail_route` decorated method</td><td>{basename}-{methodname}</td></tr>
+    <tr><td>{prefix}/{lookup}/{url_path}/[.format]</td><td>GET, or as specified by `methods` argument</td><td>`@action(detail=True)` decorated method</td><td>{basename}-{url_name}</td></tr>
 </table>
 
 As with `SimpleRouter` the trailing slashes on the URL routes can be removed by setting the `trailing_slash` argument to `False` when instantiating the router.
@@ -174,7 +208,7 @@ As with `SimpleRouter` the trailing slashes on the URL routes can be removed by
 
 # Custom Routers
 
-Implementing a custom router isn't something you'd need to do very often, but it can be useful if you have specific requirements about how the your URLs for your API are structured.  Doing so allows you to encapsulate the URL structure in a reusable way that ensures you don't have to write your URL patterns explicitly for each new view.
+Implementing a custom router isn't something you'd need to do very often, but it can be useful if you have specific requirements about how the URLs for your API are structured.  Doing so allows you to encapsulate the URL structure in a reusable way that ensures you don't have to write your URL patterns explicitly for each new view.
 
 The simplest way to implement a custom router is to subclass one of the existing router classes.  The `.routes` attribute is used to template the URL patterns that will be mapped to each viewset. The `.routes` attribute is a list of `Route` named tuples.
 
@@ -192,18 +226,18 @@ The arguments to the `Route` named tuple are:
 
 * `{basename}` - The base to use for the URL names that are created.
 
-**initkwargs**: A dictionary of any additional arguments that should be passed when instantiating the view.  Note that the `suffix` argument is reserved for identifying the viewset type, used when generating the view name and breadcrumb links.
+**initkwargs**: A dictionary of any additional arguments that should be passed when instantiating the view.  Note that the `detail`, `basename`, and `suffix` arguments are reserved for viewset introspection and are also used by the browsable API to generate the view name and breadcrumb links.
 
 ## Customizing dynamic routes
 
-You can also customize how the `@list_route` and `@detail_route` decorators are routed.
-To route either or both of these decorators, include a `DynamicListRoute` and/or `DynamicDetailRoute` named tuple in the `.routes` list.
+You can also customize how the `@action` decorator is routed. Include the `DynamicRoute` named tuple in the `.routes` list, setting the `detail` argument as appropriate for the list-based and detail-based routes. In addition to `detail`, the arguments to `DynamicRoute` are:
 
-The arguments to `DynamicListRoute` and `DynamicDetailRoute` are:
+**url**: A string representing the URL to be routed. May include the same format strings as `Route`, and additionally accepts the `{url_path}` format string.
 
-**url**: A string representing the URL to be routed. May include the same format strings as `Route`, and additionally accepts the `{methodname}` and `{methodnamehyphen}` format strings.
+**name**: The name of the URL as used in `reverse` calls. May include the following format strings:
 
-**name**: The name of the URL as used in `reverse` calls. May include the following format strings: `{basename}`, `{methodname}` and `{methodnamehyphen}`.
+* `{basename}` - The base to use for the URL names that are created.
+* `{url_name}` - The `url_name` provided to the `@action`.
 
 **initkwargs**: A dictionary of any additional arguments that should be passed when instantiating the view.
 
@@ -211,7 +245,7 @@ The arguments to `DynamicListRoute` and `DynamicDetailRoute` are:
 
 The following example will only route to the `list` and `retrieve` actions, and does not use the trailing slash convention.
 
-    from rest_framework.routers import Route, DynamicDetailRoute, SimpleRouter
+    from rest_framework.routers import Route, DynamicRoute, SimpleRouter
 
     class CustomReadOnlyRouter(SimpleRouter):
         """
@@ -219,22 +253,25 @@ The following example will only route to the `list` and `retrieve` actions, and
         """
         routes = [
             Route(
-            	url=r'^{prefix}$',
-            	mapping={'get': 'list'},
-            	name='{basename}-list',
-            	initkwargs={'suffix': 'List'}
+                url=r'^{prefix}$',
+                mapping={'get': 'list'},
+                name='{basename}-list',
+                detail=False,
+                initkwargs={'suffix': 'List'}
             ),
             Route(
-            	url=r'^{prefix}/{lookup}$',
-               mapping={'get': 'retrieve'},
-               name='{basename}-detail',
-               initkwargs={'suffix': 'Detail'}
+                url=r'^{prefix}/{lookup}$',
+                mapping={'get': 'retrieve'},
+                name='{basename}-detail',
+                detail=True,
+                initkwargs={'suffix': 'Detail'}
             ),
-            DynamicDetailRoute(
-            	url=r'^{prefix}/{lookup}/{methodnamehyphen}$',
-            	name='{basename}-{methodnamehyphen}',
-            	initkwargs={}
-        	)
+            DynamicRoute(
+                url=r'^{prefix}/{lookup}/{url_path}$',
+                name='{basename}-{url_name}',
+                detail=True,
+                initkwargs={}
+            )
         ]
 
 Let's take a look at the routes our `CustomReadOnlyRouter` would generate for a simple viewset.
@@ -249,8 +286,8 @@ Let's take a look at the routes our `CustomReadOnlyRouter` would generate for a
         serializer_class = UserSerializer
         lookup_field = 'username'
 
-        @detail_route()
-        def group_names(self, request):
+        @action(detail=True)
+        def group_names(self, request, pk=None):
             """
             Returns a list of all the group names that the given
             user belongs to.
@@ -263,7 +300,7 @@ Let's take a look at the routes our `CustomReadOnlyRouter` would generate for a
 
     router = CustomReadOnlyRouter()
     router.register('users', UserViewSet)
-	urlpatterns = router.urls
+    urlpatterns = router.urls
 
 The following mappings would be generated...
 
@@ -271,7 +308,7 @@ The following mappings would be generated...
     <tr><th>URL</th><th>HTTP Method</th><th>Action</th><th>URL Name</th></tr>
     <tr><td>/users</td><td>GET</td><td>list</td><td>user-list</td></tr>
     <tr><td>/users/{username}</td><td>GET</td><td>retrieve</td><td>user-detail</td></tr>
-    <tr><td>/users/{username}/group-names</td><td>GET</td><td>group_names</td><td>user-group-names</td></tr>
+    <tr><td>/users/{username}/group_names</td><td>GET</td><td>group_names</td><td>user-group-names</td></tr>
 </table>
 
 For another example of setting the `.routes` attribute, see the source code for the `SimpleRouter` class.
@@ -280,7 +317,7 @@ For another example of setting the `.routes` attribute, see the source code for
 
 If you want to provide totally custom behavior, you can override `BaseRouter` and override the `get_urls(self)` method.  The method should inspect the registered viewsets and return a list of URL patterns.  The registered prefix, viewset and basename tuples may be inspected by accessing the `self.registry` attribute.
 
-You may also want to override the `get_default_base_name(self, viewset)` method, or else always explicitly set the `base_name` argument when registering your viewsets with the router.
+You may also want to override the `get_default_basename(self, viewset)` method, or else always explicitly set the `basename` argument when registering your viewsets with the router.
 
 # Third Party Packages
 
@@ -303,13 +340,16 @@ The [wq.db package][wq.db] provides an advanced [ModelRouter][wq.db-router] clas
 
 The [`DRF-extensions` package][drf-extensions] provides [routers][drf-extensions-routers] for creating [nested viewsets][drf-extensions-nested-viewsets], [collection level controllers][drf-extensions-collection-level-controllers] with [customizable endpoint names][drf-extensions-customizable-endpoint-names].
 
-[cite]: http://guides.rubyonrails.org/routing.html
+[cite]: https://guides.rubyonrails.org/routing.html
 [route-decorators]: viewsets.md#marking-extra-actions-for-routing
 [drf-nested-routers]: https://github.com/alanjds/drf-nested-routers
-[wq.db]: http://wq.io/wq.db
-[wq.db-router]: http://wq.io/docs/router
-[drf-extensions]: http://chibisov.github.io/drf-extensions/docs/
-[drf-extensions-routers]: http://chibisov.github.io/drf-extensions/docs/#routers
-[drf-extensions-nested-viewsets]: http://chibisov.github.io/drf-extensions/docs/#nested-routes
-[drf-extensions-collection-level-controllers]: http://chibisov.github.io/drf-extensions/docs/#collection-level-controllers
-[drf-extensions-customizable-endpoint-names]: http://chibisov.github.io/drf-extensions/docs/#controller-endpoint-name
+[wq.db]: https://wq.io/wq.db
+[wq.db-router]: https://wq.io/docs/router
+[drf-extensions]: https://chibisov.github.io/drf-extensions/docs/
+[drf-extensions-routers]: https://chibisov.github.io/drf-extensions/docs/#routers
+[drf-extensions-nested-viewsets]: https://chibisov.github.io/drf-extensions/docs/#nested-routes
+[drf-extensions-collection-level-controllers]: https://chibisov.github.io/drf-extensions/docs/#collection-level-controllers
+[drf-extensions-customizable-endpoint-names]: https://chibisov.github.io/drf-extensions/docs/#controller-endpoint-name
+[url-namespace-docs]: https://docs.djangoproject.com/en/4.0/topics/http/urls/#url-namespaces
+[include-api-reference]: https://docs.djangoproject.com/en/4.0/ref/urls/#include
+[path-converters-topic-reference]: https://docs.djangoproject.com/en/2.0/topics/http/urls/#path-converters

docs/api-guide/schemas.md

@@ -0,0 +1,465 @@
+---
+source:
+    - schemas
+---
+
+# Schema
+
+> A machine-readable [schema] describes what resources are available via the API, what their URLs are, how they are represented and what operations they support.
+>
+> — Heroku, [JSON Schema for the Heroku Platform API][cite]
+
+---
+
+**Deprecation notice:**
+
+REST framework's built-in support for generating OpenAPI schemas is
+**deprecated** in favor of 3rd party packages that can provide this
+functionality instead. The built-in support will be moved into a separate
+package and then subsequently retired over the next releases.
+
+As a full-fledged replacement, we recommend the [drf-spectacular] package.
+It has extensive support for generating OpenAPI 3 schemas from
+REST framework APIs, with both automatic and customisable options available.
+For further information please refer to
+[Documenting your API](../topics/documenting-your-api.md#drf-spectacular).
+
+---
+
+API schemas are a useful tool that allow for a range of use cases, including
+generating reference documentation, or driving dynamic client libraries that
+can interact with your API.
+
+Django REST Framework provides support for automatic generation of
+[OpenAPI][openapi] schemas.
+
+## Overview
+
+Schema generation has several moving parts. It's worth having an overview:
+
+* `SchemaGenerator` is a top-level class that is responsible for walking your
+  configured URL patterns, finding `APIView` subclasses, enquiring for their
+  schema representation, and compiling the final schema object.
+* `AutoSchema` encapsulates all the details necessary for per-view schema
+  introspection. Is attached to each view via the `schema` attribute. You
+  subclass `AutoSchema` in order to customize your schema.
+* The `generateschema` management command allows you to generate a static schema
+  offline.
+* Alternatively, you can route `SchemaView` to dynamically generate and serve
+  your schema.
+* `settings.DEFAULT_SCHEMA_CLASS` allows you to specify an `AutoSchema`
+  subclass to serve as your project's default.
+
+The following sections explain more.
+
+## Generating an OpenAPI Schema
+
+### Install dependencies
+
+    pip install pyyaml uritemplate inflection
+
+* `pyyaml` is used to generate schema into YAML-based OpenAPI format.
+* `uritemplate` is used internally to get parameters in path.
+* `inflection` is used to pluralize operations more appropriately in the list endpoints.
+
+### Generating a static schema with the `generateschema` management command
+
+If your schema is static, you can use the `generateschema` management command:
+
+```bash
+./manage.py generateschema --file openapi-schema.yml
+```
+
+Once you've generated a schema in this way you can annotate it with any
+additional information that cannot be automatically inferred by the schema
+generator.
+
+You might want to check your API schema into version control and update it
+with each new release, or serve the API schema from your site's static media.
+
+### Generating a dynamic schema with `SchemaView`
+
+If you require a dynamic schema, because foreign key choices depend on database
+values, for example, you can route a `SchemaView` that will generate and serve
+your schema on demand.
+
+To route a `SchemaView`, use the `get_schema_view()` helper.
+
+In `urls.py`:
+
+```python
+from rest_framework.schemas import get_schema_view
+
+urlpatterns = [
+    # ...
+    # Use the `get_schema_view()` helper to add a `SchemaView` to project URLs.
+    #   * `title` and `description` parameters are passed to `SchemaGenerator`.
+    #   * Provide view name for use with `reverse()`.
+    path(
+        "openapi",
+        get_schema_view(
+            title="Your Project", description="API for all things …", version="1.0.0"
+        ),
+        name="openapi-schema",
+    ),
+    # ...
+]
+```
+
+#### `get_schema_view()`
+
+The `get_schema_view()` helper takes the following keyword arguments:
+
+* `title`: May be used to provide a descriptive title for the schema definition.
+* `description`: Longer descriptive text.
+* `version`: The version of the API.
+* `url`: May be used to pass a canonical base URL for the schema.
+
+        schema_view = get_schema_view(
+            title='Server Monitoring API',
+            url='https://www.example.org/api/'
+        )
+
+* `urlconf`: A string representing the import path to the URL conf that you want
+   to generate an API schema for. This defaults to the value of Django's
+   `ROOT_URLCONF` setting.
+
+        schema_view = get_schema_view(
+            title='Server Monitoring API',
+            url='https://www.example.org/api/',
+            urlconf='myproject.urls'
+        )
+
+* `patterns`: List of url patterns to limit the schema introspection to. If you
+  only want the `myproject.api` urls to be exposed in the schema:
+
+        schema_url_patterns = [
+            path('api/', include('myproject.api.urls')),
+        ]
+
+        schema_view = get_schema_view(
+            title='Server Monitoring API',
+            url='https://www.example.org/api/',
+            patterns=schema_url_patterns,
+        )
+* `public`: May be used to specify if schema should bypass views permissions. Default to False
+
+* `generator_class`: May be used to specify a `SchemaGenerator` subclass to be
+  passed to the `SchemaView`.
+* `authentication_classes`: May be used to specify the list of authentication
+  classes that will apply to the schema endpoint. Defaults to
+  `settings.DEFAULT_AUTHENTICATION_CLASSES`
+* `permission_classes`: May be used to specify the list of permission classes
+  that will apply to the schema endpoint. Defaults to
+  `settings.DEFAULT_PERMISSION_CLASSES`.
+* `renderer_classes`: May be used to pass the set of renderer classes that can
+  be used to render the API root endpoint.
+
+
+## SchemaGenerator
+
+**Schema-level customization**
+
+```python
+from rest_framework.schemas.openapi import SchemaGenerator
+```
+
+`SchemaGenerator` is a class that walks a list of routed URL patterns, requests
+the schema for each view and collates the resulting OpenAPI schema.
+
+Typically you won't need to instantiate `SchemaGenerator` yourself, but you can
+do so like so:
+
+    generator = SchemaGenerator(title='Stock Prices API')
+
+Arguments:
+
+* `title` **required**: The name of the API.
+* `description`: Longer descriptive text.
+* `version`: The version of the API. Defaults to `0.1.0`.
+* `url`: The root URL of the API schema. This option is not required unless the schema is included under path prefix.
+* `patterns`: A list of URLs to inspect when generating the schema. Defaults to the project's URL conf.
+* `urlconf`: A URL conf module name to use when generating the schema. Defaults to `settings.ROOT_URLCONF`.
+
+In order to customize the top-level schema, subclass
+`rest_framework.schemas.openapi.SchemaGenerator` and provide your subclass
+as an argument to the `generateschema` command or `get_schema_view()` helper
+function.
+
+### get_schema(self, request=None, public=False)
+
+Returns a dictionary that represents the OpenAPI schema:
+
+    generator = SchemaGenerator(title='Stock Prices API')
+    schema = generator.get_schema()
+
+The `request` argument is optional, and may be used if you want to apply
+per-user permissions to the resulting schema generation.
+
+This is a good point to override if you want to customize the generated
+dictionary For example you might wish to add terms of service to the [top-level
+`info` object][info-object]:
+
+```
+class TOSSchemaGenerator(SchemaGenerator):
+    def get_schema(self, *args, **kwargs):
+        schema = super().get_schema(*args, **kwargs)
+        schema["info"]["termsOfService"] = "https://example.com/tos.html"
+        return schema
+```
+
+## AutoSchema
+
+**Per-View Customization**
+
+```python
+from rest_framework.schemas.openapi import AutoSchema
+```
+
+By default, view introspection is performed by an `AutoSchema` instance
+accessible via the `schema` attribute on `APIView`.
+
+    auto_schema = some_view.schema
+
+`AutoSchema` provides the OpenAPI elements needed for each view, request method
+and path:
+
+* A list of [OpenAPI components][openapi-components]. In DRF terms these are
+  mappings of serializers that describe request and response bodies.
+* The appropriate [OpenAPI operation object][openapi-operation] that describes
+  the endpoint, including path and query parameters for pagination, filtering,
+  and so on.
+
+```python
+components = auto_schema.get_components(...)
+operation = auto_schema.get_operation(...)
+```
+
+In compiling the schema, `SchemaGenerator` calls `get_components()` and
+`get_operation()` for each view, allowed method, and path.
+
+----
+
+**Note**: The automatic introspection of components, and many operation
+parameters relies on the relevant attributes and methods of
+`GenericAPIView`: `get_serializer()`, `pagination_class`, `filter_backends`,
+etc. For basic `APIView` subclasses, default introspection is essentially limited to
+the URL kwarg path parameters for this reason.
+
+----
+
+`AutoSchema` encapsulates the view introspection needed for schema generation.
+Because of this all the schema generation logic is kept in a single place,
+rather than being spread around the already extensive view, serializer and
+field APIs.
+
+Keeping with this pattern, try not to let schema logic leak into your own
+views, serializers, or fields when customizing the schema generation. You might
+be tempted to do something like this:
+
+```python
+class CustomSchema(AutoSchema):
+    """
+    AutoSchema subclass using schema_extra_info on the view.
+    """
+
+    ...
+
+
+class CustomView(APIView):
+    schema = CustomSchema()
+    schema_extra_info = ...  # some extra info
+```
+
+Here, the `AutoSchema` subclass goes looking for `schema_extra_info` on the
+view. This is _OK_ (it doesn't actually hurt) but it means you'll end up with
+your schema logic spread out in a number of different places.
+
+Instead try to subclass `AutoSchema` such that the `extra_info` doesn't leak
+out into the view:
+
+```python
+class BaseSchema(AutoSchema):
+    """
+    AutoSchema subclass that knows how to use extra_info.
+    """
+
+    ...
+
+
+class CustomSchema(BaseSchema):
+    extra_info = ...  # some extra info
+
+
+class CustomView(APIView):
+    schema = CustomSchema()
+```
+
+This style is slightly more verbose but maintains the encapsulation of the
+schema related code. It's more _cohesive_ in the _parlance_. It'll keep the
+rest of your API code more tidy.
+
+If an option applies to many view classes, rather than creating a specific
+subclass per-view, you may find it more convenient to allow specifying the
+option as an `__init__()` kwarg to your base `AutoSchema` subclass:
+
+```python
+class CustomSchema(BaseSchema):
+    def __init__(self, **kwargs):
+        # store extra_info for later
+        self.extra_info = kwargs.pop("extra_info")
+        super().__init__(**kwargs)
+
+
+class CustomView(APIView):
+    schema = CustomSchema(extra_info=...)  # some extra info
+```
+
+This saves you having to create a custom subclass per-view for a commonly used option.
+
+Not all `AutoSchema` methods expose related `__init__()` kwargs, but those for
+the more commonly needed options do.
+
+### `AutoSchema` methods
+
+#### `get_components()`
+
+Generates the OpenAPI components that describe request and response bodies,
+deriving their properties from the serializer.
+
+Returns a dictionary mapping the component name to the generated
+representation. By default this has just a single pair but you may override
+`get_components()` to return multiple pairs if your view uses multiple
+serializers.
+
+#### `get_component_name()`
+
+Computes the component's name from the serializer.
+
+You may see warnings if your API has duplicate component names. If so you can override `get_component_name()` or pass the `component_name` `__init__()` kwarg (see below) to provide different names.
+
+#### `get_reference()`
+
+Returns a reference to the serializer component. This may be useful if you override `get_schema()`.
+
+
+#### `map_serializer()`
+
+Maps serializers to their OpenAPI representations.
+
+Most serializers should conform to the standard OpenAPI `object` type, but you may
+wish to override `map_serializer()` in order to customize this or other
+serializer-level fields.
+
+#### `map_field()`
+
+Maps individual serializer fields to their schema representation. The base implementation
+will handle the default fields that Django REST Framework provides.
+
+For `SerializerMethodField` instances, for which the schema is unknown, or custom field subclasses you should override `map_field()` to generate the correct schema:
+
+```python
+class CustomSchema(AutoSchema):
+    """Extension of ``AutoSchema`` to add support for custom field schemas."""
+
+    def map_field(self, field):
+        # Handle SerializerMethodFields or custom fields here...
+        # ...
+        return super().map_field(field)
+```
+
+Authors of third-party packages should aim to provide an `AutoSchema` subclass,
+and a mixin, overriding `map_field()` so that users can easily generate schemas
+for their custom fields.
+
+#### `get_tags()`
+
+OpenAPI groups operations by tags. By default tags taken from the first path
+segment of the routed URL. For example, a URL like `/users/{id}/` will generate
+the tag `users`.
+
+You can pass an `__init__()` kwarg to manually specify tags (see below), or
+override `get_tags()` to provide custom logic.
+
+#### `get_operation()`
+
+Returns the [OpenAPI operation object][openapi-operation] that describes the
+endpoint, including path and query parameters for pagination, filtering, and so
+on.
+
+Together with `get_components()`, this is the main entry point to the view
+introspection.
+
+#### `get_operation_id()`
+
+There must be a unique [operationid](openapi-operationid) for each operation.
+By default the `operationId` is deduced from the model name, serializer name or
+view name. The operationId looks like "listItems", "retrieveItem",
+"updateItem", etc. The `operationId` is camelCase by convention.
+
+#### `get_operation_id_base()`
+
+If you have several views with the same model name, you may see duplicate
+operationIds.
+
+In order to work around this, you can override `get_operation_id_base()` to
+provide a different base for name part of the ID.
+
+#### `get_serializer()`
+
+If the view has implemented `get_serializer()`, returns the result.
+
+#### `get_request_serializer()`
+
+By default returns `get_serializer()` but can be overridden to
+differentiate between request and response objects.
+
+#### `get_response_serializer()`
+
+By default returns `get_serializer()` but can be overridden to
+differentiate between request and response objects.
+
+### `AutoSchema.__init__()` kwargs
+
+`AutoSchema` provides a number of `__init__()` kwargs that can be used for
+common customizations, if the default generated values are not appropriate.
+
+The available kwargs are:
+
+* `tags`: Specify a list of tags.
+* `component_name`: Specify the component name.
+* `operation_id_base`: Specify the resource-name part of operation IDs.
+
+You pass the kwargs when declaring the `AutoSchema` instance on your view:
+
+```
+class PetDetailView(generics.RetrieveUpdateDestroyAPIView):
+    schema = AutoSchema(
+        tags=['Pets'],
+        component_name='Pet',
+        operation_id_base='Pet',
+    )
+    ...
+```
+
+Assuming a `Pet` model and `PetSerializer` serializer, the kwargs in this
+example are probably not needed. Often, though, you'll need to pass the kwargs
+if you have multiple view targeting the same model, or have multiple views with
+identically named serializers.
+
+If your views have related customizations that are needed frequently, you can
+create a base `AutoSchema` subclass for your project that takes additional
+`__init__()` kwargs to save subclassing `AutoSchema` for each view.
+
+[cite]: https://blog.heroku.com/archives/2014/1/8/json_schema_for_heroku_platform_api
+[openapi]: https://github.com/OAI/OpenAPI-Specification
+[openapi-specification-extensions]: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md#specification-extensions
+[openapi-operation]: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md#operationObject
+[openapi-tags]: https://swagger.io/specification/#tagObject
+[openapi-operationid]: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md#fixed-fields-17
+[openapi-components]: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md#componentsObject
+[openapi-reference]: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md#referenceObject
+[openapi-generator]: https://github.com/OpenAPITools/openapi-generator
+[swagger-codegen]: https://github.com/swagger-api/swagger-codegen
+[info-object]: https://swagger.io/specification/#infoObject
+[drf-spectacular]: https://drf-spectacular.readthedocs.io/en/latest/readme.html

docs/api-guide/serializers.md

@@ -1,4 +1,7 @@
-source: serializers.py
+---
+source:
+    - serializers.py
+---
 
 # Serializers
 
@@ -18,7 +21,7 @@ Let's start by creating a simple object we can use for example purposes:
 
     from datetime import datetime
 
-    class Comment(object):
+    class Comment:
         def __init__(self, email, content, created=None):
             self.email = email
             self.content = content
@@ -43,7 +46,7 @@ We can now use `CommentSerializer` to serialize a comment, or list of comments.
 
     serializer = CommentSerializer(comment)
     serializer.data
-    # {'email': u'leila@example.com', 'content': u'foo bar', 'created': datetime.datetime(2012, 8, 22, 16, 20, 9, 822774)}
+    # {'email': 'leila@example.com', 'content': 'foo bar', 'created': '2016-01-27T15:17:10.375877'}
 
 At this point we've translated the model instance into Python native datatypes.  To finalise the serialization process we render the data into `json`.
 
@@ -51,16 +54,16 @@ At this point we've translated the model instance into Python native datatypes.
 
     json = JSONRenderer().render(serializer.data)
     json
-    # '{"email": "leila@example.com", "content": "foo bar", "created": "2012-08-22T16:20:09.822"}'
+    # b'{"email":"leila@example.com","content":"foo bar","created":"2016-01-27T15:17:10.375877"}'
 
 ## Deserializing objects
 
 Deserialization is similar. First we parse a stream into Python native datatypes...
 
-    from django.utils.six import BytesIO
+    import io
     from rest_framework.parsers import JSONParser
 
-    stream = BytesIO(json)
+    stream = io.BytesIO(json)
     data = JSONParser().parse(stream)
 
 ...then we restore those native datatypes into a dictionary of validated data.
@@ -73,7 +76,7 @@ Deserialization is similar. First we parse a stream into Python native datatypes
 
 ## Saving instances
 
-If we want to be able to return complete object instances based on the validated data we need to implement one or both of the `.create()` and `update()` methods. For example:
+If we want to be able to return complete object instances based on the validated data we need to implement one or both of the `.create()` and `.update()` methods. For example:
 
     class CommentSerializer(serializers.Serializer):
         email = serializers.EmailField()
@@ -113,7 +116,7 @@ Calling `.save()` will either create a new instance, or update an existing insta
     # .save() will update the existing `comment` instance.
     serializer = CommentSerializer(comment, data=data)
 
-Both the `.create()` and `.update()` methods are optional. You can implement either neither, one, or both of them, depending on the use-case for your serializer class.
+Both the `.create()` and `.update()` methods are optional. You can implement either none, one, or both of them, depending on the use-case for your serializer class.
 
 #### Passing additional attributes to `.save()`
 
@@ -152,13 +155,13 @@ When deserializing data, you always need to call `is_valid()` before attempting
     serializer.is_valid()
     # False
     serializer.errors
-    # {'email': [u'Enter a valid e-mail address.'], 'created': [u'This field is required.']}
+    # {'email': ['Enter a valid e-mail address.'], 'created': ['This field is required.']}
 
 Each key in the dictionary will be the field name, and the values will be lists of strings of any error messages corresponding to that field.  The `non_field_errors` key may also be present, and will list any general validation errors. The name of the `non_field_errors` key may be customized using the `NON_FIELD_ERRORS_KEY` REST framework setting.
 
 When deserializing a list of items, errors will be returned as a list of dictionaries representing each of the deserialized items.
 
-#### Raising an exception on invalid data
+#### Raising an exception on invalid data
 
 The `.is_valid()` method takes an optional `raise_exception` flag that will cause it to raise a `serializers.ValidationError` exception if there are validation errors.
 
@@ -189,9 +192,15 @@ Your `validate_<field_name>` methods should return the validated value or raise
                 raise serializers.ValidationError("Blog post is not about Django")
             return value
 
+---
+
+**Note:** If your `<field_name>` is declared on your serializer with the parameter `required=False` then this validation step will not take place if the field is not included.
+
+---
+
 #### Object-level validation
 
-To do any other validation that requires access to multiple fields, add a method called `.validate()` to your `Serializer` subclass.  This method takes a single argument, which is a dictionary of field values.  It should raise a `ValidationError` if necessary, or just return the validated values.  For example:
+To do any other validation that requires access to multiple fields, add a method called `.validate()` to your `Serializer` subclass.  This method takes a single argument, which is a dictionary of field values.  It should raise a `serializers.ValidationError` if necessary, or just return the validated values.  For example:
 
     from rest_framework import serializers
 
@@ -202,7 +211,7 @@ To do any other validation that requires access to multiple fields, add a method
 
         def validate(self, data):
             """
-            Check that the start is before the stop.
+            Check that start is before finish.
             """
             if data['start'] > data['finish']:
                 raise serializers.ValidationError("finish must occur after start")
@@ -217,22 +226,24 @@ Individual fields on a serializer can include validators, by declaring them on t
             raise serializers.ValidationError('Not a multiple of ten')
 
     class GameRecord(serializers.Serializer):
-        score = IntegerField(validators=[multiple_of_ten])
+        score = serializers.IntegerField(validators=[multiple_of_ten])
         ...
 
 Serializer classes can also include reusable validators that are applied to the complete set of field data. These validators are included by declaring them on an inner `Meta` class, like so:
 
     class EventSerializer(serializers.Serializer):
         name = serializers.CharField()
-        room_number = serializers.IntegerField(choices=[101, 102, 103, 201])
+        room_number = serializers.ChoiceField(choices=[101, 102, 103, 201])
         date = serializers.DateField()
 
         class Meta:
             # Each room only has one event per day.
-            validators = UniqueTogetherValidator(
-                queryset=Event.objects.all(),
-                fields=['room_number', 'date']
-            )
+            validators = [
+                UniqueTogetherValidator(
+                    queryset=Event.objects.all(),
+                    fields=['room_number', 'date']
+                )
+            ]
 
 For more information see the [validators documentation](validators.md).
 
@@ -240,14 +251,14 @@ For more information see the [validators documentation](validators.md).
 
 When passing an initial object or queryset to a serializer instance, the object will be made available as `.instance`. If no initial object is passed then the `.instance` attribute will be `None`.
 
-When passing data to a serializer instance, the unmodified data will be made available as `.initial_data`. If the data keyword argument is not passed then the `.initial_data` attribute will not exist.
+When passing data to a serializer instance, the unmodified data will be made available as `.initial_data`. If the `data` keyword argument is not passed then the `.initial_data` attribute will not exist.
 
 ## Partial updates
 
 By default, serializers must be passed values for all required fields or they will raise validation errors. You can use the `partial` argument in order to allow partial updates.
 
     # Update `comment` with partial data
-    serializer = CommentSerializer(comment, data={'content': u'foo bar'}, partial=True)
+    serializer = CommentSerializer(comment, data={'content': 'foo bar'}, partial=True)
 
 ## Dealing with nested objects
 
@@ -271,7 +282,7 @@ If a nested representation may optionally accept the `None` value you should pas
         content = serializers.CharField(max_length=200)
         created = serializers.DateTimeField()
 
-Similarly if a nested representation should be a list of items, you should pass the `many=True` flag to the nested serialized.
+Similarly if a nested representation should be a list of items, you should pass the `many=True` flag to the nested serializer.
 
     class CommentSerializer(serializers.Serializer):
         user = UserSerializer(required=False)
@@ -281,13 +292,13 @@ Similarly if a nested representation should be a list of items, you should pass
 
 ## Writable nested representations
 
-When dealing with nested representations that support deserializing the data, an errors with nested objects will be nested under the field name of the nested object.
+When dealing with nested representations that support deserializing the data, any errors with nested objects will be nested under the field name of the nested object.
 
     serializer = CommentSerializer(data={'user': {'email': 'foobar', 'username': 'doe'}, 'content': 'baz'})
     serializer.is_valid()
     # False
     serializer.errors
-    # {'user': {'email': [u'Enter a valid e-mail address.']}, 'created': [u'This field is required.']}
+    # {'user': {'email': ['Enter a valid e-mail address.']}, 'created': ['This field is required.']}
 
 Similarly, the `.validated_data` property will include nested data structures.
 
@@ -302,7 +313,7 @@ The following example demonstrates how you might handle creating a user with a n
 
         class Meta:
             model = User
-            fields = ('username', 'email', 'profile')
+            fields = ['username', 'email', 'profile']
 
         def create(self, validated_data):
             profile_data = validated_data.pop('profile')
@@ -319,12 +330,12 @@ For updates you'll want to think carefully about how to handle updates to relati
 * Ignore the data and leave the instance as it is.
 * Raise a validation error.
 
-Here's an example for an `update()` method on our previous `UserSerializer` class.
+Here's an example for an `.update()` method on our previous `UserSerializer` class.
 
         def update(self, instance, validated_data):
             profile_data = validated_data.pop('profile')
             # Unless the application properly enforces that this field is
-            # always set, the follow could raise a `DoesNotExist`, which
+            # always set, the following could raise a `DoesNotExist`, which
             # would need to be handled.
             profile = instance.profile
 
@@ -346,11 +357,11 @@ Here's an example for an `update()` method on our previous `UserSerializer` clas
 
 Because the behavior of nested creates and updates can be ambiguous, and may require complex dependencies between related models, REST framework 3 requires you to always write these methods explicitly. The default `ModelSerializer` `.create()` and `.update()` methods do not include support for writable nested representations.
 
-It is possible that a third party package, providing automatic support some kinds of automatic writable nested representations may be released alongside the 3.1 release.
+There are however, third-party packages available such as [DRF Writable Nested][thirdparty-writable-nested] that support automatic writable nested representations.
 
 #### Handling saving related instances in model manager classes
 
-An alternative to saving multiple related instances in the serializer is to write custom model manager classes handle creating the correct instances.
+An alternative to saving multiple related instances in the serializer is to write custom model manager classes that handle creating the correct instances.
 
 For example, suppose we wanted to ensure that `User` instances and `Profile` instances are always created together as a pair. We might write a custom manager class that looks something like this:
 
@@ -373,12 +384,12 @@ This manager class now more nicely encapsulates that user instances and profile
     def create(self, validated_data):
         return User.objects.create(
             username=validated_data['username'],
-            email=validated_data['email']
-            is_premium_member=validated_data['profile']['is_premium_member']
+            email=validated_data['email'],
+            is_premium_member=validated_data['profile']['is_premium_member'],
             has_support_contract=validated_data['profile']['has_support_contract']
         )
 
-For more details on this approach see the Django documentation on [model managers](model-managers), and [this blogpost on using model and manager classes](encapsulation-blogpost).
+For more details on this approach see the Django documentation on [model managers][model-managers], and [this blogpost on using model and manager classes][encapsulation-blogpost].
 
 ## Dealing with multiple objects
 
@@ -399,7 +410,7 @@ To serialize a queryset or list of objects instead of a single object instance,
 
 #### Deserializing multiple objects
 
-The default behavior for deserializing multiple objects is to support multiple object creation, but not support multiple object updates. For more information on how to support or customize either of these cases, see the [ListSerializer](#ListSerializer) documentation below.
+The default behavior for deserializing multiple objects is to support multiple object creation, but not support multiple object updates. For more information on how to support or customize either of these cases, see the [ListSerializer](#listserializer) documentation below.
 
 ## Including extra context
 
@@ -409,7 +420,7 @@ You can provide arbitrary additional context by passing a `context` argument whe
 
     serializer = AccountSerializer(account, context={'request': request})
     serializer.data
-    # {'id': 6, 'owner': u'denvercoder9', 'created': datetime.datetime(2013, 2, 12, 09, 44, 56, 678870), 'details': 'http://example.com/accounts/6/details'}
+    # {'id': 6, 'owner': 'denvercoder9', 'created': datetime.datetime(2013, 2, 12, 09, 44, 56, 678870), 'details': 'http://example.com/accounts/6/details'}
 
 The context dictionary can be used within any serializer field logic, such as a custom `.to_representation()` method, by accessing the `self.context` attribute.
 
@@ -432,10 +443,11 @@ Declaring a `ModelSerializer` looks like this:
     class AccountSerializer(serializers.ModelSerializer):
         class Meta:
             model = Account
+            fields = ['id', 'account_name', 'users', 'created']
 
 By default, all the model fields on the class will be mapped to a corresponding serializer fields.
 
-Any relationships such as foreign keys on the model will be mapped to `PrimaryKeyRelatedField`. Reverse relationships are not included by default unless explicitly included as described below.
+Any relationships such as foreign keys on the model will be mapped to `PrimaryKeyRelatedField`. Reverse relationships are not included by default unless explicitly included as specified in the [serializer relations][relations] documentation.
 
 #### Inspecting a `ModelSerializer`
 
@@ -445,7 +457,7 @@ To do so, open the Django shell, using `python manage.py shell`, then import the
 
     >>> from myapp.serializers import AccountSerializer
     >>> serializer = AccountSerializer()
-    >>> print repr(serializer)  # Or `print(repr(serializer))` in Python 3.x.
+    >>> print(repr(serializer))
     AccountSerializer():
         id = IntegerField(label='ID', read_only=True)
         name = CharField(allow_blank=True, max_length=100, required=False)
@@ -453,19 +465,41 @@ To do so, open the Django shell, using `python manage.py shell`, then import the
 
 ## Specifying which fields to include
 
-If you only want a subset of the default fields to be used in a model serializer, you can do so using `fields` or `exclude` options, just as you would with a `ModelForm`.
+If you only want a subset of the default fields to be used in a model serializer, you can do so using `fields` or `exclude` options, just as you would with a `ModelForm`. It is strongly recommended that you explicitly set all fields that should be serialized using the `fields` attribute. This will make it less likely to result in unintentionally exposing data when your models change.
 
 For example:
 
     class AccountSerializer(serializers.ModelSerializer):
         class Meta:
             model = Account
-            fields = ('id', 'account_name', 'users', 'created')
+            fields = ['id', 'account_name', 'users', 'created']
 
-The names in the `fields` option will normally map to model fields on the model class.
+You can also set the `fields` attribute to the special value `'__all__'` to indicate that all fields in the model should be used.
+
+For example:
+
+    class AccountSerializer(serializers.ModelSerializer):
+        class Meta:
+            model = Account
+            fields = '__all__'
+
+You can set the `exclude` attribute to a list of fields to be excluded from the serializer.
+
+For example:
+
+    class AccountSerializer(serializers.ModelSerializer):
+        class Meta:
+            model = Account
+            exclude = ['users']
+
+In the example above, if the `Account` model had 3 fields `account_name`, `users`, and `created`, this will result in the fields `account_name` and `created` to be serialized.
+
+The names in the `fields` and `exclude` attributes will normally map to model fields on the model class.
 
 Alternatively names in the `fields` options can map to properties or methods which take no arguments that exist on the model class.
 
+Since version 3.3.0, it is **mandatory** to provide one of the attributes `fields` or `exclude`.
+
 ## Specifying nested serialization
 
 The default `ModelSerializer` uses primary keys for relationships, but you can also easily generate nested representations using the `depth` option:
@@ -473,7 +507,7 @@ The default `ModelSerializer` uses primary keys for relationships, but you can a
     class AccountSerializer(serializers.ModelSerializer):
         class Meta:
             model = Account
-            fields = ('id', 'account_name', 'users', 'created')
+            fields = ['id', 'account_name', 'users', 'created']
             depth = 1
 
 The `depth` option should be set to an integer value that indicates the depth of relationships that should be traversed before reverting to a flat representation.
@@ -490,6 +524,7 @@ You can add extra fields to a `ModelSerializer` or override the default fields b
 
         class Meta:
             model = Account
+            fields = ['url', 'groups']
 
 Extra fields can correspond to any property or callable on the model.
 
@@ -502,8 +537,8 @@ This option should be a list or tuple of field names, and is declared as follows
     class AccountSerializer(serializers.ModelSerializer):
         class Meta:
             model = Account
-            fields = ('id', 'account_name', 'users', 'created')
-            read_only_fields = ('account_name',)
+            fields = ['id', 'account_name', 'users', 'created']
+            read_only_fields = ['account_name']
 
 Model fields which have `editable=False` set, and `AutoField` fields will be set to read-only by default, and do not need to be added to the `read_only_fields` option.
 
@@ -524,14 +559,14 @@ Please review the [Validators Documentation](/api-guide/validators/) for details
 
 ## Additional keyword arguments
 
-There is also a shortcut allowing you to specify arbitrary additional keyword arguments on fields, using the `extra_kwargs` option. Similarly to `read_only_fields` this means you do not need to explicitly declare the field on the serializer.
+There is also a shortcut allowing you to specify arbitrary additional keyword arguments on fields, using the `extra_kwargs` option. As in the case of `read_only_fields`, this means you do not need to explicitly declare the field on the serializer.
 
 This option is a dictionary, mapping field names to a dictionary of keyword arguments. For example:
 
     class CreateUserSerializer(serializers.ModelSerializer):
         class Meta:
             model = User
-            fields = ('email', 'username', 'password')
+            fields = ['email', 'username', 'password']
             extra_kwargs = {'password': {'write_only': True}}
 
         def create(self, validated_data):
@@ -543,6 +578,8 @@ This option is a dictionary, mapping field names to a dictionary of keyword argu
             user.save()
             return user
 
+Please keep in mind that, if the field has already been explicitly declared on the serializer class, then the `extra_kwargs` option will be ignored.
+
 ## Relational fields
 
 When serializing model instances, there are a number of different ways you might choose to represent relationships.  The default representation for `ModelSerializer` is to use the primary keys of the related instances.
@@ -551,31 +588,21 @@ Alternative representations include serializing using hyperlinks, serializing co
 
 For full details see the [serializer relations][relations] documentation.
 
-## Inheritance of the 'Meta' class
-
-The inner `Meta` class on serializers is not inherited from parent classes by default. This is the same behavior as with Django's `Model` and `ModelForm` classes. If you want the `Meta` class to inherit from a parent class you must do so explicitly. For example:
-
-    class AccountSerializer(MyBaseSerializer):
-        class Meta(MyBaseSerializer.Meta):
-            model = Account
-
-Typically we would recommend *not* using inheritance on inner Meta classes, but instead declaring all options explicitly.
-
 ## Customizing field mappings
 
 The ModelSerializer class also exposes an API that you can override in order to alter how serializer fields are automatically determined when instantiating the serializer.
 
-Normally if a `ModelSerializer` does not generate the fields you need by default the you should either add them to the class explicitly, or simply use a regular `Serializer` class instead. However in some cases you may want to create a new base class that defines how the serializer fields are created for any given model.
+Normally if a `ModelSerializer` does not generate the fields you need by default then you should either add them to the class explicitly, or simply use a regular `Serializer` class instead. However in some cases you may want to create a new base class that defines how the serializer fields are created for any given model.
 
-### `.serializer_field_mapping`
+### `serializer_field_mapping`
 
-A mapping of Django model classes to REST framework serializer classes. You can override this mapping to alter the default serializer classes that should be used for each model class.
+A mapping of Django model fields to REST framework serializer fields. You can override this mapping to alter the default serializer fields that should be used for each model field.
 
-### `.serializer_related_field`
+### `serializer_related_field`
 
 This property should be the serializer field class, that is used for relational fields by default.
 
-For `ModelSerializer` this defaults to `PrimaryKeyRelatedField`.
+For `ModelSerializer` this defaults to `serializers.PrimaryKeyRelatedField`.
 
 For `HyperlinkedModelSerializer` this defaults to `serializers.HyperlinkedRelatedField`.
 
@@ -595,21 +622,21 @@ Defaults to `serializers.ChoiceField`
 
 The following methods are called to determine the class and keyword arguments for each field that should be automatically included on the serializer. Each of these methods should return a two tuple of `(field_class, field_kwargs)`.
 
-### `.build_standard_field(self, field_name, model_field)`
+### `build_standard_field(self, field_name, model_field)`
 
 Called to generate a serializer field that maps to a standard model field.
 
 The default implementation returns a serializer class based on the `serializer_field_mapping` attribute.
 
-### `.build_relational_field(self, field_name, relation_info)`
+### `build_relational_field(self, field_name, relation_info)`
 
 Called to generate a serializer field that maps to a relational model field.
 
-The default implementation returns a serializer class based on the `serializer_relational_field` attribute.
+The default implementation returns a serializer class based on the `serializer_related_field` attribute.
 
 The `relation_info` argument is a named tuple, that contains `model_field`, `related_model`, `to_many` and `has_through_model` properties.
 
-### `.build_nested_field(self, field_name, relation_info, nested_depth)`
+### `build_nested_field(self, field_name, relation_info, nested_depth)`
 
 Called to generate a serializer field that maps to a relational model field, when the `depth` option has been set.
 
@@ -619,17 +646,17 @@ The `nested_depth` will be the value of the `depth` option, minus one.
 
 The `relation_info` argument is a named tuple, that contains `model_field`, `related_model`, `to_many` and `has_through_model` properties.
 
-### `.build_property_field(self, field_name, model_class)`
+### `build_property_field(self, field_name, model_class)`
 
 Called to generate a serializer field that maps to a property or zero-argument method on the model class.
 
 The default implementation returns a `ReadOnlyField` class.
 
-### `.build_url_field(self, field_name, model_class)`
+### `build_url_field(self, field_name, model_class)`
 
 Called to generate a serializer field for the serializer's own `url` field. The default implementation returns a `HyperlinkedIdentityField` class.
 
-### `.build_unknown_field(self, field_name, model_class)`
+### `build_unknown_field(self, field_name, model_class)`
 
 Called when the field name did not map to any model field or model property.
 The default implementation raises an error, although subclasses may customize this behavior.
@@ -649,7 +676,26 @@ You can explicitly include the primary key by adding it to the `fields` option,
     class AccountSerializer(serializers.HyperlinkedModelSerializer):
         class Meta:
             model = Account
-            fields = ('url', 'id', 'account_name', 'users', 'created')
+            fields = ['url', 'id', 'account_name', 'users', 'created']
+
+## Absolute and relative URLs
+
+When instantiating a `HyperlinkedModelSerializer` you must include the current
+`request` in the serializer context, for example:
+
+    serializer = AccountSerializer(queryset, context={'request': request})
+
+Doing so will ensure that the hyperlinks can include an appropriate hostname,
+so that the resulting representation uses fully qualified URLs, such as:
+
+    http://api.example.com/accounts/1/
+
+Rather than relative URLs, such as:
+
+    /accounts/1/
+
+If you *do* want to use relative URLs, you should explicitly pass `{'request': None}`
+in the serializer context.
 
 ## How hyperlinked views are determined
 
@@ -662,9 +708,9 @@ You can override a URL field view name and lookup field by using either, or both
     class AccountSerializer(serializers.HyperlinkedModelSerializer):
         class Meta:
             model = Account
-            fields = ('account_url', 'account_name', 'users', 'created')
+            fields = ['account_url', 'account_name', 'users', 'created']
             extra_kwargs = {
-                'url': {'view_name': 'accounts', 'lookup_field': 'account_name'}
+                'url': {'view_name': 'accounts', 'lookup_field': 'account_name'},
                 'users': {'lookup_field': 'username'}
             }
 
@@ -684,7 +730,7 @@ Alternatively you can set the fields on the serializer explicitly. For example:
 
         class Meta:
             model = Account
-            fields = ('url', 'account_name', 'users', 'created')
+            fields = ['url', 'account_name', 'users', 'created']
 
 ---
 
@@ -704,9 +750,25 @@ The `ListSerializer` class provides the behavior for serializing and validating
 
 When a serializer is instantiated and `many=True` is passed, a `ListSerializer` instance will be created. The serializer class then becomes a child of the parent `ListSerializer`
 
+The following argument can also be passed to a `ListSerializer` field or a serializer that is passed `many=True`:
+
+### `allow_empty`
+
+This is `True` by default, but can be set to `False` if you want to disallow empty lists as valid input.
+
+### `max_length`
+
+This is `None` by default, but can be set to a positive integer if you want to validate that the list contains no more than this number of elements.
+
+### `min_length`
+
+This is `None` by default, but can be set to a positive integer if you want to validate that the list contains no fewer than this number of elements.
+
+### Customizing `ListSerializer` behavior
+
 There *are* a few use cases when you might want to customize the `ListSerializer` behavior. For example:
 
-* You want to provide particular validation of the lists, such as always ensuring that there is at least one element in a list.
+* You want to provide particular validation of the lists, such as checking that one element does not conflict with another element in a list.
 * You want to customize the create or update behavior of multiple objects.
 
 For these cases you can modify the class that is used when `many=True` is passed, by using the `list_serializer_class` option on the serializer `Meta` class.
@@ -748,6 +810,8 @@ To support multiple updates you'll need to do so explicitly. When writing your m
 * How should removals be handled? Do they imply object deletion, or removing a relationship? Should they be silently ignored, or are they invalid?
 * How should ordering be handled? Does changing the position of two items imply any state change or is it ignored?
 
+You will need to add an explicit `id` field to the instance serializer. The default implicitly-generated `id` field is marked as `read_only`. This causes it to be removed on updates. Once you declare it explicitly, it will be available in the list serializer's `update` method.
+
 Here's an example of how you might choose to implement multiple updates:
 
     class BookListSerializer(serializers.ListSerializer):
@@ -759,7 +823,7 @@ Here's an example of how you might choose to implement multiple updates:
             # Perform creations and updates.
             ret = []
             for book_id, data in data_mapping.items():
-                book = book_mapping.get(book_id, None):
+                book = book_mapping.get(book_id, None)
                 if book is None:
                     ret.append(self.child.create(data))
                 else:
@@ -773,12 +837,14 @@ Here's an example of how you might choose to implement multiple updates:
             return ret
 
     class BookSerializer(serializers.Serializer):
+        # We need to identify elements in the list using their primary key,
+        # so use a writable field here, rather than the default which would be read-only.
+        id = serializers.IntegerField()
         ...
+
         class Meta:
             list_serializer_class = BookListSerializer
 
-It is possible that a third party package may be included alongside the 3.1 release that provides some automatic support for multiple update operations, similar to the `allow_add_remove` behavior that was present in REST framework 2.
-
 #### Customizing ListSerializer initialization
 
 When a serializer with `many=True` is instantiated, we need to determine which arguments and keyword arguments should be passed to the `.__init__()` method for both the child `Serializer` class, and for the parent `ListSerializer` class.
@@ -805,7 +871,7 @@ This class implements the same basic API as the `Serializer` class:
 * `.data` - Returns the outgoing primitive representation.
 * `.is_valid()` - Deserializes and validates incoming data.
 * `.validated_data` - Returns the validated incoming data.
-* `.errors` - Returns an errors during validation.
+* `.errors` - Returns any errors during validation.
 * `.save()` - Persists the validated data into an object instance.
 
 There are four methods that can be overridden, depending on what functionality you want the serializer class to support:
@@ -814,11 +880,11 @@ There are four methods that can be overridden, depending on what functionality y
 * `.to_internal_value()` - Override this to support deserialization, for write operations.
 * `.create()` and `.update()` - Override either or both of these to support saving instances.
 
-Because this class provides the same interface as the `Serializer` class, you can use it with the existing generic class based views exactly as you would for a regular `Serializer` or `ModelSerializer`.
+Because this class provides the same interface as the `Serializer` class, you can use it with the existing generic class-based views exactly as you would for a regular `Serializer` or `ModelSerializer`.
 
 The only difference you'll notice when doing so is the `BaseSerializer` classes will not generate HTML forms in the browsable API. This is because the data they return does not include all the field information that would allow each field to be rendered into a suitable HTML input.
 
-##### Read-only `BaseSerializer` classes
+#### Read-only `BaseSerializer` classes
 
 To implement a read-only serializer using the `BaseSerializer` class, we just need to override the `.to_representation()` method. Let's take a look at an example using a simple Django model:
 
@@ -830,10 +896,10 @@ To implement a read-only serializer using the `BaseSerializer` class, we just ne
 It's simple to create a read-only serializer for converting `HighScore` instances into primitive data types.
 
     class HighScoreSerializer(serializers.BaseSerializer):
-        def to_representation(self, obj):
+        def to_representation(self, instance):
             return {
-                'score': obj.score,
-                'player_name': obj.player_name
+                'score': instance.score,
+                'player_name': instance.player_name
             }
 
 We can now use this class to serialize single `HighScore` instances:
@@ -842,7 +908,7 @@ We can now use this class to serialize single `HighScore` instances:
     def high_score(request, pk):
         instance = HighScore.objects.get(pk=pk)
         serializer = HighScoreSerializer(instance)
-	    return Response(serializer.data)
+        return Response(serializer.data)
 
 Or use it to serialize multiple instances:
 
@@ -850,11 +916,11 @@ Or use it to serialize multiple instances:
     def all_high_scores(request):
         queryset = HighScore.objects.order_by('-score')
         serializer = HighScoreSerializer(queryset, many=True)
-	    return Response(serializer.data)
+        return Response(serializer.data)
 
-##### Read-write `BaseSerializer` classes
+#### Read-write `BaseSerializer` classes
 
-To create a read-write serializer we first need to implement a `.to_internal_value()` method. This method returns the validated values that will be used to construct the object instance, and may raise a `ValidationError` if the supplied data is in an incorrect format.
+To create a read-write serializer we first need to implement a `.to_internal_value()` method. This method returns the validated values that will be used to construct the object instance, and may raise a `serializers.ValidationError` if the supplied data is in an incorrect format.
 
 Once you've implemented `.to_internal_value()`, the basic validation API will be available on the serializer, and you will be able to use `.is_valid()`, `.validated_data` and `.errors`.
 
@@ -869,29 +935,29 @@ Here's a complete example of our previous `HighScoreSerializer`, that's been upd
 
             # Perform the data validation.
             if not score:
-                raise ValidationError({
+                raise serializers.ValidationError({
                     'score': 'This field is required.'
                 })
             if not player_name:
-                raise ValidationError({
+                raise serializers.ValidationError({
                     'player_name': 'This field is required.'
                 })
             if len(player_name) > 10:
-                raise ValidationError({
+                raise serializers.ValidationError({
                     'player_name': 'May not be more than 10 characters.'
                 })
 
-			# Return the validated values. This will be available as
-			# the `.validated_data` property.
+            # Return the validated values. This will be available as
+            # the `.validated_data` property.
             return {
                 'score': int(score),
                 'player_name': player_name
             }
 
-        def to_representation(self, obj):
+        def to_representation(self, instance):
             return {
-                'score': obj.score,
-                'player_name': obj.player_name
+                'score': instance.score,
+                'player_name': instance.player_name
             }
 
         def create(self, validated_data):
@@ -901,17 +967,18 @@ Here's a complete example of our previous `HighScoreSerializer`, that's been upd
 
 The `BaseSerializer` class is also useful if you want to implement new generic serializer classes for dealing with particular serialization styles, or for integrating with alternative storage backends.
 
-The following class is an example of a generic serializer that can handle coercing arbitrary objects into primitive representations.
+The following class is an example of a generic serializer that can handle coercing arbitrary complex objects into primitive representations.
 
     class ObjectSerializer(serializers.BaseSerializer):
         """
         A read-only serializer that coerces arbitrary complex objects
         into primitive representations.
         """
-        def to_representation(self, obj):
-            for attribute_name in dir(obj):
-                attribute = getattr(obj, attribute_name)
-                if attribute_name('_'):
+        def to_representation(self, instance):
+            output = {}
+            for attribute_name in dir(instance):
+                attribute = getattr(instance, attribute_name)
+                if attribute_name.startswith('_'):
                     # Ignore private attributes.
                     pass
                 elif hasattr(attribute, '__call__'):
@@ -934,6 +1001,7 @@ The following class is an example of a generic serializer that can handle coerci
                 else:
                     # Force anything else to its string representation.
                     output[attribute_name] = str(attribute)
+            return output
 
 ---
 
@@ -941,7 +1009,7 @@ The following class is an example of a generic serializer that can handle coerci
 
 ## Overriding serialization and deserialization behavior
 
-If you need to alter the serialization, deserialization or validation of a serializer class you can do so by overriding the `.to_representation()` or `.to_internal_value()` methods.
+If you need to alter the serialization or deserialization behavior of a serializer class, you can do so by overriding the `.to_representation()` or `.to_internal_value()` methods.
 
 Some reasons this might be useful include...
 
@@ -951,18 +1019,60 @@ Some reasons this might be useful include...
 
 The signatures for these methods are as follows:
 
-#### `.to_representation(self, obj)`
+#### `to_representation(self, instance)`
 
 Takes the object instance that requires serialization, and should return a primitive representation. Typically this means returning a structure of built-in Python datatypes. The exact types that can be handled will depend on the render classes you have configured for your API.
 
-#### ``.to_internal_value(self, data)``
+May be overridden in order to modify the representation style. For example:
+
+    def to_representation(self, instance):
+        """Convert `username` to lowercase."""
+        ret = super().to_representation(instance)
+        ret['username'] = ret['username'].lower()
+        return ret
+
+#### ``to_internal_value(self, data)``
 
 Takes the unvalidated incoming data as input and should return the validated data that will be made available as `serializer.validated_data`. The return value will also be passed to the `.create()` or `.update()` methods if `.save()` is called on the serializer class.
 
-If any of the validation fails, then the method should raise a `serializers.ValidationError(errors)`. Typically the `errors` argument here will be a dictionary mapping field names to error messages.
+If any of the validation fails, then the method should raise a `serializers.ValidationError(errors)`. The `errors` argument should be a dictionary mapping field names (or `settings.NON_FIELD_ERRORS_KEY`) to a list of error messages. If you don't need to alter deserialization behavior and instead want to provide object-level validation, it's recommended that you instead override the [`.validate()`](#object-level-validation) method.
 
 The `data` argument passed to this method will normally be the value of `request.data`, so the datatype it provides will depend on the parser classes you have configured for your API.
 
+## Serializer Inheritance
+
+Similar to Django forms, you can extend and reuse serializers through inheritance. This allows you to declare a common set of fields or methods on a parent class that can then be used in a number of serializers. For example,
+
+    class MyBaseSerializer(Serializer):
+        my_field = serializers.CharField()
+
+        def validate_my_field(self, value):
+            ...
+
+    class MySerializer(MyBaseSerializer):
+        ...
+
+Like Django's `Model` and `ModelForm` classes, the inner `Meta` class on serializers does not implicitly inherit from it's parents' inner `Meta` classes. If you want the `Meta` class to inherit from a parent class you must do so explicitly. For example:
+
+    class AccountSerializer(MyBaseSerializer):
+        class Meta(MyBaseSerializer.Meta):
+            model = Account
+
+Typically we would recommend *not* using inheritance on inner Meta classes, but instead declaring all options explicitly.
+
+Additionally, the following caveats apply to serializer inheritance:
+
+* Normal Python name resolution rules apply. If you have multiple base classes that declare a `Meta` inner class, only the first one will be used. This means the child’s `Meta`, if it exists, otherwise the `Meta` of the first parent, etc.
+* It’s possible to declaratively remove a `Field` inherited from a parent class by setting the name to be `None` on the subclass.
+
+        class MyBaseSerializer(ModelSerializer):
+            my_field = serializers.CharField()
+
+        class MySerializer(MyBaseSerializer):
+            my_field = None
+
+    However, you can only use this technique to opt out from a field defined declaratively by a parent class; it won’t prevent the `ModelSerializer` from generating a default field. To opt-out from default fields, see [Specifying which fields to include](#specifying-which-fields-to-include).
+
 ## Dynamically modifying fields
 
 Once a serializer has been initialized, the dictionary of fields that are set on the serializer may be accessed using the `.fields` attribute.  Accessing and modifying this attribute allows you to dynamically modify the serializer.
@@ -984,12 +1094,12 @@ For example, if you wanted to be able to set which fields should be used by a se
             fields = kwargs.pop('fields', None)
 
             # Instantiate the superclass normally
-            super(DynamicFieldsModelSerializer, self).__init__(*args, **kwargs)
+            super().__init__(*args, **kwargs)
 
             if fields is not None:
                 # Drop any fields that are not specified in the `fields` argument.
                 allowed = set(fields)
-                existing = set(self.fields.keys())
+                existing = set(self.fields)
                 for field_name in existing - allowed:
                     self.fields.pop(field_name)
 
@@ -998,12 +1108,12 @@ This would then allow you to do the following:
     >>> class UserSerializer(DynamicFieldsModelSerializer):
     >>>     class Meta:
     >>>         model = User
-    >>>         fields = ('id', 'username', 'email')
+    >>>         fields = ['id', 'username', 'email']
     >>>
-    >>> print UserSerializer(user)
+    >>> print(UserSerializer(user))
     {'id': 2, 'username': 'jonwatts', 'email': 'jon@example.com'}
     >>>
-    >>> print UserSerializer(user, fields=('id', 'email'))
+    >>> print(UserSerializer(user, fields=('id', 'email')))
     {'id': 2, 'email': 'jon@example.com'}
 
 ## Customizing the default fields
@@ -1014,14 +1124,20 @@ This API included the `.get_field()`, `.get_pk_field()` and other methods.
 
 Because the serializers have been fundamentally redesigned with 3.0 this API no longer exists. You can still modify the fields that get created but you'll need to refer to the source code, and be aware that if the changes you make are against private bits of API then they may be subject to change.
 
-A new interface for controlling this behavior is currently planned for REST framework 3.1.
-
 ---
 
 # Third party packages
 
 The following third party packages are also available.
 
+## Django REST marshmallow
+
+The [django-rest-marshmallow][django-rest-marshmallow] package provides an alternative implementation for serializers, using the python [marshmallow][marshmallow] library. It exposes the same API as the REST framework serializers, and can be used as a drop-in replacement in some use-cases.
+
+## Serpy
+
+The [serpy][serpy] package is an alternative implementation for serializers that is built for speed. [Serpy][serpy] serializes complex datatypes to simple native types. The native types can be easily converted to JSON or any other format needed.
+
 ## MongoengineModelSerializer
 
 The [django-rest-framework-mongoengine][mongoengine] package provides a `MongoEngineModelSerializer` serializer class that supports using MongoDB as the storage layer for Django REST framework.
@@ -1034,11 +1150,65 @@ The [django-rest-framework-gis][django-rest-framework-gis] package provides a `G
 
 The [django-rest-framework-hstore][django-rest-framework-hstore] package provides an `HStoreSerializer` to support [django-hstore][django-hstore] `DictionaryField` model field and its `schema-mode` feature.
 
+## Dynamic REST
+
+The [dynamic-rest][dynamic-rest] package extends the ModelSerializer and ModelViewSet interfaces, adding API query parameters for filtering, sorting, and including / excluding all fields and relationships defined by your serializers.
+
+## Dynamic Fields Mixin
+
+The [drf-dynamic-fields][drf-dynamic-fields] package provides a mixin to dynamically limit the fields per serializer to a subset specified by an URL parameter.
+
+## DRF FlexFields
+
+The [drf-flex-fields][drf-flex-fields] package extends the ModelSerializer and ModelViewSet to provide commonly used functionality for dynamically setting fields and expanding primitive fields to nested models, both from URL parameters and your serializer class definitions.
+
+## Serializer Extensions
+
+The [django-rest-framework-serializer-extensions][drf-serializer-extensions]
+package provides a collection of tools to DRY up your serializers, by allowing
+fields to be defined on a per-view/request basis. Fields can be whitelisted,
+blacklisted and child serializers can be optionally expanded.
+
+## HTML JSON Forms
+
+The [html-json-forms][html-json-forms] package provides an algorithm and serializer for processing `<form>` submissions per the (inactive) [HTML JSON Form specification][json-form-spec].  The serializer facilitates processing of arbitrarily nested JSON structures within HTML.  For example, `<input name="items[0][id]" value="5">` will be interpreted as `{"items": [{"id": "5"}]}`.
+
+## DRF-Base64
+
+[DRF-Base64][drf-base64] provides a set of field and model serializers that handles the upload of base64-encoded files.
+
+## QueryFields
+
+[djangorestframework-queryfields][djangorestframework-queryfields] allows API clients to specify which fields will be sent in the response via inclusion/exclusion query parameters.
+
+## DRF Writable Nested
+
+The [drf-writable-nested][drf-writable-nested] package provides writable nested model serializer which allows to create/update models with nested related data.
+
+## DRF Encrypt Content
+
+The [drf-encrypt-content][drf-encrypt-content] package helps you encrypt your data, serialized through ModelSerializer. It also contains some helper functions. Which helps you to encrypt your data.
+
+
 [cite]: https://groups.google.com/d/topic/django-users/sVFaOfQi4wY/discussion
 [relations]: relations.md
-[model-managers]: https://docs.djangoproject.com/en/dev/topics/db/managers/
-[encapsulation-blogpost]: http://www.dabapps.com/blog/django-models-and-encapsulation/
+[model-managers]: https://docs.djangoproject.com/en/stable/topics/db/managers/
+[encapsulation-blogpost]: https://www.dabapps.com/blog/django-models-and-encapsulation/
+[thirdparty-writable-nested]: serializers.md#drf-writable-nested
+[django-rest-marshmallow]: https://marshmallow-code.github.io/django-rest-marshmallow/
+[marshmallow]: https://marshmallow.readthedocs.io/en/latest/
+[serpy]: https://github.com/clarkduvall/serpy
 [mongoengine]: https://github.com/umutbozkurt/django-rest-framework-mongoengine
 [django-rest-framework-gis]: https://github.com/djangonauts/django-rest-framework-gis
 [django-rest-framework-hstore]: https://github.com/djangonauts/django-rest-framework-hstore
 [django-hstore]: https://github.com/djangonauts/django-hstore
+[dynamic-rest]: https://github.com/AltSchool/dynamic-rest
+[html-json-forms]: https://github.com/wq/html-json-forms
+[drf-flex-fields]: https://github.com/rsinger86/drf-flex-fields
+[json-form-spec]: https://www.w3.org/TR/html-json-forms/
+[drf-dynamic-fields]: https://github.com/dbrgn/drf-dynamic-fields
+[drf-base64]: https://bitbucket.org/levit_scs/drf_base64
+[drf-serializer-extensions]: https://github.com/evenicoulddoit/django-rest-framework-serializer-extensions
+[djangorestframework-queryfields]: https://djangorestframework-queryfields.readthedocs.io/
+[drf-writable-nested]: https://github.com/beda-software/drf-writable-nested
+[drf-encrypt-content]: https://github.com/oguzhancelikarslan/drf-encrypt-content

docs/api-guide/settings.md

@@ -1,4 +1,7 @@
-source: settings.py
+---
+source:
+    - settings.py
+---
 
 # Settings
 
@@ -11,12 +14,12 @@ Configuration for REST framework is all namespaced inside a single Django settin
 For example your project's `settings.py` file might include something like this:
 
     REST_FRAMEWORK = {
-        'DEFAULT_RENDERER_CLASSES': (
+        'DEFAULT_RENDERER_CLASSES': [
             'rest_framework.renderers.JSONRenderer',
-        ),
-        'DEFAULT_PARSER_CLASSES': (
+        ],
+        'DEFAULT_PARSER_CLASSES': [
             'rest_framework.parsers.JSONParser',
-        )
+        ]
     }
 
 ## Accessing settings
@@ -26,7 +29,7 @@ you should use the `api_settings` object.  For example.
 
     from rest_framework.settings import api_settings
 
-    print api_settings.DEFAULT_AUTHENTICATION_CLASSES
+    print(api_settings.DEFAULT_AUTHENTICATION_CLASSES)
 
 The `api_settings` object will check for any user-defined settings, and otherwise fall back to the default values.  Any setting that uses string import paths to refer to a class will automatically import and return the referenced class, instead of the string literal.
 
@@ -36,7 +39,7 @@ The `api_settings` object will check for any user-defined settings, and otherwis
 
 ## API policy settings
 
-*The following settings control the basic API policies, and are applied to every `APIView` class based view, or `@api_view` function based view.*
+*The following settings control the basic API policies, and are applied to every `APIView` class-based view, or `@api_view` function based view.*
 
 #### DEFAULT_RENDERER_CLASSES
 
@@ -44,10 +47,10 @@ A list or tuple of renderer classes, that determines the default set of renderer
 
 Default:
 
-    (
+    [
         'rest_framework.renderers.JSONRenderer',
         'rest_framework.renderers.BrowsableAPIRenderer',
-    )
+    ]
 
 #### DEFAULT_PARSER_CLASSES
 
@@ -55,11 +58,11 @@ A list or tuple of parser classes, that determines the default set of parsers us
 
 Default:
 
-    (
+    [
         'rest_framework.parsers.JSONParser',
         'rest_framework.parsers.FormParser',
         'rest_framework.parsers.MultiPartParser'
-    )
+    ]
 
 #### DEFAULT_AUTHENTICATION_CLASSES
 
@@ -67,10 +70,10 @@ A list or tuple of authentication classes, that determines the default set of au
 
 Default:
 
-    (
+    [
         'rest_framework.authentication.SessionAuthentication',
         'rest_framework.authentication.BasicAuthentication'
-    )
+    ]
 
 #### DEFAULT_PERMISSION_CLASSES
 
@@ -78,15 +81,15 @@ A list or tuple of permission classes, that determines the default set of permis
 
 Default:
 
-    (
+    [
         'rest_framework.permissions.AllowAny',
-    )
+    ]
 
 #### DEFAULT_THROTTLE_CLASSES
 
 A list or tuple of throttle classes, that determines the default set of throttles checked at the start of a view.
 
-Default: `()`
+Default: `[]`
 
 #### DEFAULT_CONTENT_NEGOTIATION_CLASS
 
@@ -94,64 +97,38 @@ A content negotiation class, that determines how a renderer is selected for the
 
 Default: `'rest_framework.negotiation.DefaultContentNegotiation'`
 
+#### DEFAULT_SCHEMA_CLASS
+
+A view inspector class that will be used for schema generation.
+
+Default: `'rest_framework.schemas.openapi.AutoSchema'`
+
 ---
 
 ## Generic view settings
 
-*The following settings control the behavior of the generic class based views.*
-
-#### DEFAULT_PAGINATION_SERIALIZER_CLASS
-
-A class the determines the default serialization style for paginated responses.
-
-Default: `rest_framework.pagination.PaginationSerializer`
+*The following settings control the behavior of the generic class-based views.*
 
 #### DEFAULT_FILTER_BACKENDS
 
 A list of filter backend classes that should be used for generic filtering.
 If set to `None` then generic filtering is disabled.
 
-#### PAGINATE_BY
+#### DEFAULT_PAGINATION_CLASS
+
+The default class to use for queryset pagination. If set to `None`, pagination
+is disabled by default. See the pagination documentation for further guidance on
+[setting](pagination.md#setting-the-pagination-style) and
+[modifying](pagination.md#modifying-the-pagination-style) the pagination style.
+
+Default: `None`
+
+#### PAGE_SIZE
 
 The default page size to use for pagination.  If set to `None`, pagination is disabled by default.
 
 Default: `None`
 
-#### PAGINATE_BY_PARAM
-
-The name of a query parameter, which can be used by the client to override the default page size to use for pagination.  If set to `None`, clients may not override the default page size.
-
-For example, given the following settings:
-
-    REST_FRAMEWORK = {
-    	'PAGINATE_BY': 10,
-    	'PAGINATE_BY_PARAM': 'page_size',
-    }
-
-A client would be able to modify the pagination size by using the `page_size` query parameter.  For example:
-
-    GET http://example.com/api/accounts?page_size=25
-
-Default: `None`
-
-#### MAX_PAGINATE_BY
-
-The maximum page size to allow when the page size is specified by the client.  If set to `None`, then no maximum limit is applied.
-
-For example, given the following settings:
-
-    REST_FRAMEWORK = {
-    	'PAGINATE_BY': 10,
-    	'PAGINATE_BY_PARAM': 'page_size',
-        'MAX_PAGINATE_BY': 100
-    }
-
-A client request like the following would return a paginated list of up to 100 items.
-
-    GET http://example.com/api/accounts?page_size=999
-
-Default: `None`
-
 ### SEARCH_PARAM
 
 The name of a query parameter, which can be used to specify the search term used by `SearchFilter`.
@@ -180,12 +157,18 @@ If set, this value will restrict the set of versions that may be returned by the
 
 Default: `None`
 
-#### VERSION_PARAMETER
+#### VERSION_PARAM
 
 The string that should used for any versioning parameters, such as in the media type or URL query parameters.
 
 Default: `'version'`
 
+#### DEFAULT_VERSIONING_CLASS
+
+The default versioning scheme to use.
+
+Default: `None`
+
 ---
 
 ## Authentication settings
@@ -195,6 +178,8 @@ Default: `'version'`
 #### UNAUTHENTICATED_USER
 
 The class that should be used to initialize `request.user` for unauthenticated requests.
+(If removing authentication entirely, e.g. by removing `django.contrib.auth` from
+`INSTALLED_APPS`, set `UNAUTHENTICATED_USER` to `None`.)
 
 Default: `django.contrib.auth.models.AnonymousUser`
 
@@ -226,52 +211,52 @@ The format of any of these renderer classes may be used when constructing a test
 
 Default:
 
-    (
+    [
         'rest_framework.renderers.MultiPartRenderer',
         'rest_framework.renderers.JSONRenderer'
-    )
+    ]
 
 ---
 
-## Browser overrides
+## Schema generation controls
 
-*The following settings provide URL or form-based overrides of the default browser behavior.*
+#### SCHEMA_COERCE_PATH_PK
 
-#### FORM_METHOD_OVERRIDE
+If set, this maps the `'pk'` identifier in the URL conf onto the actual field
+name when generating a schema path parameter. Typically this will be `'id'`.
+This gives a more suitable representation as "primary key" is an implementation
+detail, whereas "identifier" is a more general concept.
 
-The name of a form field that may be used to override the HTTP method of the form.
+Default: `True`
 
-If the value of this setting is `None` then form method overloading will be disabled.
+#### SCHEMA_COERCE_METHOD_NAMES
 
-Default: `'_method'`
+If set, this is used to map internal viewset method names onto external action
+names used in the schema generation. This allows us to generate names that
+are more suitable for an external representation than those that are used
+internally in the codebase.
 
-#### FORM_CONTENT_OVERRIDE
+Default: `{'retrieve': 'read', 'destroy': 'delete'}`
 
-The name of a form field that may be used to override the content of the form payload.  Must be used together with `FORM_CONTENTTYPE_OVERRIDE`.
+---
 
-If either setting is `None` then form content overloading will be disabled.
-
-Default: `'_content'`
-
-#### FORM_CONTENTTYPE_OVERRIDE
-
-The name of a form field that may be used to override the content type of the form payload.  Must be used together with `FORM_CONTENT_OVERRIDE`.
-
-If either setting is `None` then form content overloading will be disabled.
-
-Default: `'_content_type'`
-
-#### URL_ACCEPT_OVERRIDE
-
-The name of a URL parameter that may be used to override the HTTP `Accept` header.
-
-If the value of this setting is `None` then URL accept overloading will be disabled.
-
-Default: `'accept'`
+## Content type controls
 
 #### URL_FORMAT_OVERRIDE
 
-The name of a URL parameter that may be used to override the default `Accept` header based content negotiation.
+The name of a URL parameter that may be used to override the default content negotiation `Accept` header behavior, by using a `format=…` query parameter in the request URL.
+
+For example: `http://example.com/organizations/?format=csv`
+
+If the value of this setting is `None` then URL format overrides will be disabled.
+
+Default: `'format'`
+
+#### FORMAT_SUFFIX_KWARG
+
+The name of a parameter in the URL conf that may be used to provide a format suffix. This setting is applied when using `format_suffix_patterns` to include suffixed URL patterns.
+
+For example: `http://example.com/organizations.csv/`
 
 Default: `'format'`
 
@@ -361,6 +346,14 @@ The default style is to return minified responses, in line with [Heroku's API de
 
 Default: `True`
 
+#### STRICT_JSON
+
+When set to `True`, JSON rendering and parsing will only observe syntactically valid JSON, raising an exception for the extended float values (`nan`, `inf`, `-inf`) accepted by Python's `json` module. This is the recommended setting, as these values are not generally supported. e.g., neither Javascript's `JSON.Parse` nor PostgreSQL's JSON data type accept these values.
+
+When set to `False`, JSON rendering and parsing will be permissive. However, these values are still invalid and will need to be specially handled in your code.
+
+Default: `True`
+
 #### COERCE_DECIMAL_TO_STRING
 
 When returning decimal objects in API representations that do not support a native decimal type, it is normally best to return the value as a string. This avoids the loss of precision that occurs with binary floating point implementations.
@@ -381,10 +374,15 @@ A string representing the function that should be used when generating view name
 
 This should be a function with the following signature:
 
-    view_name(cls, suffix=None)
+    view_name(self)
 
-* `cls`: The view class.  Typically the name function would inspect the name of the class when generating a descriptive name, by accessing `cls.__name__`.
-* `suffix`: The optional suffix used when differentiating individual views in a viewset.
+* `self`: The view instance.  Typically the name function would inspect the name of the class when generating a descriptive name, by accessing `self.__class__.__name__`.
+
+If the view instance inherits `ViewSet`, it may have been initialized with several optional arguments:
+
+* `name`: A name explicitly provided to a view in the viewset. Typically, this value should be used as-is when provided.
+* `suffix`: Text used when differentiating individual views in a viewset. This argument is mutually exclusive to `name`.
+* `detail`: Boolean that differentiates an individual view in a viewset as either being a 'list' or 'detail' view.
 
 Default: `'rest_framework.views.get_view_name'`
 
@@ -396,13 +394,33 @@ This setting can be changed to support markup styles other than the default mark
 
 This should be a function with the following signature:
 
-    view_description(cls, html=False)
+    view_description(self, html=False)
 
-* `cls`: The view class.  Typically the description function would inspect the docstring of the class when generating a description, by accessing `cls.__doc__`
+* `self`: The view instance.  Typically the description function would inspect the docstring of the class when generating a description, by accessing `self.__class__.__doc__`
 * `html`: A boolean indicating if HTML output is required.  `True` when used in the browsable API, and `False` when used in generating `OPTIONS` responses.
 
+If the view instance inherits `ViewSet`, it may have been initialized with several optional arguments:
+
+* `description`: A description explicitly provided to the view in the viewset. Typically, this is set by extra viewset `action`s, and should be used as-is.
+
 Default: `'rest_framework.views.get_view_description'`
 
+## HTML Select Field cutoffs
+
+Global settings for [select field cutoffs for rendering relational fields](relations.md#select-field-cutoffs) in the browsable API.
+
+#### HTML_SELECT_CUTOFF
+
+Global setting for the `html_cutoff` value.  Must be an integer.
+
+Default: 1000
+
+#### HTML_SELECT_CUTOFF_TEXT
+
+A string representing a global setting for `html_cutoff_text`.
+
+Default: `"More than {count} items..."`
+
 ---
 
 ## Miscellaneous settings
@@ -433,19 +451,13 @@ A string representing the key that should be used for the URL fields generated b
 
 Default: `'url'`
 
-#### FORMAT_SUFFIX_KWARG
-
-The name of a parameter in the URL conf that may be used to provide a format suffix.
-
-Default: `'format'`
-
 #### NUM_PROXIES
 
 An integer of 0 or more, that may be used to specify the number of application proxies that the API runs behind.  This allows throttling to more accurately identify client IP addresses.  If set to `None` then less strict IP matching will be used by the throttle classes.
 
 Default: `None`
 
-[cite]: http://www.python.org/dev/peps/pep-0020/
-[rfc4627]: http://www.ietf.org/rfc/rfc4627.txt
+[cite]: https://www.python.org/dev/peps/pep-0020/
+[rfc4627]: https://www.ietf.org/rfc/rfc4627.txt
 [heroku-minified-json]: https://github.com/interagent/http-api-design#keep-json-minified-in-all-responses
-[strftime]: http://docs.python.org/2/library/time.html#time.strftime
+[strftime]: https://docs.python.org/3/library/datetime.html#strftime-and-strptime-format-codes

docs/api-guide/status-codes.md

@@ -1,4 +1,7 @@
-source: status.py
+---
+source:
+    - status.py
+---
 
 # Status Codes
 
@@ -6,7 +9,7 @@ source: status.py
 >
 > — [RFC 2324][rfc2324], Hyper Text Coffee Pot Control Protocol
 
-Using bare status codes in your responses isn't recommended.  REST framework includes a set of named constants that you can use to make more code more obvious and readable.
+Using bare status codes in your responses isn't recommended.  REST framework includes a set of named constants that you can use to make your code more obvious and readable.
 
     from rest_framework import status
     from rest_framework.response import Response
@@ -20,13 +23,13 @@ The full set of HTTP status codes included in the `status` module is listed belo
 The module also includes a set of helper functions for testing if a status code is in a given range.
 
     from rest_framework import status
-	from rest_framework.test import APITestCase
+    from rest_framework.test import APITestCase
 
-	class ExampleTestCase(APITestCase):
-	    def test_url_root(self):
-	        url = reverse('index')
-	        response = self.client.get(url)
-	        self.assertTrue(status.is_success(response.status_code))
+    class ExampleTestCase(APITestCase):
+        def test_url_root(self):
+            url = reverse('index')
+            response = self.client.get(url)
+            self.assertTrue(status.is_success(response.status_code))
 
 
 For more information on proper usage of HTTP status codes see [RFC 2616][rfc2616]
@@ -38,6 +41,8 @@ This class of status code indicates a provisional response.  There are no 1xx st
 
     HTTP_100_CONTINUE
     HTTP_101_SWITCHING_PROTOCOLS
+    HTTP_102_PROCESSING
+    HTTP_103_EARLY_HINTS
 
 ## Successful - 2xx
 
@@ -50,6 +55,9 @@ This class of status code indicates that the client's request was successfully r
     HTTP_204_NO_CONTENT
     HTTP_205_RESET_CONTENT
     HTTP_206_PARTIAL_CONTENT
+    HTTP_207_MULTI_STATUS
+    HTTP_208_ALREADY_REPORTED
+    HTTP_226_IM_USED
 
 ## Redirection - 3xx
 
@@ -63,6 +71,7 @@ This class of status code indicates that further action needs to be taken by the
     HTTP_305_USE_PROXY
     HTTP_306_RESERVED
     HTTP_307_TEMPORARY_REDIRECT
+    HTTP_308_PERMANENT_REDIRECT
 
 ## Client Error - 4xx
 
@@ -86,9 +95,16 @@ The 4xx class of status code is intended for cases in which the client seems to
     HTTP_415_UNSUPPORTED_MEDIA_TYPE
     HTTP_416_REQUESTED_RANGE_NOT_SATISFIABLE
     HTTP_417_EXPECTATION_FAILED
+    HTTP_421_MISDIRECTED_REQUEST
+    HTTP_422_UNPROCESSABLE_ENTITY
+    HTTP_423_LOCKED
+    HTTP_424_FAILED_DEPENDENCY
+    HTTP_425_TOO_EARLY
+    HTTP_426_UPGRADE_REQUIRED
     HTTP_428_PRECONDITION_REQUIRED
     HTTP_429_TOO_MANY_REQUESTS
     HTTP_431_REQUEST_HEADER_FIELDS_TOO_LARGE
+    HTTP_451_UNAVAILABLE_FOR_LEGAL_REASONS
 
 ## Server Error - 5xx
 
@@ -100,6 +116,11 @@ Response status codes beginning with the digit "5" indicate cases in which the s
     HTTP_503_SERVICE_UNAVAILABLE
     HTTP_504_GATEWAY_TIMEOUT
     HTTP_505_HTTP_VERSION_NOT_SUPPORTED
+    HTTP_506_VARIANT_ALSO_NEGOTIATES
+    HTTP_507_INSUFFICIENT_STORAGE
+    HTTP_508_LOOP_DETECTED
+    HTTP_509_BANDWIDTH_LIMIT_EXCEEDED
+    HTTP_510_NOT_EXTENDED
     HTTP_511_NETWORK_AUTHENTICATION_REQUIRED
 
 ## Helper functions
@@ -112,6 +133,6 @@ The following helper functions are available for identifying the category of the
     is_client_error()   # 4xx
     is_server_error()   # 5xx
 
-[rfc2324]: http://www.ietf.org/rfc/rfc2324.txt
-[rfc2616]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
-[rfc6585]: http://tools.ietf.org/html/rfc6585
+[rfc2324]: https://www.ietf.org/rfc/rfc2324.txt
+[rfc2616]: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
+[rfc6585]: https://tools.ietf.org/html/rfc6585

docs/api-guide/testing.md

@@ -1,4 +1,7 @@
-source: test.py
+---
+source:
+    - test.py
+---
 
 # Testing
 
@@ -22,9 +25,12 @@ The `APIRequestFactory` class supports an almost identical API to Django's stand
     factory = APIRequestFactory()
     request = factory.post('/notes/', {'title': 'new idea'})
 
+    # Using the standard RequestFactory API to encode JSON data
+    request = factory.post('/notes/', {'title': 'new idea'}, content_type='application/json')
+
 #### Using the `format` argument
 
-Methods which create a request body, such as `post`, `put` and `patch`, include a `format` argument, which make it easy to generate requests using a content type other than multipart form data.  For example:
+Methods which create a request body, such as `post`, `put` and `patch`, include a `format` argument, which make it easy to generate requests using a wide set of request formats.  When using this argument, the factory will select an appropriate renderer and its configured `content_type`.  For example:
 
     # Create a JSON POST request
     factory = APIRequestFactory()
@@ -38,7 +44,7 @@ To support a wider set of request formats, or change the default format, [see th
 
 If you need to explicitly encode the request body, you can do so by setting the `content_type` flag.  For example:
 
-    request = factory.post('/notes/', json.dumps({'title': 'new idea'}), content_type='application/json')
+    request = factory.post('/notes/', yaml.dump({'title': 'new idea'}), content_type='application/yaml')
 
 #### PUT and PATCH with form data
 
@@ -82,7 +88,11 @@ For example, when forcibly authenticating using a token, you might do something
 
     user = User.objects.get(username='olivia')
     request = factory.get('/accounts/django-superstars/')
-    force_authenticate(request, user=user, token=user.token)
+    force_authenticate(request, user=user, token=user.auth_token)
+
+---
+
+**Note**: `force_authenticate` directly sets `request.user` to the in-memory `user` instance. If you are re-using the same `user` instance across multiple tests that update the saved `user` state, you may need to call [`refresh_from_db()`][refresh_from_db_docs] between tests.
 
 ---
 
@@ -115,7 +125,7 @@ Extends [Django's existing `Client` class][client].
 
 ## Making requests
 
-The `APIClient` class supports the same request interface as Django's standard `Client` class.  This means the that standard `.get()`, `.post()`, `.put()`, `.patch()`, `.delete()`, `.head()` and `.options()` methods are all available.  For example:
+The `APIClient` class supports the same request interface as Django's standard `Client` class.  This means that the standard `.get()`, `.post()`, `.put()`, `.patch()`, `.delete()`, `.head()` and `.options()` methods are all available.  For example:
 
     from rest_framework.test import APIClient
 
@@ -162,7 +172,7 @@ The `credentials` method is appropriate for testing APIs that require authentica
 
 #### .force_authenticate(user=None, token=None)
 
-Sometimes you may want to bypass authentication, and simple force all requests by the test client to be automatically treated as authenticated.
+Sometimes you may want to bypass authentication entirely and force all requests by the test client to be automatically treated as authenticated.
 
 This can be a useful shortcut if you're testing the API but don't want to have to construct valid authentication credentials in order to make test requests.
 
@@ -184,9 +194,115 @@ As usual CSRF validation will only apply to any session authenticated views.  Th
 
 ---
 
-# Test cases
+# RequestsClient
 
-REST framework includes the following test case classes, that mirror the existing Django test case classes, but use `APIClient` instead of Django's default `Client`.
+REST framework also includes a client for interacting with your application
+using the popular Python library, `requests`. This may be useful if:
+
+* You are expecting to interface with the API primarily from another Python service,
+and want to test the service at the same level as the client will see.
+* You want to write tests in such a way that they can also be run against a staging or
+live environment. (See "Live tests" below.)
+
+This exposes exactly the same interface as if you were using a requests session
+directly.
+
+    from rest_framework.test import RequestsClient
+    
+    client = RequestsClient()
+    response = client.get('http://testserver/users/')
+    assert response.status_code == 200
+
+Note that the requests client requires you to pass fully qualified URLs.
+
+## RequestsClient and working with the database
+
+The `RequestsClient` class is useful if you want to write tests that solely interact with the service interface. This is a little stricter than using the standard Django test client, as it means that all interactions should be via the API.
+
+If you're using `RequestsClient` you'll want to ensure that test setup, and results assertions are performed as regular API calls, rather than interacting with the database models directly. For example, rather than checking that `Customer.objects.count() == 3` you would list the customers endpoint, and ensure that it contains three records.
+
+## Headers & Authentication
+
+Custom headers and authentication credentials can be provided in the same way
+as [when using a standard `requests.Session` instance][session_objects].
+
+    from requests.auth import HTTPBasicAuth
+
+    client.auth = HTTPBasicAuth('user', 'pass')
+    client.headers.update({'x-test': 'true'})
+
+## CSRF
+
+If you're using `SessionAuthentication` then you'll need to include a CSRF token
+for any `POST`, `PUT`, `PATCH` or `DELETE` requests.
+
+You can do so by following the same flow that a JavaScript based client would use.
+First, make a `GET` request in order to obtain a CSRF token, then present that
+token in the following request.
+
+For example...
+
+    client = RequestsClient()
+
+    # Obtain a CSRF token.
+    response = client.get('http://testserver/homepage/')
+    assert response.status_code == 200
+    csrftoken = response.cookies['csrftoken']
+
+    # Interact with the API.
+    response = client.post('http://testserver/organisations/', json={
+        'name': 'MegaCorp',
+        'status': 'active'
+    }, headers={'X-CSRFToken': csrftoken})
+    assert response.status_code == 200
+
+## Live tests
+
+With careful usage both the `RequestsClient` and the `CoreAPIClient` provide
+the ability to write test cases that can run either in development, or be run
+directly against your staging server or production environment.
+
+Using this style to create basic tests of a few core pieces of functionality is
+a powerful way to validate your live service. Doing so may require some careful
+attention to setup and teardown to ensure that the tests run in a way that they
+do not directly affect customer data.
+
+---
+
+# CoreAPIClient
+
+The CoreAPIClient allows you to interact with your API using the Python
+`coreapi` client library.
+
+    # Fetch the API schema
+    client = CoreAPIClient()
+    schema = client.get('http://testserver/schema/')
+
+    # Create a new organisation
+    params = {'name': 'MegaCorp', 'status': 'active'}
+    client.action(schema, ['organisations', 'create'], params)
+
+    # Ensure that the organisation exists in the listing
+    data = client.action(schema, ['organisations', 'list'])
+    assert(len(data) == 1)
+    assert(data == [{'name': 'MegaCorp', 'status': 'active'}])
+
+## Headers & Authentication
+
+Custom headers and authentication may be used with `CoreAPIClient` in a
+similar way as with `RequestsClient`.
+
+    from requests.auth import HTTPBasicAuth
+
+    client = CoreAPIClient()
+    client.session.auth = HTTPBasicAuth('user', 'pass')
+    client.session.headers.update({'x-test': 'true'})
+
+---
+
+# API Test cases
+
+REST framework includes the following test case classes, that mirror the existing [Django's test case classes][provided_test_case_classes], but use `APIClient` instead of Django's default `Client`.
 
 * `APISimpleTestCase`
 * `APITransactionTestCase`
@@ -197,9 +313,10 @@ REST framework includes the following test case classes, that mirror the existin
 
 You can use any of REST framework's test case classes as you would for the regular Django test case classes.  The `self.client` attribute will be an `APIClient` instance.
 
-    from django.core.urlresolvers import reverse
+    from django.urls import reverse
     from rest_framework import status
     from rest_framework.test import APITestCase
+    from myproject.apps.core.models import Account
 
     class AccountTests(APITestCase):
         def test_create_account(self):
@@ -210,7 +327,34 @@ You can use any of REST framework's test case classes as you would for the regul
             data = {'name': 'DabApps'}
             response = self.client.post(url, data, format='json')
             self.assertEqual(response.status_code, status.HTTP_201_CREATED)
-            self.assertEqual(response.data, data)
+            self.assertEqual(Account.objects.count(), 1)
+            self.assertEqual(Account.objects.get().name, 'DabApps')
+
+---
+
+# URLPatternsTestCase
+
+REST framework also provides a test case class for isolating `urlpatterns` on a per-class basis. Note that this inherits from Django's `SimpleTestCase`, and will most likely need to be mixed with another test case class.
+
+## Example
+
+    from django.urls import include, path, reverse
+    from rest_framework.test import APITestCase, URLPatternsTestCase
+
+
+    class AccountTests(APITestCase, URLPatternsTestCase):
+        urlpatterns = [
+            path('api/', include('api.urls')),
+        ]
+
+        def test_create_account(self):
+            """
+            Ensure we can create a new account object.
+            """
+            url = reverse('account-list')
+            response = self.client.get(url, format='json')
+            self.assertEqual(response.status_code, status.HTTP_200_OK)
+            self.assertEqual(len(response.data), 1)
 
 ---
 
@@ -261,14 +405,17 @@ For example, to add support for using `format='html'` in test requests, you migh
 
     REST_FRAMEWORK = {
         ...
-        'TEST_REQUEST_RENDERER_CLASSES': (
+        'TEST_REQUEST_RENDERER_CLASSES': [
             'rest_framework.renderers.MultiPartRenderer',
             'rest_framework.renderers.JSONRenderer',
             'rest_framework.renderers.TemplateHTMLRenderer'
-        )
+        ]
     }
 
-[cite]: http://jacobian.org/writing/django-apps-with-buildout/#s-create-a-test-wrapper
-[client]: https://docs.djangoproject.com/en/dev/topics/testing/tools/#the-test-client
-[requestfactory]: https://docs.djangoproject.com/en/dev/topics/testing/advanced/#django.test.client.RequestFactory
+[cite]: https://jacobian.org/writing/django-apps-with-buildout/#s-create-a-test-wrapper
+[client]: https://docs.djangoproject.com/en/stable/topics/testing/tools/#the-test-client
+[requestfactory]: https://docs.djangoproject.com/en/stable/topics/testing/advanced/#django.test.client.RequestFactory
 [configuration]: #configuration
+[refresh_from_db_docs]: https://docs.djangoproject.com/en/stable/ref/models/instances/#django.db.models.Model.refresh_from_db
+[session_objects]: https://requests.readthedocs.io/en/master/user/advanced/#session-objects
+[provided_test_case_classes]: https://docs.djangoproject.com/en/stable/topics/testing/tools/#provided-test-case-classes

docs/api-guide/throttling.md

@@ -1,4 +1,7 @@
-source: throttling.py
+---
+source:
+    - throttling.py
+---
 
 # Throttling
 
@@ -16,6 +19,10 @@ Multiple throttles can also be used if you want to impose both burst throttling
 
 Throttles do not necessarily only refer to rate-limiting requests.  For example a storage service might also need to throttle against bandwidth, and a paid data service might want to throttle against a certain number of a records being accessed.
 
+**The application-level throttling that REST framework provides should not be considered a security measure or protection against brute forcing or denial-of-service attacks. Deliberately malicious actors will always be able to spoof IP origins. In addition to this, the built-in throttling implementations are implemented using Django's cache framework, and use non-atomic operations to determine the request rate, which may sometimes result in some fuzziness.
+
+The application-level throttling provided by REST framework is intended for implementing policies such as different business tiers and basic protections against service over-use.**
+
 ## How throttling is determined
 
 As with permissions and authentication, throttling in REST framework is always defined as a list of classes.
@@ -28,27 +35,27 @@ If any throttle check fails an `exceptions.Throttled` exception will be raised,
 The default throttling policy may be set globally, using the `DEFAULT_THROTTLE_CLASSES` and `DEFAULT_THROTTLE_RATES` settings.  For example.
 
     REST_FRAMEWORK = {
-        'DEFAULT_THROTTLE_CLASSES': (
+        'DEFAULT_THROTTLE_CLASSES': [
             'rest_framework.throttling.AnonRateThrottle',
             'rest_framework.throttling.UserRateThrottle'
-        ),
+        ],
         'DEFAULT_THROTTLE_RATES': {
             'anon': '100/day',
             'user': '1000/day'
         }
     }
 
-The rate descriptions used in `DEFAULT_THROTTLE_RATES` may include `second`, `minute`, `hour` or `day` as the throttle period.
+The rates used in `DEFAULT_THROTTLE_RATES` can be specified over a period of second, minute, hour or day. The period must be specified after the `/` separator using `s`, `m`, `h` or `d`, respectively. For increased clarity, extended units such as `second`, `minute`, `hour`, `day` or even abbreviations like `sec`, `min`, `hr` are allowed, as only the first character is relevant to identify the rate.
 
 You can also set the throttling policy on a per-view or per-viewset basis,
-using the `APIView` class based views.
+using the `APIView` class-based views.
 
-	from rest_framework.response import Response
+    from rest_framework.response import Response
     from rest_framework.throttling import UserRateThrottle
-	from rest_framework.views import APIView
+    from rest_framework.views import APIView
 
     class ExampleView(APIView):
-        throttle_classes = (UserRateThrottle,)
+        throttle_classes = [UserRateThrottle]
 
         def get(self, request, format=None):
             content = {
@@ -56,7 +63,7 @@ using the `APIView` class based views.
             }
             return Response(content)
 
-Or, if you're using the `@api_view` decorator with function based views.
+If you're using the `@api_view` decorator with function based views you can use the following decorator.
 
     @api_view(['GET'])
     @throttle_classes([UserRateThrottle])
@@ -66,15 +73,25 @@ Or, if you're using the `@api_view` decorator with function based views.
         }
         return Response(content)
 
-## How clients are identified
+It's also possible to set throttle classes for routes that are created using the `@action` decorator.
+Throttle classes set in this way will override any viewset level class settings.
 
-The `X-Forwarded-For` and `Remote-Addr` HTTP headers are used to uniquely identify client IP addresses for throttling.  If the `X-Forwarded-For` header is present then it will be used, otherwise the value of the `Remote-Addr` header will be used.
+    @action(detail=True, methods=["post"], throttle_classes=[UserRateThrottle])
+    def example_adhoc_method(request, pk=None):
+        content = {
+            'status': 'request was permitted'
+        }
+        return Response(content)
 
-If you need to strictly identify unique client IP addresses, you'll need to first configure the number of application proxies that the API runs behind by setting the `NUM_PROXIES` setting.  This setting should be an integer of zero or more.  If set to non-zero then the client IP will be identified as being the last IP address in the `X-Forwarded-For` header, once any application proxy IP addresses have first been excluded.  If set to zero, then the `Remote-Addr` header will always be used as the identifying IP address.
+## How clients are identified
 
-It is important to understand that if you configure the `NUM_PROXIES` setting, then all clients behind a unique [NAT'd](http://en.wikipedia.org/wiki/Network_address_translation) gateway will be treated as a single client.
+The `X-Forwarded-For` HTTP header and `REMOTE_ADDR` WSGI variable are used to uniquely identify client IP addresses for throttling.  If the `X-Forwarded-For` header is present then it will be used, otherwise the value of the `REMOTE_ADDR` variable from the WSGI environment will be used.
 
-Further context on how the `X-Forwarded-For` header works, and identifying a remote client IP can be [found here][identifing-clients].
+If you need to strictly identify unique client IP addresses, you'll need to first configure the number of application proxies that the API runs behind by setting the `NUM_PROXIES` setting.  This setting should be an integer of zero or more.  If set to non-zero then the client IP will be identified as being the last IP address in the `X-Forwarded-For` header, once any application proxy IP addresses have first been excluded.  If set to zero, then the `REMOTE_ADDR` value will always be used as the identifying IP address.
+
+It is important to understand that if you configure the `NUM_PROXIES` setting, then all clients behind a unique [NAT'd](https://en.wikipedia.org/wiki/Network_address_translation) gateway will be treated as a single client.
+
+Further context on how the `X-Forwarded-For` header works, and identifying a remote client IP can be [found here][identifying-clients].
 
 ## Setting up the cache
 
@@ -82,11 +99,19 @@ The throttle classes provided by REST framework use Django's cache backend.  You
 
 If you need to use a cache other than `'default'`, you can do so by creating a custom throttle class and setting the `cache` attribute.  For example:
 
+    from django.core.cache import caches
+
     class CustomAnonRateThrottle(AnonRateThrottle):
-        cache = get_cache('alternate')
+        cache = caches['alternate']
 
 You'll need to remember to also set your custom throttle class in the `'DEFAULT_THROTTLE_CLASSES'` settings key, or using the `throttle_classes` view attribute.
 
+## A note on concurrency
+
+The built-in throttle implementations are open to [race conditions][race], so under high concurrency they may allow a few extra requests through.
+
+If your project relies on guaranteeing the number of requests during concurrent requests, you will need to implement your own throttle class.
+
 ---
 
 # API Reference
@@ -124,10 +149,10 @@ For example, multiple user throttle rates could be implemented by using the foll
 ...and the following settings.
 
     REST_FRAMEWORK = {
-        'DEFAULT_THROTTLE_CLASSES': (
+        'DEFAULT_THROTTLE_CLASSES': [
             'example.throttles.BurstRateThrottle',
             'example.throttles.SustainedRateThrottle'
-        ),
+        ],
         'DEFAULT_THROTTLE_RATES': {
             'burst': '60/min',
             'sustained': '1000/day'
@@ -148,7 +173,7 @@ For example, given the following views...
         throttle_scope = 'contacts'
         ...
 
-    class ContactDetailView(ApiView):
+    class ContactDetailView(APIView):
         throttle_scope = 'contacts'
         ...
 
@@ -159,9 +184,9 @@ For example, given the following views...
 ...and the following settings.
 
     REST_FRAMEWORK = {
-        'DEFAULT_THROTTLE_CLASSES': (
+        'DEFAULT_THROTTLE_CLASSES': [
             'rest_framework.throttling.ScopedRateThrottle',
-        ),
+        ],
         'DEFAULT_THROTTLE_RATES': {
             'contacts': '1000/day',
             'uploads': '20/day'
@@ -184,12 +209,15 @@ If the `.wait()` method is implemented and the request is throttled, then a `Ret
 
 The following is an example of a rate throttle, that will randomly throttle 1 in every 10 requests.
 
-    class RandomRateThrottle(throttles.BaseThrottle):
-        def allow_request(self, request, view):
-            return random.randint(1, 10) == 1
+    import random
 
-[cite]: https://dev.twitter.com/docs/error-codes-responses
+    class RandomRateThrottle(throttling.BaseThrottle):
+        def allow_request(self, request, view):
+            return random.randint(1, 10) != 1
+
+[cite]: https://developer.twitter.com/en/docs/basics/rate-limiting
 [permissions]: permissions.md
-[identifing-clients]: http://oxpedia.org/wiki/index.php?title=AppSuite:Grizzly#Multiple_Proxies_in_front_of_the_cluster
-[cache-setting]: https://docs.djangoproject.com/en/dev/ref/settings/#caches
-[cache-docs]: https://docs.djangoproject.com/en/dev/topics/cache/#setting-up-the-cache
+[identifying-clients]: http://oxpedia.org/wiki/index.php?title=AppSuite:Grizzly#Multiple_Proxies_in_front_of_the_cluster
+[cache-setting]: https://docs.djangoproject.com/en/stable/ref/settings/#caches
+[cache-docs]: https://docs.djangoproject.com/en/stable/topics/cache/#setting-up-the-cache
+[race]: https://en.wikipedia.org/wiki/Race_condition#Data_race

docs/api-guide/validators.md

@@ -1,4 +1,7 @@
-source: validators.py
+---
+source:
+    - validators.py
+---
 
 # Validators
 
@@ -17,10 +20,10 @@ Validation in Django REST framework serializers is handled a little differently
 With `ModelForm` the validation is performed partially on the form, and partially on the model instance. With REST framework the validation is performed entirely on the serializer class. This is advantageous for the following reasons:
 
 * It introduces a proper separation of concerns, making your code behavior more obvious.
-* It is easy to switch between using shortcut `ModelSerializer` classes and using  explicit `Serializer` classes. Any validation behavior being used for `ModelSerializer` is simple to replicate.
+* It is easy to switch between using shortcut `ModelSerializer` classes and using explicit `Serializer` classes. Any validation behavior being used for `ModelSerializer` is simple to replicate.
 * Printing the `repr` of a serializer instance will show you exactly what validation rules it applies. There's no extra hidden validation behavior being called on the model instance.
 
-When you're using `ModelSerializer` all of this is handled automatically for you. If you want to drop down to using a `Serializer` classes instead, then you need to define the validation rules explicitly.
+When you're using `ModelSerializer` all of this is handled automatically for you. If you want to drop down to using `Serializer` classes instead, then you need to define the validation rules explicitly.
 
 #### Example
 
@@ -45,12 +48,12 @@ If we open up the Django shell using `manage.py shell` we can now
     CustomerReportSerializer():
         id = IntegerField(label='ID', read_only=True)
         time_raised = DateTimeField(read_only=True)
-        reference = CharField(max_length=20, validators=[<UniqueValidator(queryset=CustomerReportRecord.objects.all())>])
+        reference = CharField(max_length=20, validators=[UniqueValidator(queryset=CustomerReportRecord.objects.all())])
         description = CharField(style={'type': 'textarea'})
 
 The interesting bit here is the `reference` field. We can see that the uniqueness constraint is being explicitly enforced by a validator on the serializer field.
 
-Because of this more explicit style REST framework includes a few validator classes that are not available in core Django. These classes are detailed below.
+Because of this more explicit style REST framework includes a few validator classes that are not available in core Django. These classes are detailed below.  REST framework validators, like their Django counterparts, implement the `__eq__` method, allowing you to compare instances for equality.
 
 ---
 
@@ -61,9 +64,12 @@ It takes a single required argument, and an optional `messages` argument:
 
 * `queryset` *required* - This is the queryset against which uniqueness should be enforced.
 * `message` - The error message that should be used when validation fails.
+* `lookup` - The lookup used to find an existing instance with the value being validated. Defaults to `'exact'`.
 
 This validator should be applied to *serializer fields*, like so:
 
+    from rest_framework.validators import UniqueValidator
+
     slug = SlugField(
         max_length=100,
         validators=[UniqueValidator(queryset=BlogPost.objects.all())]
@@ -80,6 +86,8 @@ It has two required arguments, and a single optional `messages` argument:
 
 The validator should be applied to *serializer classes*, like so:
 
+    from rest_framework.validators import UniqueTogetherValidator
+
     class ExampleSerializer(serializers.Serializer):
         # ...
         class Meta:
@@ -89,13 +97,13 @@ The validator should be applied to *serializer classes*, like so:
             validators = [
                 UniqueTogetherValidator(
                     queryset=ToDoItem.objects.all(),
-                    fields=('list', 'position')
+                    fields=['list', 'position']
                 )
             ]
 
 ---
 
-**Note**: The `UniqueTogetherValidation` class always imposes an implicit constraint that all the fields it applies to are always treated as required. Fields with `default` values are an exception to this as they always supply a value even when omitted from user input.
+**Note**: The `UniqueTogetherValidator` class always imposes an implicit constraint that all the fields it applies to are always treated as required. Fields with `default` values are an exception to this as they always supply a value even when omitted from user input.
 
 ---
 
@@ -114,6 +122,8 @@ These validators can be used to enforce the `unique_for_date`, `unique_for_month
 
 The validator should be applied to *serializer classes*, like so:
 
+    from rest_framework.validators import UniqueForYearValidator
+
     class ExampleSerializer(serializers.Serializer):
         # ...
         class Meta:
@@ -142,28 +152,30 @@ If you want the date field to be visible, but not editable by the user, then set
 
     published = serializers.DateTimeField(read_only=True, default=timezone.now)
 
-The field will not be writable to the user, but the default value will still be passed through to the `validated_data`.
-
 #### Using with a hidden date field.
 
-If you want the date field to be entirely hidden from the user, then use `HiddenField`. This field type does not accept user input, but instead always returns it's default value to the `validated_data` in the serializer.
+If you want the date field to be entirely hidden from the user, then use `HiddenField`. This field type does not accept user input, but instead always returns its default value to the `validated_data` in the serializer.
 
     published = serializers.HiddenField(default=timezone.now)
 
 ---
 
-**Note**: The `UniqueFor<Range>Validation` classes always imposes an implicit constraint that the fields they are applied to are always treated as required. Fields with `default` values are an exception to this as they always supply a value even when omitted from user input.
+**Note**: The `UniqueFor<Range>Validator` classes impose an implicit constraint that the fields they are applied to are always treated as required. Fields with `default` values are an exception to this as they always supply a value even when omitted from user input.
 
 ---
 
-# Advanced 'default' argument usage
+---
+
+**Note:** `HiddenField()` does not appear in `partial=True` serializer (when making `PATCH` request).
+
+---
+
+# Advanced field defaults
 
 Validators that are applied across multiple fields in the serializer can sometimes require a field input that should not be provided by the API client, but that *is* available as input to the validator.
+For this purposes use `HiddenField`. This field will be present in `validated_data` but *will not* be used in the serializer output representation.
 
-Two patterns that you may want to use for this sort of validation include:
-
-* Using `HiddenField`. This field will be present in `validated_data` but *will not* be used in the serializer output representation.
-* Using a standard field with `read_only=True`, but that also includes a `default=…` argument. This field *will* be used in the serializer output representation, but cannot be set directly by the user.
+**Note:** Using a `read_only=True` field is excluded from writable fields so it won't use a `default=…` argument. Look [3.8 announcement](https://www.django-rest-framework.org/community/3.8-announcement/#altered-the-behaviour-of-read_only-plus-default-on-field).
 
 REST framework includes a couple of defaults that may be useful in this context.
 
@@ -175,19 +187,83 @@ A default class that can be used to represent the current user. In order to use
         default=serializers.CurrentUserDefault()
     )
 
-#### CreateOnlyDefault
+#### CreateOnlyDefault
 
 A default class that can be used to *only set a default argument during create operations*. During updates the field is omitted.
 
 It takes a single argument, which is the default value or callable that should be used during create operations.
 
     created_at = serializers.DateTimeField(
-        read_only=True,
-        default=CreateOnlyDefault(timezone.now)
+        default=serializers.CreateOnlyDefault(timezone.now)
     )
 
 ---
 
+# Limitations of validators
+
+There are some ambiguous cases where you'll need to instead handle validation
+explicitly, rather than relying on the default serializer classes that
+`ModelSerializer` generates.
+
+In these cases you may want to disable the automatically generated validators,
+by specifying an empty list for the serializer `Meta.validators` attribute.
+
+## Optional fields
+
+By default "unique together" validation enforces that all fields be
+`required=True`. In some cases, you might want to explicit apply
+`required=False` to one of the fields, in which case the desired behavior
+of the validation is ambiguous.
+
+In this case you will typically need to exclude the validator from the
+serializer class, and instead write any validation logic explicitly, either
+in the `.validate()` method, or else in the view.
+
+For example:
+
+    class BillingRecordSerializer(serializers.ModelSerializer):
+        def validate(self, attrs):
+            # Apply custom validation either here, or in the view.
+
+        class Meta:
+            fields = ['client', 'date', 'amount']
+            extra_kwargs = {'client': {'required': False}}
+            validators = []  # Remove a default "unique together" constraint.
+
+## Updating nested serializers
+
+When applying an update to an existing instance, uniqueness validators will
+exclude the current instance from the uniqueness check. The current instance
+is available in the context of the uniqueness check, because it exists as
+an attribute on the serializer, having initially been passed using
+`instance=...` when instantiating the serializer.
+
+In the case of update operations on *nested* serializers there's no way of
+applying this exclusion, because the instance is not available.
+
+Again, you'll probably want to explicitly remove the validator from the
+serializer class, and write the code for the validation constraint
+explicitly, in a `.validate()` method, or in the view.
+
+## Debugging complex cases
+
+If you're not sure exactly what behavior a `ModelSerializer` class will
+generate it is usually a good idea to run `manage.py shell`, and print
+an instance of the serializer, so that you can inspect the fields and
+validators that it automatically generates for you.
+
+    >>> serializer = MyComplexModelSerializer()
+    >>> print(serializer)
+    class MyComplexModelSerializer:
+        my_fields = ...
+
+Also keep in mind that with complex cases it can often be better to explicitly
+define your serializer classes, rather than relying on the default
+`ModelSerializer` behavior. This involves a little more code, but ensures
+that the resulting behavior is more transparent.
+
+---
+
 # Writing custom validators
 
 You can use any of Django's existing validators, or write your own custom validators.
@@ -200,26 +276,37 @@ A validator may be any callable that raises a `serializers.ValidationError` on f
         if value % 2 != 0:
             raise serializers.ValidationError('This field must be an even number.')
 
-## Class based
+#### Field-level validation
 
-To write a class based validator, use the `__call__` method. Class based validators are useful as they allow you to parameterize and reuse behavior.
+You can specify custom field-level validation by adding `.validate_<field_name>` methods
+to your `Serializer` subclass. This is documented in the
+[Serializer docs](https://www.django-rest-framework.org/api-guide/serializers/#field-level-validation)
+
+## Class-based
+
+To write a class-based validator, use the `__call__` method. Class-based validators are useful as they allow you to parameterize and reuse behavior.
 
     class MultipleOf:
         def __init__(self, base):
             self.base = base
 
         def __call__(self, value):
-            if value % self.base != 0
+            if value % self.base != 0:
                 message = 'This field must be a multiple of %d.' % self.base
                 raise serializers.ValidationError(message)
 
-#### Using `set_context()`
+#### Accessing the context
 
-In some advanced cases you might want a validator to be passed the serializer field it is being used with as additional context. You can do so by declaring a `set_context` method on a class based validator.
+In some advanced cases you might want a validator to be passed the serializer
+field it is being used with as additional context. You can do so by setting
+a `requires_context = True` attribute on the validator class. The `__call__` method
+will then be called with the `serializer_field`
+or `serializer` as an additional argument.
 
-    def set_context(self, serializer_field):
-        # Determine if this is an update or a create operation.
-        # In `__call__` we can then use that information to modify the validation behavior.
-        self.is_update = serializer_field.parent.instance is not None
+    class MultipleOf:
+        requires_context = True
 
-[cite]: https://docs.djangoproject.com/en/dev/ref/validators/
+        def __call__(self, value, serializer_field):
+            ...
+
+[cite]: https://docs.djangoproject.com/en/stable/ref/validators/

docs/api-guide/versioning.md

@@ -1,9 +1,12 @@
-source: versioning.py
+---
+source:
+    - versioning.py
+---
 
 # Versioning
 
 > Versioning an interface is just a "polite" way to kill deployed clients.
-> 
+>
 > — [Roy Fielding][cite].
 
 API versioning allows you to alter behavior between different clients. REST framework provides for a number of different versioning schemes.
@@ -37,7 +40,7 @@ The `reverse` function included by REST framework ties in with the versioning sc
 
 The above function will apply any URL transformations appropriate to the request version. For example:
 
-* If `NamespacedVersioning` was being used, and the API version was 'v1', then the URL lookup used would be `'v1:bookings-list'`, which might resolve to a URL like `http://example.org/v1/bookings/`.
+* If `NamespaceVersioning` was being used, and the API version was 'v1', then the URL lookup used would be `'v1:bookings-list'`, which might resolve to a URL like `http://example.org/v1/bookings/`.
 * If `QueryParameterVersioning` was being used, and the API version was `1.0`, then the returned URL might be something like `http://example.org/bookings/?version=1.0`
 
 #### Versioned APIs and hyperlinked serializers
@@ -71,8 +74,21 @@ You can also set the versioning scheme on an individual view. Typically you won'
 The following settings keys are also used to control versioning:
 
 * `DEFAULT_VERSION`. The value that should be used for `request.version` when no versioning information is present. Defaults to `None`.
-* `ALLOWED_VERSIONS`. If set, this value will restrict the set of versions that may be returned by the versioning scheme, and will raise an error if the provided version if not in this set. Defaults to `None`.
-* `VERSION_PARAMETER`. The string that should used for any versioning parameters, such as in the media type or URL query parameters. Defaults to `'version'`.
+* `ALLOWED_VERSIONS`. If set, this value will restrict the set of versions that may be returned by the versioning scheme, and will raise an error if the provided version is not in this set. Note that the value used for the `DEFAULT_VERSION` setting is always considered to be part of the `ALLOWED_VERSIONS` set (unless it is `None`). Defaults to `None`.
+* `VERSION_PARAM`. The string that should be used for any versioning parameters, such as in the media type or URL query parameters. Defaults to `'version'`.
+
+You can also set your versioning class plus those three values on a per-view or a per-viewset basis by defining your own versioning scheme and using the `default_version`, `allowed_versions` and `version_param` class variables. For example, if you want to use `URLPathVersioning`:
+
+    from rest_framework.versioning import URLPathVersioning
+    from rest_framework.views import APIView
+
+    class ExampleVersioning(URLPathVersioning):
+        default_version = ...
+        allowed_versions = ...
+        version_param = ...
+
+    class ExampleView(APIVIew):
+        versioning_class = ExampleVersioning
 
 ---
 
@@ -116,13 +132,13 @@ This scheme requires the client to specify the version as part of the URL path.
 Your URL conf must include a pattern that matches the version with a `'version'` keyword argument, so that this information is available to the versioning scheme.
 
     urlpatterns = [
-        url(
-            r'^(?P<version>{v1,v2})/bookings/$',
+        re_path(
+            r'^(?P<version>(v1|v2))/bookings/$',
             bookings_list,
             name='bookings-list'
         ),
-        url(
-            r'^(?P<version>{v1,v2})/bookings/(?P<pk>[0-9]+)/$',
+        re_path(
+            r'^(?P<version>(v1|v2))/bookings/(?P<pk>[0-9]+)/$',
             bookings_detail,
             name='bookings-detail'
         )
@@ -130,7 +146,7 @@ Your URL conf must include a pattern that matches the version with a `'version'`
 
 ## NamespaceVersioning
 
-To the client, this scheme is the same as `URLParameterVersioning`. The only difference is how it is configured in your Django application, as it uses URL namespacing, instead of URL keyword arguments.
+To the client, this scheme is the same as `URLPathVersioning`. The only difference is how it is configured in your Django application, as it uses URL namespacing, instead of URL keyword arguments.
 
     GET /v1/something/ HTTP/1.1
     Host: example.com
@@ -142,17 +158,17 @@ In the following example we're giving a set of views two different possible URL
 
     # bookings/urls.py
     urlpatterns = [
-        url(r'^$', bookings_list, name='bookings-list'),
-        url(r'^(?P<pk>[0-9]+)/$', bookings_detail, name='bookings-detail')
+        re_path(r'^$', bookings_list, name='bookings-list'),
+        re_path(r'^(?P<pk>[0-9]+)/$', bookings_detail, name='bookings-detail')
     ]
 
     # urls.py
     urlpatterns = [
-        url(r'^v1/bookings/', include('bookings.urls', namespace='v1')),
-        url(r'^v2/bookings/', include('bookings.urls', namespace='v2'))
+        re_path(r'^v1/bookings/', include('bookings.urls', namespace='v1')),
+        re_path(r'^v2/bookings/', include('bookings.urls', namespace='v2'))
     ]
 
-Both `URLParameterVersioning` and `NamespaceVersioning` are reasonable if you just need a simple versioning scheme. The `URLParameterVersioning` approach might be better suitable for small ad-hoc projects, and the `NamespaceVersioning` is probably easier to manage for larger projects.
+Both `URLPathVersioning` and `NamespaceVersioning` are reasonable if you just need a simple versioning scheme. The `URLPathVersioning` approach might be better suitable for small ad-hoc projects, and the `NamespaceVersioning` is probably easier to manage for larger projects.
 
 ## HostNameVersioning
 
@@ -170,7 +186,7 @@ By default this implementation expects the hostname to match this simple regular
 
 Note that the first group is enclosed in brackets, indicating that this is the matched portion of the hostname.
 
-The `HostNameVersioning` scheme can be awkward to use in debug mode as you will typically be accessing a raw IP address such as `127.0.0.1`. There are various online services which you to [access localhost with a custom subdomain][lvh] which you may find helpful in this case.
+The `HostNameVersioning` scheme can be awkward to use in debug mode as you will typically be accessing a raw IP address such as `127.0.0.1`. There are various online tutorials on how to [access localhost with a custom subdomain][lvh] which you may find helpful in this case.
 
 Hostname based versioning can be particularly useful if you have requirements to route incoming requests to different servers based on the version, as you can configure different DNS records for different API versions.
 
@@ -198,10 +214,10 @@ The following example uses a custom `X-API-Version` header to determine the requ
 
 If your versioning scheme is based on the request URL, you will also want to alter how versioned URLs are determined. In order to do so you should override the `.reverse()` method on the class. See the source code for examples.
 
-[cite]: http://www.slideshare.net/evolve_conference/201308-fielding-evolve/31
-[roy-fielding-on-versioning]: http://www.infoq.com/articles/roy-fielding-on-versioning
+[cite]: https://www.slideshare.net/evolve_conference/201308-fielding-evolve/31
+[roy-fielding-on-versioning]: https://www.infoq.com/articles/roy-fielding-on-versioning
 [klabnik-guidelines]: http://blog.steveklabnik.com/posts/2011-07-03-nobody-understands-rest-or-http#i_want_my_api_to_be_versioned
-[heroku-guidelines]: https://github.com/interagent/http-api-design#version-with-accepts-header
-[json-parameters]: http://tools.ietf.org/html/rfc4627#section-6
-[vendor-media-type]: http://en.wikipedia.org/wiki/Internet_media_type#Vendor_tree
+[heroku-guidelines]: https://github.com/interagent/http-api-design/blob/master/en/foundations/require-versioning-in-the-accepts-header.md
+[json-parameters]: https://tools.ietf.org/html/rfc4627#section-6
+[vendor-media-type]: https://en.wikipedia.org/wiki/Internet_media_type#Vendor_tree
 [lvh]: https://reinteractive.net/posts/199-developing-and-testing-rails-applications-with-subdomains

docs/api-guide/views.md

@@ -1,9 +1,12 @@
-source: decorators.py
-        views.py
+---
+source:
+    - decorators.py
+    - views.py
+---
 
-# Class Based Views
+# Class-based Views
 
-> Django's class based views are a welcome departure from the old-style views.
+> Django's class-based views are a welcome departure from the old-style views.
 >
 > — [Reinout van Rees][cite]
 
@@ -23,6 +26,7 @@ For example:
     from rest_framework.views import APIView
     from rest_framework.response import Response
     from rest_framework import authentication, permissions
+    from django.contrib.auth.models import User
 
     class ListUsers(APIView):
         """
@@ -31,8 +35,8 @@ For example:
         * Requires token authentication.
         * Only admin users are able to access this view.
         """
-        authentication_classes = (authentication.TokenAuthentication,)
-        permission_classes = (permissions.IsAdminUser,)
+        authentication_classes = [authentication.TokenAuthentication]
+        permission_classes = [permissions.IsAdminUser]
 
         def get(self, request, format=None):
             """
@@ -41,6 +45,13 @@ For example:
             usernames = [user.username for user in User.objects.all()]
             return Response(usernames)
 
+---
+
+**Note**: The full methods, attributes on, and relations between Django REST Framework's `APIView`, `GenericAPIView`, various `Mixins`, and `Viewsets` can be initially complex. In addition to the documentation here, the [Classy Django REST Framework][classy-drf] resource provides a browsable reference, with full methods and attributes, for each of Django REST Framework's class-based views.
+
+---
+
+
 ## API policy attributes
 
 The following attributes control the pluggable aspects of API views.
@@ -73,6 +84,8 @@ The following methods are used by REST framework to instantiate the various plug
 
 ### .get_content_negotiator(self)
 
+### .get_exception_handler(self)
+
 ## API policy implementation methods
 
 The following methods are called before dispatching to the handler method.
@@ -119,7 +132,7 @@ You won't typically need to override this method.
 
 # Function Based Views
 
-> Saying [that Class based views] is always the superior solution is a mistake.
+> Saying [that class-based views] is always the superior solution is a mistake.
 >
 > — [Nick Coghlan][cite2]
 
@@ -132,6 +145,7 @@ REST framework also allows you to work with regular function based views.  It pr
 The core of this functionality is the `api_view` decorator, which takes a list of HTTP methods that your view should respond to. For example, this is how you would write a very simple view that just manually returns some data:
 
     from rest_framework.decorators import api_view
+    from rest_framework.response import Response
 
     @api_view()
     def hello_world(request):
@@ -147,6 +161,7 @@ By default only `GET` methods will be accepted. Other methods will respond with
             return Response({"message": "Got some data!", "data": request.data})
         return Response({"message": "Hello, world!"})
 
+
 ## API policy decorators
 
 To override the default settings, REST framework provides a set of additional decorators which can be added to your views.  These must come *after* (below) the `@api_view` decorator.  For example, to create a view that uses a [throttle][throttling] to ensure it can only be called once per day by a particular user, use the `@throttle_classes` decorator, passing a list of throttle classes:
@@ -155,7 +170,7 @@ To override the default settings, REST framework provides a set of additional de
     from rest_framework.throttling import UserRateThrottle
 
     class OncePerDayUserThrottle(UserRateThrottle):
-            rate = '1/day'
+        rate = '1/day'
 
     @api_view(['GET'])
     @throttle_classes([OncePerDayUserThrottle])
@@ -174,7 +189,39 @@ The available decorators are:
 
 Each of these decorators takes a single argument which must be a list or tuple of classes.
 
-[cite]: http://reinout.vanrees.org/weblog/2011/08/24/class-based-views-usage.html
+
+## View schema decorator
+
+To override the default schema generation for function based views you may use
+the `@schema` decorator. This must come *after* (below) the `@api_view`
+decorator. For example:
+
+    from rest_framework.decorators import api_view, schema
+    from rest_framework.schemas import AutoSchema
+
+    class CustomAutoSchema(AutoSchema):
+        def get_link(self, path, method, base_url):
+            # override view introspection here...
+
+    @api_view(['GET'])
+    @schema(CustomAutoSchema())
+    def view(request):
+        return Response({"message": "Hello for today! See you tomorrow!"})
+
+This decorator takes a single `AutoSchema` instance, an `AutoSchema` subclass
+instance or `ManualSchema` instance as described in the [Schemas documentation][schemas].
+You may pass `None` in order to exclude the view from schema generation.
+
+    @api_view(['GET'])
+    @schema(None)
+    def view(request):
+        return Response({"message": "Will not appear in schema!"})
+
+
+[cite]: https://reinout.vanrees.org/weblog/2011/08/24/class-based-views-usage.html
 [cite2]: http://www.boredomandlaziness.org/2012/05/djangos-cbvs-are-not-mistake-but.html
 [settings]: settings.md
 [throttling]: throttling.md
+[schemas]: schemas.md
+[classy-drf]: http://www.cdrf.co
+

docs/api-guide/viewsets.md

@@ -1,4 +1,7 @@
-source: viewsets.py
+---
+source:
+    - viewsets.py
+---
 
 # ViewSets
 
@@ -27,7 +30,7 @@ Let's define a simple viewset that can be used to list or retrieve all the users
 
     class UserViewSet(viewsets.ViewSet):
         """
-        A simple ViewSet that for listing or retrieving users.
+        A simple ViewSet for listing or retrieving users.
         """
         def list(self, request):
             queryset = User.objects.all()
@@ -51,7 +54,7 @@ Typically we wouldn't do this, but would instead register the viewset with a rou
     from rest_framework.routers import DefaultRouter
 
     router = DefaultRouter()
-    router.register(r'users', UserViewSet)
+    router.register(r'users', UserViewSet, basename='user')
     urlpatterns = router.urls
 
 Rather than writing your own viewsets, you'll often want to use the existing base classes that provide a default set of behavior.  For example:
@@ -70,9 +73,10 @@ There are two main advantages of using a `ViewSet` class over using a `View` cla
 
 Both of these come with a trade-off.  Using regular views and URL confs is more explicit and gives you more control.  ViewSets are helpful if you want to get up and running quickly, or when you have a large API and you want to enforce a consistent URL configuration throughout.
 
-## Marking extra actions for routing
 
-The default routers included with REST framework will provide routes for a standard set of create/retrieve/update/destroy style operations, as shown below:
+## ViewSet actions
+
+The default routers included with REST framework will provide routes for a standard set of create/retrieve/update/destroy style actions, as shown below:
 
     class UserViewSet(viewsets.ViewSet):
         """
@@ -101,16 +105,40 @@ The default routers included with REST framework will provide routes for a stand
         def destroy(self, request, pk=None):
             pass
 
-If you have ad-hoc methods that you need to be routed to, you can mark them as requiring routing using the `@detail_route` or `@list_route` decorators.
+## Introspecting ViewSet actions
 
-The `@detail_route` decorator contains `pk` in its URL pattern and is intended for methods which require a single instance. The `@list_route` decorator is intended for methods which operate on a list of objects.
+During dispatch, the following attributes are available on the `ViewSet`.
 
-For example:
+* `basename` - the base to use for the URL names that are created.
+* `action` - the name of the current action (e.g., `list`, `create`).
+* `detail` - boolean indicating if the current action is configured for a list or detail view.
+* `suffix` - the display suffix for the viewset type - mirrors the `detail` attribute.
+* `name` - the display name for the viewset. This argument is mutually exclusive to `suffix`.
+* `description` - the display description for the individual view of a viewset.
+
+You may inspect these attributes to adjust behavior based on the current action. For example, you could restrict permissions to everything except the `list` action similar to this:
+
+    def get_permissions(self):
+        """
+        Instantiates and returns the list of permissions that this view requires.
+        """
+        if self.action == 'list':
+            permission_classes = [IsAuthenticated]
+        else:
+            permission_classes = [IsAdminUser]
+        return [permission() for permission in permission_classes]
+
+**Note**: the `action` attribute is not available in the `get_parsers`, `get_authenticators` and `get_content_negotiator` methods, as it is set _after_ they are called in the framework lifecycle. If you override one of these methods and try to access the `action` attribute in them, you will get an `AttributeError` error.
+
+## Marking extra actions for routing
+
+If you have ad-hoc methods that should be routable, you can mark them as such with the `@action` decorator. Like regular actions, extra actions may be intended for either a single object, or an entire collection. To indicate this, set the `detail` argument to `True` or `False`. The router will configure its URL patterns accordingly. e.g., the `DefaultRouter` will configure detail actions to contain `pk` in their URL patterns.
+
+A more complete example of extra actions:
 
     from django.contrib.auth.models import User
-    from rest_framework import status
-    from rest_framework import viewsets
-    from rest_framework.decorators import detail_route, list_route
+    from rest_framework import status, viewsets
+    from rest_framework.decorators import action
     from rest_framework.response import Response
     from myapp.serializers import UserSerializer, PasswordSerializer
 
@@ -121,21 +149,21 @@ For example:
         queryset = User.objects.all()
         serializer_class = UserSerializer
 
-        @detail_route(methods=['post'])
+        @action(detail=True, methods=['post'])
         def set_password(self, request, pk=None):
             user = self.get_object()
             serializer = PasswordSerializer(data=request.data)
             if serializer.is_valid():
-                user.set_password(serializer.data['password'])
+                user.set_password(serializer.validated_data['password'])
                 user.save()
                 return Response({'status': 'password set'})
             else:
                 return Response(serializer.errors,
                                 status=status.HTTP_400_BAD_REQUEST)
 
-        @list_route()
+        @action(detail=False)
         def recent_users(self, request):
-            recent_users = User.objects.all().order('-last_login')
+            recent_users = User.objects.all().order_by('-last_login')
 
             page = self.paginate_queryset(recent_users)
             if page is not None:
@@ -145,19 +173,69 @@ For example:
             serializer = self.get_serializer(recent_users, many=True)
             return Response(serializer.data)
 
-The decorators can additionally take extra arguments that will be set for the routed view only.  For example...
 
-        @detail_route(methods=['post'], permission_classes=[IsAdminOrIsSelf])
-        def set_password(self, request, pk=None):
-           ...
+The `action` decorator will route `GET` requests by default, but may also accept other HTTP methods by setting the `methods` argument.  For example:
 
-These decorators will route `GET` requests by default, but may also accept other HTTP methods, by using the `methods` argument.  For example:
-
-        @detail_route(methods=['post', 'delete'])
+        @action(detail=True, methods=['post', 'delete'])
         def unset_password(self, request, pk=None):
            ...
 
-The two new actions will then be available at the urls `^users/{pk}/set_password/$` and `^users/{pk}/unset_password/$`
+Argument `methods` also supports HTTP methods defined as [HTTPMethod](https://docs.python.org/3/library/http.html#http.HTTPMethod). Example below is identical to the one above: 
+
+        from http import HTTPMethod
+
+        @action(detail=True, methods=[HTTPMethod.POST, HTTPMethod.DELETE])
+        def unset_password(self, request, pk=None):
+           ...
+
+The decorator allows you to override any viewset-level configuration such as `permission_classes`, `serializer_class`, `filter_backends`...:
+
+        @action(detail=True, methods=['post'], permission_classes=[IsAdminOrIsSelf])
+        def set_password(self, request, pk=None):
+           ...
+
+The two new actions will then be available at the urls `^users/{pk}/set_password/$` and `^users/{pk}/unset_password/$`. Use the `url_path` and `url_name` parameters to change the URL segment and the reverse URL name of the action.
+
+To view all extra actions, call the `.get_extra_actions()` method.
+
+### Routing additional HTTP methods for extra actions
+
+Extra actions can map additional HTTP methods to separate `ViewSet` methods. For example, the above password set/unset methods could be consolidated into a single route. Note that additional mappings do not accept arguments.
+
+```python
+@action(detail=True, methods=["put"], name="Change Password")
+def password(self, request, pk=None):
+    """Update the user's password."""
+    ...
+
+
+@password.mapping.delete
+def delete_password(self, request, pk=None):
+    """Delete the user's password."""
+    ...
+```
+
+## Reversing action URLs
+
+If you need to get the URL of an action, use the `.reverse_action()` method. This is a convenience wrapper for `reverse()`, automatically passing the view's `request` object and prepending the `url_name` with the `.basename` attribute.
+
+Note that the `basename` is provided by the router during `ViewSet` registration. If you are not using a router, then you must provide the `basename` argument to the `.as_view()` method.
+
+Using the example from the previous section:
+
+```pycon
+>>> view.reverse_action("set-password", args=["1"])
+'http://localhost:8000/api/users/1/set_password'
+```
+
+Alternatively, you can use the `url_name` attribute set by the `@action` decorator.
+
+```pycon
+>>> view.reverse_action(view.set_password.url_name, args=['1'])
+'http://localhost:8000/api/users/1/set_password'
+```
+
+The `url_name` argument for `.reverse_action()` should match the same argument to the `@action` decorator. Additionally, this method can be used to reverse the default actions, such as `list` and `create`.
 
 ---
 
@@ -179,7 +257,7 @@ In order to use a `GenericViewSet` class you'll override the class and either mi
 
 The `ModelViewSet` class inherits from `GenericAPIView` and includes implementations for various actions, by mixing in the behavior of the various mixin classes.
 
-The actions provided by the `ModelViewSet` class are `.list()`, `.retrieve()`,  `.create()`, `.update()`, and `.destroy()`.
+The actions provided by the `ModelViewSet` class are `.list()`, `.retrieve()`, `.create()`, `.update()`, `.partial_update()`, and `.destroy()`.
 
 #### Example
 
@@ -206,7 +284,7 @@ Note that you can use any of the standard attributes or method overrides provide
         def get_queryset(self):
             return self.request.user.accounts.all()
 
-Note however that upon removal of the `queryset` property from your `ViewSet`, any associated [router][routers] will be unable to derive the base_name of your Model automatically, and so you will have to specify the `base_name` kwarg as part of your [router registration][routers].
+Note however that upon removal of the `queryset` property from your `ViewSet`, any associated [router][routers] will be unable to derive the basename of your Model automatically, and so you will have to specify the `basename` kwarg as part of your [router registration][routers].
 
 Also note that although this class provides the complete set of create/list/retrieve/update/destroy actions by default, you can restrict the available operations by using the standard permission classes.
 
@@ -235,6 +313,8 @@ You may need to provide custom `ViewSet` classes that do not have the full set o
 
 To create a base viewset class that provides `create`, `list` and `retrieve` operations, inherit from `GenericViewSet`, and mixin the required actions:
 
+    from rest_framework import mixins, viewsets
+
     class CreateListRetrieveViewSet(mixins.CreateModelMixin,
                                     mixins.ListModelMixin,
                                     mixins.RetrieveModelMixin,
@@ -249,5 +329,5 @@ To create a base viewset class that provides `create`, `list` and `retrieve` ope
 
 By creating your own base `ViewSet` classes, you can provide common behavior that can be reused in multiple viewsets across your API.
 
-[cite]: http://guides.rubyonrails.org/routing.html
+[cite]: https://guides.rubyonrails.org/action_controller_overview.html
 [routers]: routers.md

docs/community/3.0-announcement.md

@@ -24,7 +24,7 @@ Notable features of this new release include:
 * Support for overriding how validation errors are handled by your API.
 * A metadata API that allows you to customize how `OPTIONS` requests are handled by your API.
 * A more compact JSON output with unicode style encoding turned on by default.
-* Templated based HTML form rendering for serializers. This will be finalized as  public API in the upcoming 3.1 release.
+* Templated based HTML form rendering for serializers. This will be finalized as public API in the upcoming 3.1 release.
 
 Significant new functionality continues to be planned for the 3.1 and 3.2 releases. These releases will correspond to the two [Kickstarter stretch goals](https://www.kickstarter.com/projects/tomchristie/django-rest-framework-3) - "Feature improvements" and "Admin interface". Further 3.x releases will present simple upgrades, without the same level of fundamental API changes necessary for the 3.0 release.
 
@@ -32,7 +32,7 @@ Significant new functionality continues to be planned for the 3.1 and 3.2 releas
 
 #### REST framework: Under the hood.
 
-This talk from the [Django: Under the Hood](http://www.djangounderthehood.com/) event in Amsterdam, Nov 2014, gives some good background context on the design decisions behind 3.0.
+This talk from the [Django: Under the Hood](https://www.djangounderthehood.com/) event in Amsterdam, Nov 2014, gives some good background context on the design decisions behind 3.0.
 
 <iframe style="display: block; margin: 0 auto 0 auto" width="560" height="315" src="//www.youtube.com/embed/3cSsbe-tA0E" frameborder="0" allowfullscreen></iframe>
 
@@ -119,7 +119,7 @@ This would now be split out into two separate methods.
         instance.save()
         return instance
 
-	def create(self, validated_data):
+    def create(self, validated_data):
         return Snippet.objects.create(**validated_data)
 
 Note that these methods should return the newly created object instance.
@@ -258,13 +258,13 @@ If you try to use a writable nested serializer without writing a custom `create(
     >>> class ProfileSerializer(serializers.ModelSerializer):
     >>>     class Meta:
     >>>         model = Profile
-    >>>         fields = ('address', 'phone')
+    >>>         fields = ['address', 'phone']
     >>>
     >>> class UserSerializer(serializers.ModelSerializer):
     >>>     profile = ProfileSerializer()
     >>>     class Meta:
     >>>         model = User
-    >>>         fields = ('username', 'email', 'profile')
+    >>>         fields = ['username', 'email', 'profile']
     >>>
     >>> data = {
     >>>     'username': 'lizzy',
@@ -283,7 +283,7 @@ To use writable nested serialization you'll want to declare a nested field on th
 
         class Meta:
             model = User
-            fields = ('username', 'email', 'profile')
+            fields = ['username', 'email', 'profile']
 
         def create(self, validated_data):
             profile_data = validated_data.pop('profile')
@@ -327,9 +327,9 @@ The `write_only_fields` option on `ModelSerializer` has been moved to `PendingDe
     class MySerializer(serializer.ModelSerializer):
         class Meta:
             model = MyModel
-            fields = ('id', 'email', 'notes', 'is_admin')
+            fields = ['id', 'email', 'notes', 'is_admin']
             extra_kwargs = {
-            	    'is_admin': {'write_only': True}
+                    'is_admin': {'write_only': True}
             }
 
 Alternatively, specify the field explicitly on the serializer class:
@@ -339,7 +339,7 @@ Alternatively, specify the field explicitly on the serializer class:
 
         class Meta:
             model = MyModel
-            fields = ('id', 'email', 'notes', 'is_admin')
+            fields = ['id', 'email', 'notes', 'is_admin']
 
 The `read_only_fields` option remains as a convenient shortcut for the more common case.
 
@@ -350,7 +350,7 @@ The `view_name` and `lookup_field` options have been moved to `PendingDeprecatio
     class MySerializer(serializer.HyperlinkedModelSerializer):
         class Meta:
             model = MyModel
-            fields = ('url', 'email', 'notes', 'is_admin')
+            fields = ['url', 'email', 'notes', 'is_admin']
             extra_kwargs = {
                 'url': {'lookup_field': 'uuid'}
             }
@@ -365,7 +365,7 @@ Alternatively, specify the field explicitly on the serializer class:
 
         class Meta:
             model = MyModel
-            fields = ('url', 'email', 'notes', 'is_admin')
+            fields = ['url', 'email', 'notes', 'is_admin']
 
 #### Fields for model methods and properties.
 
@@ -384,12 +384,12 @@ You can include `expiry_date` as a field option on a `ModelSerializer` class.
     class InvitationSerializer(serializers.ModelSerializer):
         class Meta:
             model = Invitation
-            fields = ('to_email', 'message', 'expiry_date')
+            fields = ['to_email', 'message', 'expiry_date']
 
 These fields will be mapped to `serializers.ReadOnlyField()` instances.
 
     >>> serializer = InvitationSerializer()
-    >>> print repr(serializer)
+    >>> print(repr(serializer))
     InvitationSerializer():
         to_email = EmailField(max_length=75)
         message = CharField(max_length=1000)
@@ -426,7 +426,7 @@ There are four methods that can be overridden, depending on what functionality y
 * `.to_internal_value()` - Override this to support deserialization, for write operations.
 * `.create()` and `.update()` - Override either or both of these to support saving instances.
 
-Because this class provides the same interface as the `Serializer` class, you can use it with the existing generic class based views exactly as you would for a regular `Serializer` or `ModelSerializer`.
+Because this class provides the same interface as the `Serializer` class, you can use it with the existing generic class-based views exactly as you would for a regular `Serializer` or `ModelSerializer`.
 
 The only difference you'll notice when doing so is the `BaseSerializer` classes will not generate HTML forms in the browsable API. This is because the data they return does not include all the field information that would allow each field to be rendered into a suitable HTML input.
 
@@ -454,7 +454,7 @@ We can now use this class to serialize single `HighScore` instances:
     def high_score(request, pk):
         instance = HighScore.objects.get(pk=pk)
         serializer = HighScoreSerializer(instance)
-	    return Response(serializer.data)
+        return Response(serializer.data)
 
 Or use it to serialize multiple instances:
 
@@ -462,7 +462,7 @@ Or use it to serialize multiple instances:
     def all_high_scores(request):
         queryset = HighScore.objects.order_by('-score')
         serializer = HighScoreSerializer(queryset, many=True)
-	    return Response(serializer.data)
+        return Response(serializer.data)
 
 ##### Read-write `BaseSerializer` classes.
 
@@ -493,8 +493,8 @@ Here's a complete example of our previous `HighScoreSerializer`, that's been upd
                     'player_name': 'May not be more than 10 characters.'
                 })
 
-			# Return the validated values. This will be available as
-			# the `.validated_data` property.
+            # Return the validated values. This will be available as
+            # the `.validated_data` property.
             return {
                 'score': int(score),
                 'player_name': player_name
@@ -523,7 +523,7 @@ The following class is an example of a generic serializer that can handle coerci
         def to_representation(self, obj):
             for attribute_name in dir(obj):
                 attribute = getattr(obj, attribute_name)
-                if attribute_name('_'):
+                if attribute_name.startswith('_'):
                     # Ignore private attributes.
                     pass
                 elif hasattr(attribute, '__call__'):
@@ -632,7 +632,7 @@ The `MultipleChoiceField` class has been added. This field acts like `ChoiceFiel
 
 The `from_native(self, value)` and `to_native(self, data)` method names have been replaced with the more obviously named `to_internal_value(self, data)` and `to_representation(self, value)`.
 
-The `field_from_native()` and `field_to_native()` methods are removed. Previously you could use these methods if you wanted to customise the behaviour in a way that did not simply lookup the field value from the object. For example...
+The `field_from_native()` and `field_to_native()` methods are removed. Previously you could use these methods if you wanted to customise the behavior in a way that did not simply lookup the field value from the object. For example...
 
     def field_to_native(self, obj, field_name):
         """A custom read-only field that returns the class name."""
@@ -738,7 +738,7 @@ The `UniqueTogetherValidator` should be applied to a serializer, and takes a `qu
         class Meta:
             validators = [UniqueTogetherValidator(
                 queryset=RaceResult.objects.all(),
-                fields=('category', 'position')
+                fields=['category', 'position']
             )]
 
 #### The `UniqueForDateValidator` classes.
@@ -801,7 +801,7 @@ This change means that you can now easily customize the style of error responses
 
 ## The metadata API
 
-Behavior for dealing with `OPTIONS` requests was previously built directly into the class based views. This has now been properly separated out into a Metadata API that allows the same pluggable style as other API policies in REST framework.
+Behavior for dealing with `OPTIONS` requests was previously built directly into the class-based views. This has now been properly separated out into a Metadata API that allows the same pluggable style as other API policies in REST framework.
 
 This makes it far easier to use a different style for `OPTIONS` responses throughout your API, and makes it possible to create third-party metadata policies.
 
@@ -870,7 +870,7 @@ The `COMPACT_JSON` setting has been added, and can be used to revert this behavi
 
 #### File fields as URLs
 
-The `FileField` and `ImageField` classes are now represented as URLs by default. You should ensure you set Django's [standard `MEDIA_URL` setting](https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-MEDIA_URL) appropriately, and ensure your application [serves the uploaded files](https://docs.djangoproject.com/en/dev/howto/static-files/#serving-uploaded-files-in-development).
+The `FileField` and `ImageField` classes are now represented as URLs by default. You should ensure you set Django's [standard `MEDIA_URL` setting](https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-MEDIA_URL) appropriately, and ensure your application [serves the uploaded files](https://docs.djangoproject.com/en/stable/howto/static-files/#serving-uploaded-files-in-development).
 
 You can revert this behavior, and display filenames in the representation by using the `UPLOADED_FILES_USE_URL` settings key:
 
@@ -894,11 +894,11 @@ If the request is omitted from the context, the returned URLs will be of the for
 
 The custom `X-Throttle-Wait-Second` header has now been dropped in favor of the standard `Retry-After` header. You can revert this behavior if needed by writing a custom exception handler for your application.
 
-#### Date and time objects as ISO-8859-1 strings in serializer data.
+#### Date and time objects as ISO-8601 strings in serializer data.
 
 Date and Time objects are now coerced to strings by default in the serializer output. Previously they were returned as `Date`, `Time` and `DateTime` objects, and later coerced to strings by the renderer.
 
-You can modify this behavior globally by settings the existing `DATE_FORMAT`, `DATETIME_FORMAT` and `TIME_FORMAT` settings keys. Setting these values to `None` instead of their default value of `'iso-8859-1'` will result in native objects being returned in serializer data.
+You can modify this behavior globally by settings the existing `DATE_FORMAT`, `DATETIME_FORMAT` and `TIME_FORMAT` settings keys. Setting these values to `None` instead of their default value of `'iso-8601'` will result in native objects being returned in serializer data.
 
     REST_FRAMEWORK = {
         # Return native `Date` and `Time` objects in `serializer.data`
@@ -940,7 +940,7 @@ The default JSON renderer will return float objects for un-coerced `Decimal` ins
 * The serializer `ChoiceField` does not currently display nested choices, as was the case in 2.4. This will be address as part of 3.1.
 * Due to the new templated form rendering, the 'widget' option is no longer valid. This means there's no easy way of using third party "autocomplete" widgets for rendering select inputs that contain a large number of choices. You'll either need to use a regular select or a plain text input. We may consider addressing this in 3.1 or 3.2 if there's sufficient demand.
 * Some of the default validation error messages were rewritten and might no longer be pre-translated. You can still [create language files with Django][django-localization] if you wish to localize them.
-* `APIException` subclasses could previously take could previously take any arbitrary type in the `detail` argument. These exceptions now use translatable text strings, and as a result call `force_text` on the `detail` argument, which *must be a string*. If you need complex arguments to an `APIException` class, you should subclass it and override the `__init__()` method. Typically you'll instead want to use a custom exception handler to provide for non-standard error responses.
+* `APIException` subclasses could previously take any arbitrary type in the `detail` argument. These exceptions now use translatable text strings, and as a result call `force_text` on the `detail` argument, which *must be a string*. If you need complex arguments to an `APIException` class, you should subclass it and override the `__init__()` method. Typically you'll instead want to use a custom exception handler to provide for non-standard error responses.
 
 ---
 
@@ -957,9 +957,9 @@ The 3.1 release is planned to address improvements in the following components:
 
 The 3.2 release is planned to introduce an alternative admin-style interface to the browsable API.
 
-You can follow development on the GitHub site, where we use [milestones to indicate planning timescales](https://github.com/tomchristie/django-rest-framework/milestones).
+You can follow development on the GitHub site, where we use [milestones to indicate planning timescales](https://github.com/encode/django-rest-framework/milestones).
 
-[kickstarter]: http://kickstarter.com/projects/tomchristie/django-rest-framework-3
-[sponsors]: http://www.django-rest-framework.org/topics/kickstarter-announcement/#sponsors
-[mixins.py]: https://github.com/tomchristie/django-rest-framework/blob/master/rest_framework/mixins.py
-[django-localization]: https://docs.djangoproject.com/en/dev/topics/i18n/translation/#localization-how-to-create-language-files
+[kickstarter]: https://www.kickstarter.com/projects/tomchristie/django-rest-framework-3
+[sponsors]: https://www.django-rest-framework.org/community/kickstarter-announcement/#sponsors
+[mixins.py]: https://github.com/encode/django-rest-framework/blob/master/rest_framework/mixins.py
+[django-localization]: https://docs.djangoproject.com/en/stable/topics/i18n/translation/#localization-how-to-create-language-files

docs/community/3.1-announcement.md

@@ -30,7 +30,7 @@ Note that as a result of this work a number of settings keys and generic view at
 
 Until now, there has only been a single built-in pagination style in REST framework. We now have page, limit/offset and cursor based schemes included by default.
 
-The cursor based pagination scheme is particularly smart, and is a better approach for clients iterating through large or frequently changing result sets. The scheme supports paging against non-unique indexes, by using both cursor and limit/offset information. It also allows for both forward and reverse cursor pagination. Much credit goes to David Cramer for [this blog post](http://cramer.io/2011/03/08/building-cursors-for-the-disqus-api/) on the subject.
+The cursor based pagination scheme is particularly smart, and is a better approach for clients iterating through large or frequently changing result sets. The scheme supports paging against non-unique indexes, by using both cursor and limit/offset information. It also allows for both forward and reverse cursor pagination. Much credit goes to David Cramer for [this blog post](https://cra.mr/2011/03/08/building-cursors-for-the-disqus-api) on the subject.
 
 #### Pagination controls in the browsable API.
 
@@ -61,7 +61,7 @@ For example, when using `NamespaceVersioning`, and the following hyperlinked ser
     class AccountsSerializer(serializer.HyperlinkedModelSerializer):
         class Meta:
             model = Accounts
-            fields = ('account_name', 'users')
+            fields = ['account_name', 'users']
 
 The output representation would match the version used on the incoming request. Like so:
 
@@ -110,11 +110,11 @@ When per-request internationalization is enabled, client requests will respect t
         "detail": "No se ha podido satisfacer la solicitud de cabecera de Accept."
     }
 
-Note that the structure of the error responses is still the same. We still have a `details` key in the response. If needed you can modify this behavior too, by using a [custom exception handler][custom-exception-handler].
+Note that the structure of the error responses is still the same. We still have a `detail` key in the response. If needed you can modify this behavior too, by using a [custom exception handler][custom-exception-handler].
 
 We include built-in translations both for standard exception cases, and for serializer validation errors.
 
-The full list of supported languages can be found on our [Transifex project page](https://www.transifex.com/projects/p/django-rest-framework/).
+The full list of supported languages can be found on our [Transifex project page](https://www.transifex.com/django-rest-framework-1/django-rest-framework/).
 
 If you only wish to support a subset of the supported languages, use Django's standard `LANGUAGES` setting:
 
@@ -123,7 +123,7 @@ If you only wish to support a subset of the supported languages, use Django's st
         ('en', _('English')),
     ]
 
-For more details, see the [internationalization documentation](internationalization.md).
+For more details, see the [internationalization documentation][internationalization].
 
 Many thanks to [Craig Blaszczyk](https://github.com/jakul) for helping push this through.
 
@@ -153,16 +153,16 @@ For more information, see the documentation on [customizing field mappings][cust
 
 We've now moved a number of packages out of the core of REST framework, and into separately installable packages. If you're currently using these you don't need to worry, you simply need to `pip install` the new packages, and change any import paths.
 
-We're making this change in order to help distribute the maintainance workload, and keep better focus of the core essentials of the framework.
+We're making this change in order to help distribute the maintenance workload, and keep better focus of the core essentials of the framework.
 
-The change also means we can be more flexible with which external packages we recommend. For example, the excellently maintained [Django OAuth toolkit](https://github.com/evonove/django-oauth-toolkit) has now been promoted as our recommended option for integrating OAuth support.
+The change also means we can be more flexible with which external packages we recommend. For example, the excellently maintained [Django OAuth toolkit](https://github.com/jazzband/django-oauth-toolkit) has now been promoted as our recommended option for integrating OAuth support.
 
 The following packages are now moved out of core and should be separately installed:
 
-* OAuth - [djangorestframework-oauth](http://jpadilla.github.io/django-rest-framework-oauth/)
-* XML - [djangorestframework-xml](http://jpadilla.github.io/django-rest-framework-xml)
-* YAML - [djangorestframework-yaml](http://jpadilla.github.io/django-rest-framework-yaml)
-* JSONP - [djangorestframework-jsonp](http://jpadilla.github.io/django-rest-framework-jsonp)
+* OAuth - [djangorestframework-oauth](https://jpadilla.github.io/django-rest-framework-oauth/)
+* XML - [djangorestframework-xml](https://jpadilla.github.io/django-rest-framework-xml/)
+* YAML - [djangorestframework-yaml](https://jpadilla.github.io/django-rest-framework-yaml/)
+* JSONP - [djangorestframework-jsonp](https://jpadilla.github.io/django-rest-framework-jsonp/)
 
 It's worth reiterating that this change in policy shouldn't mean any work in your codebase other than adding a new requirement and modifying some import paths. For example to install XML rendering, you would now do:
 
@@ -205,5 +205,5 @@ This will either be made as a single 3.2 release, or split across two separate r
 [custom-exception-handler]: ../api-guide/exceptions.md#custom-exception-handling
 [pagination]: ../api-guide/pagination.md
 [versioning]: ../api-guide/versioning.md
-[internationalization]: internationalization.md
+[internationalization]: ../topics/internationalization.md
 [customizing-field-mappings]: ../api-guide/serializers.md#customizing-field-mappings

docs/community/3.10-announcement.md

@@ -0,0 +1,148 @@
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+</style>
+
+# Django REST framework 3.10
+
+The 3.10 release drops support for Python 2.
+
+* Our supported Python versions are now: 3.5, 3.6, and 3.7.
+* Our supported Django versions are now: 1.11, 2.0, 2.1, and 2.2.
+
+## OpenAPI Schema Generation
+
+Since we first introduced schema support in Django REST Framework 3.5, OpenAPI has emerged as the widely adopted standard for modeling Web APIs.
+
+This release begins the deprecation process for the CoreAPI based schema generation, and introduces OpenAPI schema generation in its place.
+
+---
+
+## Continuing to use CoreAPI
+
+If you're currently using the CoreAPI schemas, you'll need to make sure to
+update your REST framework settings to include `DEFAULT_SCHEMA_CLASS` explicitly.
+
+**settings.py**:
+
+```python
+REST_FRAMEWORK = {
+    ...: ...,
+    "DEFAULT_SCHEMA_CLASS": "rest_framework.schemas.coreapi.AutoSchema",
+}
+```
+
+You'll still be able to keep using CoreAPI schemas, API docs, and client for the
+foreseeable future. We'll aim to ensure that the CoreAPI schema generator remains
+available as a third party package, even once it has eventually been removed
+from REST framework, scheduled for version 3.12.
+
+We have removed the old documentation for the CoreAPI based schema generation.
+You may view the [Legacy CoreAPI documentation here][legacy-core-api-docs].
+
+----
+
+## OpenAPI Quickstart
+
+You can generate a static OpenAPI schema, using the `generateschema` management
+command.
+
+Alternately, to have the project serve an API schema, use the `get_schema_view()`
+shortcut.
+
+In your `urls.py`:
+
+```python
+from rest_framework.schemas import get_schema_view
+
+urlpatterns = [
+    # ...
+    # Use the `get_schema_view()` helper to add a `SchemaView` to project URLs.
+    #   * `title` and `description` parameters are passed to `SchemaGenerator`.
+    #   * Provide view name for use with `reverse()`.
+    path(
+        "openapi",
+        get_schema_view(title="Your Project", description="API for all things …"),
+        name="openapi-schema",
+    ),
+    # ...
+]
+```
+
+### Customization
+
+For customizations that you want to apply across the entire API, you can subclass `rest_framework.schemas.openapi.SchemaGenerator` and provide it as an argument
+to the `generateschema` command or `get_schema_view()` helper function.
+
+For specific per-view customizations, you can subclass `AutoSchema`,
+making sure to set `schema = <YourCustomClass>` on the view.
+
+For more details, see the [API Schema documentation](../api-guide/schemas.md).
+
+### API Documentation
+
+There are some great third party options for documenting your API, based on the
+OpenAPI schema.
+
+See the [Documenting you API](../topics/documenting-your-api.md) section for more details.
+
+---
+
+## Feature Roadmap
+
+Given that our OpenAPI schema generation is a new feature, it's likely that there
+will still be some iterative improvements for us to make. There will be two
+main cases here:
+
+* Expanding the supported range of OpenAPI schemas that are generated by default.
+* Improving the ability for developers to customize the output.
+
+We'll aim to bring the first type of change quickly in point releases. For the
+second kind we'd like to adopt a slower approach, to make sure we keep the API
+simple, and as widely applicable as possible, before we bring in API changes.
+
+It's also possible that we'll end up implementing API documentation and API client
+tooling that are driven by the OpenAPI schema. The `apistar` project has a
+significant amount of work towards this. However, if we do so, we'll plan
+on keeping any tooling outside of the core framework.
+
+---
+
+## Funding
+
+REST framework is a *collaboratively funded project*. If you use
+REST framework commercially we strongly encourage you to invest in its
+continued development by **[signing up for a paid plan][funding]**.
+
+*Every single sign-up helps us make REST framework long-term financially sustainable.*
+
+<ul class="premium-promo promo">
+    <li><a href="https://getsentry.com/welcome/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/sentry130.png)">Sentry</a></li>
+    <li><a href="https://getstream.io/try-the-api/?utm_source=drf&utm_medium=banner&utm_campaign=drf" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/stream-130.png)">Stream</a></li>
+    <li><a href="https://software.esg-usa.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/esg-new-logo.png)">ESG</a></li>
+    <li><a href="https://rollbar.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/rollbar2.png)">Rollbar</a></li>
+    <li><a href="https://cadre.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/cadre.png)">Cadre</a></li>
+    <li><a href="https://hubs.ly/H0f30Lf0" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/kloudless-plus-text.png)">Kloudless</a></li>
+    <li><a href="https://lightsonsoftware.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/lightson-dark.png)">Lights On Software</a></li>
+</ul>
+<div style="clear: both; padding-bottom: 20px;"></div>
+
+*Many thanks to all our [wonderful sponsors][sponsors], and in particular to our premium backers, [Sentry](https://getsentry.com/welcome/), [Stream](https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf), [ESG](https://software.esg-usa.com/), [Rollbar](https://rollbar.com/?utm_source=django&utm_medium=sponsorship&utm_campaign=freetrial), [Cadre](https://cadre.com), [Kloudless](https://hubs.ly/H0f30Lf0), and [Lights On Software](https://lightsonsoftware.com).*
+
+[legacy-core-api-docs]:https://github.com/encode/django-rest-framework/blob/3.14.0/docs/coreapi/index.md
+[sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
+[funding]: funding.md

docs/community/3.11-announcement.md

@@ -0,0 +1,118 @@
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+</style>
+
+# Django REST framework 3.11
+
+The 3.11 release adds support for Django 3.0.
+
+* Our supported Python versions are now: 3.5, 3.6, 3.7, and 3.8.
+* Our supported Django versions are now: 1.11, 2.0, 2.1, 2.2, and 3.0.
+
+This release will be the last to support Python 3.5 or Django 1.11.
+
+## OpenAPI Schema Generation Improvements
+
+The OpenAPI schema generation continues to mature. Some highlights in 3.11
+include:
+
+* Automatic mapping of Django REST Framework renderers and parsers into OpenAPI
+  request and response media-types.
+* Improved mapping JSON schema mapping types, for example in HStoreFields, and
+  with large integer values.
+* Porting of the old CoreAPI parsing of docstrings to form OpenAPI operation
+  descriptions.
+
+In this example view operation descriptions for the `get` and `post` methods will
+be extracted from the class docstring:
+
+```python
+class DocStringExampleListView(APIView):
+    """
+    get: A description of my GET operation.
+    post: A description of my POST operation.
+    """
+
+    permission_classes = [permissions.IsAuthenticatedOrReadOnly]
+
+    def get(self, request, *args, **kwargs):
+        ...
+
+    def post(self, request, *args, **kwargs):
+        ...
+```
+
+## Validator / Default Context
+
+In some circumstances a Validator class or a Default class may need to access the serializer field with which it is called, or the `.context` with which the serializer was instantiated. In particular:
+
+* Uniqueness validators need to be able to determine the name of the field to which they are applied, in order to run an appropriate database query.
+* The `CurrentUserDefault` needs to be able to determine the context with which the serializer was instantiated, in order to return the current user instance.
+
+Our previous approach to this was that implementations could include a `set_context` method, which would be called prior to validation. However this approach had issues with potential race conditions. We have now move this approach into a pending deprecation state. It will continue to function, but will be escalated to a deprecated state in 3.12, and removed entirely in 3.13.
+
+Instead, validators or defaults which require the serializer context, should include a `requires_context = True` attribute on the class.
+
+The `__call__` method should then include an additional `serializer_field` argument.
+
+Validator implementations will look like this:
+
+```python
+class CustomValidator:
+    requires_context = True
+
+    def __call__(self, value, serializer_field):
+        ...
+```
+
+Default implementations will look like this:
+
+```python
+class CustomDefault:
+    requires_context = True
+
+    def __call__(self, serializer_field):
+        ...
+```
+
+---
+
+## Funding
+
+REST framework is a *collaboratively funded project*. If you use
+REST framework commercially we strongly encourage you to invest in its
+continued development by **[signing up for a paid plan][funding]**.
+
+*Every single sign-up helps us make REST framework long-term financially sustainable.*
+
+<ul class="premium-promo promo">
+    <li><a href="https://getsentry.com/welcome/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/sentry130.png)">Sentry</a></li>
+    <li><a href="https://getstream.io/try-the-api/?utm_source=drf&utm_medium=banner&utm_campaign=drf" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/stream-130.png)">Stream</a></li>
+    <li><a href="https://software.esg-usa.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/esg-new-logo.png)">ESG</a></li>
+    <li><a href="https://rollbar.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/rollbar2.png)">Rollbar</a></li>
+    <li><a href="https://cadre.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/cadre.png)">Cadre</a></li>
+    <li><a href="https://hubs.ly/H0f30Lf0" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/kloudless-plus-text.png)">Kloudless</a></li>
+    <li><a href="https://lightsonsoftware.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/lightson-dark.png)">Lights On Software</a></li>
+    <li><a href="https://retool.com/?utm_source=djangorest&utm_medium=sponsorship" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/retool-sidebar.png)">Retool</a></li>
+</ul>
+<div style="clear: both; padding-bottom: 20px;"></div>
+
+*Many thanks to all our [wonderful sponsors][sponsors], and in particular to our premium backers, [Sentry](https://getsentry.com/welcome/), [Stream](https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf), [ESG](https://software.esg-usa.com/), [Rollbar](https://rollbar.com/?utm_source=django&utm_medium=sponsorship&utm_campaign=freetrial), [Cadre](https://cadre.com), [Kloudless](https://hubs.ly/H0f30Lf0), [Lights On Software](https://lightsonsoftware.com), and [Retool](https://retool.com/?utm_source=djangorest&utm_medium=sponsorship).*
+
+[sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
+[funding]: funding.md

docs/community/3.12-announcement.md

@@ -0,0 +1,181 @@
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+</style>
+
+# Django REST framework 3.12
+
+REST framework 3.12 brings a handful of refinements to the OpenAPI schema
+generation, plus support for Django's new database-agnostic `JSONField`,
+and some improvements to the `SearchFilter` class.
+
+## Grouping operations with tags.
+
+Open API schemas will now automatically include tags, based on the first element
+in the URL path.
+
+For example...
+
+Method                          | Path            | Tags
+--------------------------------|-----------------|-------------
+`GET`, `PUT`, `PATCH`, `DELETE` | `/users/{id}/`  | `['users']`
+`GET`, `POST`                   | `/users/`       | `['users']`
+`GET`, `PUT`, `PATCH`, `DELETE` | `/orders/{id}/` | `['orders']`
+`GET`, `POST`                   | `/orders/`      | `['orders']`
+
+The tags used for a particular view may also be overridden...
+
+```python
+class MyOrders(APIView):
+    schema = AutoSchema(tags=["users", "orders"])
+    ...
+```
+
+See [the schema documentation](https://www.django-rest-framework.org/api-guide/schemas/#grouping-operations-with-tags) for more information.
+
+## Customizing the operation ID.
+
+REST framework automatically determines operation IDs to use in OpenAPI
+schemas. The latest version provides more control for overriding the behaviour
+used to generate the operation IDs.
+
+See [the schema documentation](https://www.django-rest-framework.org/api-guide/schemas/#operationid) for more information.
+
+## Support for OpenAPI components.
+
+In order to output more graceful OpenAPI schemes, REST framework 3.12 now
+defines components in the schema, and then references them inside request
+and response objects. This is in contrast with the previous approach, which
+fully expanded the request and response bodies for each operation.
+
+The names used for a component default to using the serializer class name, [but
+may be overridden if needed](https://www.django-rest-framework.org/api-guide/schemas/#components
+)...
+
+```python
+class MyOrders(APIView):
+    schema = AutoSchema(component_name="OrderDetails")
+```
+
+## More Public API
+
+Many methods on the `AutoSchema` class have now been promoted to public API,
+allowing you to more fully customize the schema generation. The following methods
+are now available for overriding...
+
+* `get_path_parameters`
+* `get_pagination_parameters`
+* `get_filter_parameters`
+* `get_request_body`
+* `get_responses`
+* `get_serializer`
+* `get_paginator`
+* `map_serializer`
+* `map_field`
+* `map_choice_field`
+* `map_field_validators`
+* `allows_filters`.
+
+See [the schema docs](https://www.django-rest-framework.org/api-guide/schemas/#per-view-customization)
+for details on using custom `AutoSchema` subclasses.
+
+## Support for JSONField.
+
+Django 3.1 deprecated the existing `django.contrib.postgres.fields.JSONField`
+in favour of a new database-agnositic `JSONField`.
+
+REST framework 3.12 now supports this new model field, and `ModelSerializer`
+classes will correctly map the model field.
+
+## SearchFilter improvements
+
+There are a couple of significant improvements to the `SearchFilter` class.
+
+### Nested searches against JSONField and HStoreField
+
+The class now supports nested search within `JSONField` and `HStoreField`, using
+the double underscore notation for traversing which element of the field the
+search should apply to.
+
+```python
+class SitesSearchView(generics.ListAPIView):
+    """
+    An API view to return a list of archaeological sites, optionally filtered
+    by a search against the site name or location. (Location searches are
+    matched against the region and country names.)
+    """
+
+    queryset = Sites.objects.all()
+    serializer_class = SitesSerializer
+    filter_backends = [filters.SearchFilter]
+    search_fields = ["site_name", "location__region", "location__country"]
+```
+
+### Searches against annotate fields
+
+Django allows querysets to create additional virtual fields, using the `.annotate`
+method. We now support searching against annotate fields.
+
+```python
+class PublisherSearchView(generics.ListAPIView):
+    """
+    Search for publishers, optionally filtering the search against the average
+    rating of all their books.
+    """
+
+    queryset = Publisher.objects.annotate(avg_rating=Avg("book__rating"))
+    serializer_class = PublisherSerializer
+    filter_backends = [filters.SearchFilter]
+    search_fields = ["avg_rating"]
+```
+
+---
+
+## Deprecations
+
+### `serializers.NullBooleanField`
+
+`serializers.NullBooleanField` is now pending deprecation, and will be removed in 3.14.
+
+Instead use `serializers.BooleanField` field and set `allow_null=True` which does the same thing.
+
+---
+
+## Funding
+
+REST framework is a *collaboratively funded project*. If you use
+REST framework commercially we strongly encourage you to invest in its
+continued development by **[signing up for a paid plan][funding]**.
+
+*Every single sign-up helps us make REST framework long-term financially sustainable.*
+
+<ul class="premium-promo promo">
+    <li><a href="https://getsentry.com/welcome/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/sentry130.png)">Sentry</a></li>
+    <li><a href="https://getstream.io/try-the-api/?utm_source=drf&utm_medium=banner&utm_campaign=drf" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/stream-130.png)">Stream</a></li>
+    <li><a href="https://software.esg-usa.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/esg-new-logo.png)">ESG</a></li>
+    <li><a href="https://rollbar.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/rollbar2.png)">Rollbar</a></li>
+    <li><a href="https://cadre.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/cadre.png)">Cadre</a></li>
+    <li><a href="https://hubs.ly/H0f30Lf0" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/kloudless-plus-text.png)">Kloudless</a></li>
+    <li><a href="https://lightsonsoftware.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/lightson-dark.png)">Lights On Software</a></li>
+    <li><a href="https://retool.com/?utm_source=djangorest&utm_medium=sponsorship" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/retool-sidebar.png)">Retool</a></li>
+</ul>
+<div style="clear: both; padding-bottom: 20px;"></div>
+
+*Many thanks to all our [wonderful sponsors][sponsors], and in particular to our premium backers, [Sentry](https://getsentry.com/welcome/), [Stream](https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf), [ESG](https://software.esg-usa.com/), [Rollbar](https://rollbar.com/?utm_source=django&utm_medium=sponsorship&utm_campaign=freetrial), [Cadre](https://cadre.com), [Kloudless](https://hubs.ly/H0f30Lf0), [Lights On Software](https://lightsonsoftware.com), and [Retool](https://retool.com/?utm_source=djangorest&utm_medium=sponsorship).*
+
+[sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
+[funding]: funding.md

docs/community/3.13-announcement.md

@@ -0,0 +1,55 @@
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+</style>
+
+# Django REST framework 3.13
+
+## Django 4.0 support
+
+The latest release now fully supports Django 4.0.
+
+Our requirements are now:
+
+* Python 3.6+
+* Django 4.0, 3.2, 3.1, 2.2 (LTS)
+
+## Fields arguments are now keyword-only
+
+When instantiating fields on serializers, you should always use keyword arguments,
+such as `serializers.CharField(max_length=200)`. This has always been the case,
+and all the examples that we have in the documentation use keyword arguments,
+rather than positional arguments.
+
+From REST framework 3.13 onwards, this is now *explicitly enforced*.
+
+The most feasible cases where users might be accidentally omitting the keyword arguments
+are likely in the composite fields, `ListField` and `DictField`. For instance...
+
+```python
+aliases = serializers.ListField(serializers.CharField())
+```
+
+They must now use the more explicit keyword argument style...
+
+```python
+aliases = serializers.ListField(child=serializers.CharField())
+```
+
+This change has been made because using positional arguments here *does not* result in the expected behaviour.
+
+See Pull Request [#7632](https://github.com/encode/django-rest-framework/pull/7632) for more details.

docs/community/3.14-announcement.md

@@ -0,0 +1,72 @@
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+</style>
+
+# Django REST framework 3.14
+
+## Django 4.1 support
+
+The latest release now fully supports Django 4.1, and drops support for Django 2.2.
+
+Our requirements are now:
+
+* Python 3.6+
+* Django 4.1, 4.0, 3.2, 3.1, 3.0
+
+## `raise_exception` argument for `is_valid` is now keyword-only.
+
+Calling `serializer_instance.is_valid(True)` is no longer acceptable syntax.
+If you'd like to use the `raise_exception` argument, you must use it as a
+keyword argument.
+
+See Pull Request [#7952](https://github.com/encode/django-rest-framework/pull/7952) for more details.
+
+## `ManyRelatedField` supports returning the default when the source attribute doesn't exist.
+
+Previously, if you used a serializer field with `many=True` with a dot notated source field
+that didn't exist, it would raise an `AttributeError`. Now it will return the default or be
+skipped depending on the other arguments.
+
+See Pull Request [#7574](https://github.com/encode/django-rest-framework/pull/7574) for more details.
+
+
+## Make Open API `get_reference` public.
+
+Returns a reference to the serializer component. This may be useful if you override `get_schema()`.
+
+## Change semantic of OR of two permission classes.
+
+When OR-ing two permissions, the request has to pass either class's `has_permission() and has_object_permission()`.
+
+Previously, both class's `has_permission()` was ignored when OR-ing two permissions together.
+
+See Pull Request [#7522](https://github.com/encode/django-rest-framework/pull/7522) for more details.
+
+## Minor fixes and improvements
+
+There are a number of minor fixes and improvements in this release. See the [release notes](release-notes.md) page for a complete listing.
+
+---
+
+## Deprecations
+
+### `serializers.NullBooleanField`
+
+`serializers.NullBooleanField` was moved to pending deprecation in 3.12, and deprecated in 3.13. It has now been removed from the core framework.
+
+Instead use `serializers.BooleanField` field and set `allow_null=True` which does the same thing.

docs/community/3.15-announcement.md

@@ -0,0 +1,50 @@
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+</style>
+
+# Django REST framework 3.15
+
+At the Internet, on March 15th, 2024, with 176 commits by 138 authors, we are happy to announce the release of Django REST framework 3.15.
+
+## Django 5.0 and Python 3.12 support
+
+The latest release now fully supports Django 5.0 and Python 3.12.
+
+The current minimum versions of Django still is 3.0 and Python 3.6.
+
+## Primary Support of UniqueConstraint
+
+`ModelSerializer` generates validators for [UniqueConstraint](https://docs.djangoproject.com/en/4.0/ref/models/constraints/#uniqueconstraint) (both UniqueValidator and UniqueTogetherValidator)
+
+## SimpleRouter non-regex matching support
+
+By default the URLs created by `SimpleRouter` use regular expressions. This behavior can be modified by setting the `use_regex_path` argument to `False` when instantiating the router.
+
+## ZoneInfo as the primary source of timezone data
+
+Dependency on pytz has been removed and deprecation warnings have been added, Django will provide ZoneInfo instances as long as USE_DEPRECATED_PYTZ is not enabled. More info on the migration can be found [in this guide](https://pytz-deprecation-shim.readthedocs.io/en/latest/migration.html).
+
+##  Align `SearchFilter` behaviour to `django.contrib.admin` search
+
+Searches now may contain _quoted phrases_ with spaces, each phrase is considered as a single search term, and it will raise a validation error if any null-character is provided in search. See the [Filtering API guide](../api-guide/filtering.md) for more information.
+
+## Other fixes and improvements
+
+There are a number of fixes and minor improvements in this release, ranging from documentation, internal infrastructure (typing, testing, requirements, deprecation, etc.), security and overall behaviour.
+
+See the [release notes](release-notes.md) page for a complete listing.

docs/community/3.16-announcement.md

@@ -0,0 +1,42 @@
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+</style>
+
+# Django REST framework 3.16
+
+At the Internet, on March 28th, 2025, we are happy to announce the release of Django REST framework 3.16.
+
+## Updated Django and Python support
+
+The latest release now fully supports Django 5.1 and the upcoming 5.2 LTS as well as Python 3.13.
+
+The current minimum versions of Django is now 4.2 and Python 3.9.
+
+## Django LoginRequiredMiddleware
+
+The new `LoginRequiredMiddleware` introduced by Django 5.1 can now be used alongside Django REST Framework, however it is not honored for API views as an equivalent behaviour can be configured via `DEFAULT_AUTHENTICATION_CLASSES`. See [our dedicated section](../api-guide/authentication.md#django-51-loginrequiredmiddleware) in the docs for more information.
+
+## Improved support for UniqueConstraint
+
+The generation of validators for [UniqueConstraint](https://docs.djangoproject.com/en/stable/ref/models/constraints/#uniqueconstraint) has been improved to support better nullable fields and constraints with conditions.
+
+## Other fixes and improvements
+
+There are a number of fixes and minor improvements in this release, ranging from documentation, internal infrastructure (typing, testing, requirements, deprecation, etc.), security and overall behaviour.
+
+See the [release notes](release-notes.md) page for a complete listing.

docs/community/3.2-announcement.md

@@ -0,0 +1,113 @@
+# Django REST framework 3.2
+
+The 3.2 release is the first version to include an admin interface for the browsable API.
+
+![The AdminRenderer](../img/admin.png)
+
+This interface is intended to act as a more user-friendly interface to the API. It can be used either as a replacement to the existing `BrowsableAPIRenderer`, or used together with it, allowing you to switch between the two styles as required.
+
+We've also fixed a huge number of issues, and made numerous cleanups and improvements.
+
+Over the course of the 3.1.x series we've [resolved nearly 600 tickets](https://github.com/encode/django-rest-framework/issues?utf8=%E2%9C%93&q=closed%3A%3E2015-03-05) on our GitHub issue tracker. This means we're currently running at a rate of **closing around 100 issues or pull requests per month**.
+
+None of this would have been possible without the support of our wonderful Kickstarter backers. If you're looking for a job in Django development we'd strongly recommend taking [a look through our sponsors](https://www.django-rest-framework.org/community/kickstarter-announcement/#sponsors) and finding out who's hiring.
+
+## AdminRenderer
+
+To include `AdminRenderer` simply add it to your settings:
+
+    REST_FRAMEWORK = {
+        'DEFAULT_RENDERER_CLASSES': [
+            'rest_framework.renderers.JSONRenderer',
+            'rest_framework.renderers.AdminRenderer',
+            'rest_framework.renderers.BrowsableAPIRenderer'
+        ],
+        'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',
+        'PAGE_SIZE': 100
+    }
+
+There are some limitations to the `AdminRenderer`, in particular it is not yet able to handle list or dictionary inputs, as we do not have any HTML form fields that support those.
+
+Also note that this is an initial release and we do not yet have a public API for modifying the behavior or documentation on overriding the templates.
+
+The idea is to get this released to users early, so we can start getting feedback and release a more fully featured version in 3.3.
+
+## Supported versions
+
+This release drops support for Django 1.4.
+
+Our supported Django versions are now 1.5.6+, 1.6.3+, 1.7 and 1.8.
+
+## Deprecations
+
+There are no new deprecations in 3.2, although a number of existing deprecations have now escalated in line with our deprecation policy.
+
+* `request.DATA` was put on the deprecation path in 3.0. It has now been removed and its usage will result in an error. Use the more pythonic style of `request.data` instead.
+* `request.QUERY_PARAMS` was put on the deprecation path in 3.0. It has now been removed and its usage will result in an error. Use the more pythonic style of `request.query_params` instead.
+* The following `ModelSerializer.Meta` options have now been removed: `write_only_fields`, `view_name`, `lookup_field`. Use the more general `extra_kwargs` option instead.
+
+The following pagination view attributes and settings have been moved into attributes on the pagination class since 3.1. Their usage was formerly in 'pending deprecation', and has now escalated to 'deprecated'. They will continue to function but will raise errors.
+
+* `view.paginate_by` - Use `paginator.page_size` instead.
+* `view.page_query_param` - Use `paginator.page_query_param` instead.
+* `view.paginate_by_param` - Use `paginator.page_size_query_param` instead.
+* `view.max_paginate_by` - Use `paginator.max_page_size` instead.
+* `settings.PAGINATE_BY` - Use `paginator.page_size` instead.
+* `settings.PAGINATE_BY_PARAM` - Use `paginator.page_size_query_param` instead.
+* `settings.MAX_PAGINATE_BY` - Use `paginator.max_page_size` instead.
+
+## Modifications to list behaviors
+
+There are a couple of bug fixes that are worth calling out as they introduce differing behavior.
+
+These are a little subtle and probably won't affect most users, but are worth understanding before upgrading your project.
+
+### ManyToMany fields and blank=True
+
+We've now added an `allow_empty` argument, which can be used with `ListSerializer`, or with `many=True` relationships. This is `True` by default, but can be set to `False` if you want to disallow empty lists as valid input.
+
+As a follow-up to this we are now able to properly mirror the behavior of Django's `ModelForm` with respect to how many-to-many fields are validated.
+
+Previously a many-to-many field on a model would map to a serializer field that would allow either empty or non-empty list inputs. Now, a many-to-many field will map to a serializer field that requires at least one input, unless the model field has `blank=True` set.
+
+Here's what the mapping looks like in practice:
+
+* `models.ManyToManyField()` → `serializers.PrimaryKeyRelatedField(many=True, allow_empty=False)`
+* `models.ManyToManyField(blank=True)` → `serializers.PrimaryKeyRelatedField(many=True)`
+
+The upshot is this: If you have many to many fields in your models, then make sure you've included the argument `blank=True` if you want to allow empty inputs in the equivalent `ModelSerializer` fields.
+
+### List fields and allow_null
+
+When using `allow_null` with `ListField` or a nested `many=True` serializer the previous behavior was to allow `null` values as items in the list. The behavior is now to allow `null` values instead of the list.
+
+For example, take the following field:
+
+    NestedSerializer(many=True, allow_null=True)
+
+Previously the validation behavior would be:
+
+* `[{…}, null, {…}]` is **valid**.
+* `null` is **invalid**.
+
+Our validation behavior as of 3.2.0 is now:
+
+* `[{…}, null, {…}]` is **invalid**.
+* `null` is **valid**.
+
+If you want to allow `null` child items, you'll need to instead specify `allow_null` on the child class, using an explicit `ListField` instead of `many=True`. For example:
+
+    ListField(child=NestedSerializer(allow_null=True))
+
+## What's next?
+
+The 3.3 release is currently planned for the start of October, and will be the last Kickstarter-funded release.
+
+This release is planned to include:
+
+* Search and filtering controls in the browsable API and admin interface.
+* Improvements and public API for the admin interface.
+* Improvements and public API for our templated HTML forms and fields.
+* Nested object and list support in HTML forms.
+
+Thanks once again to all our sponsors and supporters.

docs/community/3.3-announcement.md

@@ -0,0 +1,60 @@
+# Django REST framework 3.3
+
+The 3.3 release marks the final work in the Kickstarter funded series. We'd like to offer a final resounding **thank you** to all our wonderful sponsors and supporters.
+
+The amount of work that has been achieved as a direct result of the funding is immense. We've added a huge amounts of new functionality, resolved nearly 2,000 tickets, and redesigned & refined large parts of the project.
+
+In order to continue driving REST framework forward, we'll shortly be announcing a new set of funding plans. Follow [@_tomchristie](https://twitter.com/_tomchristie) to keep up to date with these announcements, and be among the first set of sign ups.
+
+We strongly believe that collaboratively funded software development yields outstanding results for a relatively low investment-per-head. If you or your company use REST framework commercially, then we would strongly urge you to participate in this latest funding drive, and help us continue to build an increasingly polished & professional product.
+
+---
+
+## Release notes
+
+Significant new functionality in the 3.3 release includes:
+
+* Filters presented as HTML controls in the browsable API.
+* A [forms API][forms-api], allowing serializers to be rendered as HTML forms.
+* Django 1.9 support.
+* A [`JSONField` serializer field][jsonfield], corresponding to Django 1.9's Postgres `JSONField` model field.
+* Browsable API support [via AJAX][ajax-form], rather than server side request overloading.
+
+![Filter Controls](../img/filter-controls.png)
+
+*Example of the new filter controls*
+
+---
+
+## Supported versions
+
+This release drops support for Django 1.5 and 1.6. Django 1.7, 1.8 or 1.9 are now required.
+
+This brings our supported versions into line with Django's [currently supported versions][django-supported-versions]
+
+## Deprecations
+
+The AJAX based support for the browsable API means that there are a number of internal cleanups in the `request` class. For the vast majority of developers this should largely remain transparent:
+
+* To support form based `PUT` and `DELETE`, or to support form content types such as JSON, you should now use the [AJAX forms][ajax-form] javascript library. This replaces the previous 'method and content type overloading' that required significant internal complexity to the request class.
+* The `accept` query parameter is no longer supported by the default content negotiation class. If you require it then you'll need to [use a custom content negotiation class][accept-headers].
+* The custom `HTTP_X_HTTP_METHOD_OVERRIDE` header is no longer supported by default. If you require it then you'll need to [use custom middleware][method-override].
+
+The following pagination view attributes and settings have been moved into attributes on the pagination class since 3.1. Their usage was formerly deprecated, and has now been removed entirely, in line with the deprecation policy.
+
+* `view.paginate_by` - Use `paginator.page_size` instead.
+* `view.page_query_param` - Use `paginator.page_query_param` instead.
+* `view.paginate_by_param` - Use `paginator.page_size_query_param` instead.
+* `view.max_paginate_by` - Use `paginator.max_page_size` instead.
+* `settings.PAGINATE_BY` - Use `paginator.page_size` instead.
+* `settings.PAGINATE_BY_PARAM` - Use `paginator.page_size_query_param` instead.
+* `settings.MAX_PAGINATE_BY` - Use `paginator.max_page_size` instead.
+
+The `ModelSerializer` and `HyperlinkedModelSerializer` classes should now include either a `fields` or `exclude` option, although the `fields = '__all__'` shortcut may be used. Failing to include either of these two options is currently pending deprecation, and will be removed entirely in the 3.5 release. This behavior brings `ModelSerializer` more closely in line with Django's `ModelForm` behavior.
+
+[forms-api]: ../topics/html-and-forms.md
+[ajax-form]: https://github.com/encode/ajax-form
+[jsonfield]: ../api-guide/fields#jsonfield
+[accept-headers]: ../topics/browser-enhancements.md#url-based-accept-headers
+[method-override]: ../topics/browser-enhancements.md#http-header-based-method-overriding
+[django-supported-versions]: https://www.djangoproject.com/download/#supported-versions

docs/community/3.4-announcement.md

@@ -0,0 +1,194 @@
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+</style>
+
+# Django REST framework 3.4
+
+The 3.4 release is the first in a planned series that will be addressing schema
+generation, hypermedia support, API clients, and finally realtime support.
+
+---
+
+## Funding
+
+The 3.4 release has been made possible a recent [Mozilla grant][moss], and by our
+[collaborative funding model][funding]. If you use REST framework commercially, and would
+like to see this work continue, we strongly encourage you to invest in its
+continued development by **[signing up for a paid plan][funding]**.
+
+The initial aim is to provide a single full-time position on REST framework.
+Right now we're over 60% of the way towards achieving that.
+*Every single sign-up makes a significant impact.*
+
+<ul class="premium-promo promo">
+    <li><a href="https://www.rover.com/careers/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/rover_130x130.png)">Rover.com</a></li>
+    <li><a href="https://sentry.io/welcome/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/sentry130.png)">Sentry</a></li>
+    <li><a href="https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/stream-130.png)">Stream</a></li>
+</ul>
+<div style="clear: both; padding-bottom: 20px;"></div>
+
+*Many thanks to all our [awesome sponsors][sponsors], and in particular to our premium backers, [Rover](https://www.rover.com/careers/), [Sentry](https://sentry.io/welcome/), and [Stream](https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf).*
+
+---
+
+## Schemas & client libraries
+
+REST framework 3.4 brings built-in support for generating API schemas.
+
+We provide this support by using [Core API][core-api], a Document Object Model
+for describing APIs.
+
+Because Core API represents the API schema in an format-independent
+manner, we're able to render the Core API `Document` object into many different
+schema formats, by allowing the renderer class to determine how the internal
+representation maps onto the external schema format.
+
+This approach should also open the door to a range of auto-generated API
+documentation options in the future, by rendering the `Document` object into
+HTML documentation pages.
+
+Alongside the built-in schema support, we're also now providing the following:
+
+* A [command line tool][command-line-client] for interacting with APIs.
+* A [Python client library][client-library] for interacting with APIs.
+
+These API clients are dynamically driven, and able to interact with any API
+that exposes a supported schema format.
+
+Dynamically driven clients allow you to interact with an API at an application
+layer interface, rather than a network layer interface, while still providing
+the benefits of RESTful Web API design.
+
+We're expecting to expand the range of languages that we provide client libraries
+for over the coming months.
+
+Further work on maturing the API schema support is also planned, including
+documentation on supporting file upload and download, and improved support for
+documentation generation and parameter annotation.
+
+---
+
+Current support for schema formats is as follows:
+
+Name                             | Support                             | PyPI package
+---------------------------------|-------------------------------------|--------------------------------
+[Core JSON][core-json]           | Schema generation & client support. | Built-in support in `coreapi`.
+[Swagger / OpenAPI][swagger]     | Schema generation & client support. | The `openapi-codec` package.
+[JSON Hyper-Schema][hyperschema] | Currently client support only.      | The `hyperschema-codec` package.
+[API Blueprint][api-blueprint]   | Not yet available.                  | Not yet available.
+
+---
+
+You can read more about any of this new functionality in the following:
+
+* New tutorial section on [schemas & client libraries][tut-7].
+* Documentation page on [schema generation][schema-generation].
+* Topic page on [API clients][api-clients].
+
+It is also worth noting that Marc Gibbons is currently working towards a 2.0 release of
+the popular Django REST Swagger package, which will tie in with our new built-in support.
+
+---
+
+## Supported versions
+
+The 3.4.0 release adds support for Django 1.10.
+
+The following versions of Python and Django are now supported:
+
+* Django versions 1.8, 1.9, and 1.10.
+* Python versions 2.7, 3.2(\*), 3.3(\*), 3.4, 3.5.
+
+(\*) Note that Python 3.2 and 3.3 are not supported from Django 1.9 onwards.
+
+---
+
+## Deprecations and changes
+
+The 3.4 release includes very limited deprecation or behavioral changes, and
+should present a straightforward upgrade.
+
+### Use fields or exclude on serializer classes.
+
+The following change in 3.3.0 is now escalated from "pending deprecation" to
+"deprecated". Its usage will continue to function but will raise warnings:
+
+`ModelSerializer` and `HyperlinkedModelSerializer` should include either a `fields`
+option, or an `exclude` option. The `fields = '__all__'` shortcut may be used
+to explicitly include all fields.
+
+### Microsecond precision when returning time or datetime.
+
+Using the default JSON renderer and directly returning a `datetime` or `time`
+instance will now render with microsecond precision (6 digits), rather than
+millisecond precision (3 digits). This makes the output format consistent with the
+default string output of `serializers.DateTimeField` and `serializers.TimeField`.
+
+This change *does not affect the default behavior when using serializers*,
+which is to serialize `datetime` and `time` instances into strings with
+microsecond precision.
+
+The serializer behavior can be modified if needed, using the `DATETIME_FORMAT`
+and `TIME_FORMAT` settings.
+
+The renderer behavior can be modified by setting a custom `encoder_class`
+attribute on a `JSONRenderer` subclass.
+
+### Relational choices no longer displayed in OPTIONS requests.
+
+Making an `OPTIONS` request to views that have a serializer choice field
+will result in a list of the available choices being returned in the response.
+
+In cases where there is a relational field, the previous behavior would be
+to return a list of available instances to choose from for that relational field.
+
+In order to minimise exposed information the behavior now is to *not* return
+choices information for relational fields.
+
+If you want to override this new behavior you'll need to [implement a custom
+metadata class][metadata].
+
+See [issue #3751][gh3751] for more information on this behavioral change.
+
+---
+
+## Other improvements
+
+This release includes further work from a huge number of [pull requests and issues][milestone].
+
+Many thanks to all our contributors who've been involved in the release, either through raising issues, giving feedback, improving the documentation, or suggesting and implementing code changes.
+
+The full set of itemized release notes [are available here][release-notes].
+
+[sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
+[moss]: mozilla-grant.md
+[funding]: funding.md
+[core-api]: https://www.coreapi.org/
+[command-line-client]: api-clients#command-line-client
+[client-library]: api-clients#python-client-library
+[core-json]: https://www.coreapi.org/specification/encoding/#core-json-encoding
+[swagger]: https://openapis.org/specification
+[hyperschema]: https://json-schema.org/latest/json-schema-hypermedia.html
+[api-blueprint]: https://apiblueprint.org/
+[tut-7]: ../tutorial/7-schemas-and-client-libraries/
+[schema-generation]: ../api-guide/schemas/
+[api-clients]: https://github.com/encode/django-rest-framework/blob/3.14.0/docs/topics/api-clients.md
+[milestone]: https://github.com/encode/django-rest-framework/milestone/35
+[release-notes]: release-notes#34
+[metadata]: ../api-guide/metadata/#custom-metadata-classes
+[gh3751]: https://github.com/encode/django-rest-framework/issues/3751

docs/community/3.5-announcement.md

@@ -0,0 +1,262 @@
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+</style>
+
+# Django REST framework 3.5
+
+The 3.5 release is the second in a planned series that is addressing schema
+generation, hypermedia support, API client libraries, and finally realtime support.
+
+---
+
+## Funding
+
+The 3.5 release would not have been possible without our [collaborative funding model][funding].
+If you use REST framework commercially and would like to see this work continue,
+we strongly encourage you to invest in its continued development by
+**[signing up for a paid&nbsp;plan][funding]**.
+
+<ul class="premium-promo promo">
+    <li><a href="https://www.rover.com/careers/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/rover_130x130.png)">Rover.com</a></li>
+    <li><a href="https://sentry.io/welcome/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/sentry130.png)">Sentry</a></li>
+    <li><a href="https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/stream-130.png)">Stream</a></li>
+    <li><a href="https://www.machinalis.com/#services" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/Machinalis130.png)">Machinalis</a></li>
+</ul>
+<div style="clear: both; padding-bottom: 20px;"></div>
+
+*Many thanks to all our [sponsors][sponsors], and in particular to our premium backers, [Rover](https://www.rover.com/careers/), [Sentry](https://sentry.io/welcome/), [Stream](https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf), and [Machinalis](https://www.machinalis.com/#services).*
+
+---
+
+## Improved schema generation
+
+Docstrings on views are now pulled through into schema definitions, allowing
+you to [use the schema definition to document your&nbsp;API][schema-docs].
+
+There is now also a shortcut function, `get_schema_view()`, which makes it easier to
+[adding schema views][schema-view] to your API.
+
+For example, to include a swagger schema to your API, you would do the following:
+
+* Run `pip install django-rest-swagger`.
+
+* Add `'rest_framework_swagger'` to your `INSTALLED_APPS` setting.
+
+* Include the schema view in your URL conf:
+
+```py
+from rest_framework.schemas import get_schema_view
+from rest_framework_swagger.renderers import OpenAPIRenderer, SwaggerUIRenderer
+
+schema_view = get_schema_view(
+    title="Example API", renderer_classes=[OpenAPIRenderer, SwaggerUIRenderer]
+)
+
+urlpatterns = [path("swagger/", schema_view), ...]
+```
+
+There have been a large number of fixes to the schema generation. These should
+resolve issues for anyone using the latest version of the `django-rest-swagger`
+package.
+
+Some of these changes do affect the resulting schema structure,
+so if you're already using schema generation you should make sure to review
+[the deprecation notes](#deprecations), particularly if you're currently using
+a dynamic client library to interact with your API.
+
+Finally, we're also now exposing the schema generation as a
+[publicly documented API][schema-generation-api], allowing you to more easily
+override the behaviour.
+
+## Requests test client
+
+You can now test your project using the `requests` library.
+
+This exposes exactly the same interface as if you were using a standard
+requests session instance.
+
+    client = RequestsClient()
+    response = client.get('http://testserver/users/')
+    assert response.status_code == 200
+
+Rather than sending any HTTP requests to the network, this interface will
+coerce all outgoing requests into WSGI, and call into your application directly.
+
+## Core API client
+
+You can also now test your project by interacting with it using the `coreapi`
+client library.
+
+    # Fetch the API schema
+    client = CoreAPIClient()
+    schema = client.get('http://testserver/schema/')
+
+    # Create a new organisation
+    params = {'name': 'MegaCorp', 'status': 'active'}
+    client.action(schema, ['organisations', 'create'], params)
+
+    # Ensure that the organisation exists in the listing
+    data = client.action(schema, ['organisations', 'list'])
+    assert(len(data) == 1)
+    assert(data == [{'name': 'MegaCorp', 'status': 'active'}])
+
+Again, this will call directly into the application using the WSGI interface,
+rather than making actual network calls.
+
+This is a good option if you are planning for clients to mainly interact with
+your API using the `coreapi` client library, or some other auto-generated client.
+
+## Live tests
+
+One interesting aspect of both the `requests` client and the `coreapi` client
+is that they allow you to write tests in such a way that they can also be made
+to run against a live service.
+
+By switching the WSGI based client instances to actual instances of `requests.Session`
+or `coreapi.Client` you can have the test cases make actual network calls.
+
+Being able to write test cases that can exercise your staging or production
+environment is a powerful tool. However in order to do this, you'll need to pay
+close attention to how you handle setup and teardown to ensure a strict isolation
+of test data from other live or staging data.
+
+## RAML support
+
+We now have preliminary support for [RAML documentation generation][django-rest-raml].
+
+![RAML Example][raml-image]
+
+Further work on the encoding and documentation generation is planned, in order to
+make features such as the 'Try it now' support available at a later date.
+
+This work also now means that you can use the Core API client libraries to interact
+with APIs that expose a RAML specification. The [RAML codec][raml-codec] gives some examples of
+interacting with the Spotify API in this way.
+
+## Validation codes
+
+Exceptions raised by REST framework now include short code identifiers.
+When used together with our customizable error handling, this now allows you to
+modify the style of API error messages.
+
+As an example, this allows for the following style of error responses:
+
+    {
+        "message": "You do not have permission to perform this action.",
+        "code": "permission_denied"
+    }
+
+This is particularly useful with validation errors, which use appropriate
+codes to identify differing kinds of failure...
+
+    {
+        "name": {"message": "This field is required.", "code": "required"},
+        "age": {"message": "A valid integer is required.", "code": "invalid"}
+    }
+
+## Client upload & download support
+
+The Python `coreapi` client library and the Core API command line tool both
+now fully support file [uploads][uploads] and [downloads][downloads].
+
+---
+
+## Deprecations
+
+### Generating schemas from Router
+
+The router arguments for generating a schema view, such as `schema_title`,
+are now pending deprecation.
+
+Instead of using `DefaultRouter(schema_title='Example API')`, you should use
+the `get_schema_view()` function, and include the view in your URL conf.
+
+Make sure to include the view before your router urls. For example:
+
+    from rest_framework.schemas import get_schema_view
+    from my_project.routers import router
+
+    schema_view = get_schema_view(title='Example API')
+
+    urlpatterns = [
+        path('', schema_view),
+        path('', include(router.urls)),
+    ]
+
+### Schema path representations
+
+The `'pk'` identifier in schema paths is now mapped onto the actually model field
+name by default. This will typically be `'id'`.
+
+This gives a better external representation for schemas, with less implementation
+detail being exposed. It also reflects the behaviour of using a ModelSerializer
+class with `fields = '__all__'`.
+
+You can revert to the previous behaviour by setting `'SCHEMA_COERCE_PATH_PK': False`
+in the REST framework settings.
+
+### Schema action name representations
+
+The internal `retrieve()` and `destroy()` method names are now coerced to an
+external representation of `read` and `delete`.
+
+You can revert to the previous behaviour by setting `'SCHEMA_COERCE_METHOD_NAMES': {}`
+in the REST framework settings.
+
+### DjangoFilterBackend
+
+The functionality of the built-in `DjangoFilterBackend` is now completely
+included by the `django-filter` package.
+
+You should change your imports and REST framework filter settings as follows:
+
+* `rest_framework.filters.DjangoFilterBackend` becomes `django_filters.rest_framework.DjangoFilterBackend`.
+* `rest_framework.filters.FilterSet` becomes `django_filters.rest_framework.FilterSet`.
+
+The existing imports will continue to work but are now pending deprecation.
+
+### CoreJSON media type
+
+The media type for `CoreJSON` is now `application/json+coreapi`, rather than
+the previous `application/vnd.json+coreapi`. This brings it more into line with
+other custom media types, such as those used by Swagger and RAML.
+
+The clients currently accept either media type. The old style-media type will
+be deprecated at a later date.
+
+### ModelSerializer 'fields' and 'exclude'
+
+ModelSerializer and HyperlinkedModelSerializer must include either a fields
+option, or an exclude option. The `fields = '__all__'` shortcut may be used to
+explicitly include all fields.
+
+Failing to set either `fields` or `exclude` raised a pending deprecation warning
+in version 3.3 and raised a deprecation warning in 3.4. Its usage is now mandatory.
+
+---
+
+[sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
+[funding]: funding.md
+[uploads]: https://core-api.github.io/python-client/api-guide/utils/#file
+[downloads]: https://core-api.github.io/python-client/api-guide/codecs/#downloadcodec
+[schema-generation-api]: ../api-guide/schemas/#schemagenerator
+[schema-docs]: ../api-guide/schemas/#schemas-as-documentation
+[schema-view]: ../api-guide/schemas/#the-get_schema_view-shortcut
+[django-rest-raml]: https://github.com/encode/django-rest-raml
+[raml-image]: ../img/raml.png
+[raml-codec]: https://github.com/core-api/python-raml-codec

docs/community/3.6-announcement.md

@@ -0,0 +1,199 @@
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+</style>
+
+# Django REST framework 3.6
+
+The 3.6 release adds two major new features to REST framework.
+
+1. Built-in interactive API documentation support.
+2. A new JavaScript client&nbsp;library.
+
+![API Documentation](/img/api-docs.gif)
+
+*Above: The interactive API documentation.*
+
+---
+
+## Funding
+
+The 3.6 release would not have been possible without our [backing from Mozilla](mozilla-grant.md) to the project, and our [collaborative funding&nbsp;model][funding].
+
+If you use REST framework commercially and would like to see this work continue,
+we strongly encourage you to invest in its continued development by
+**[signing up for a paid&nbsp;plan][funding]**.
+
+<ul class="premium-promo promo">
+    <li><a href="https://www.rover.com/careers/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/rover_130x130.png)">Rover.com</a></li>
+    <li><a href="https://sentry.io/welcome/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/sentry130.png)">Sentry</a></li>
+    <li><a href="https://getstream.io/try-the-api/?utm_source=drf&utm_medium=banner&utm_campaign=drf" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/stream-130.png)">Stream</a></li>
+    <li><a href="https://machinalis.com/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/Machinalis130.png)">Machinalis</a></li>
+    <li><a href="https://rollbar.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/rollbar.png)">Rollbar</a></li>
+    <li><a href="https://micropyramid.com/django-rest-framework-development-services/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/mp-text-logo.png)">MicroPyramid</a></li>
+</ul>
+<div style="clear: both; padding-bottom: 20px;"></div>
+
+*Many thanks to all our [sponsors][sponsors], and in particular to our premium backers, [Rover](https://www.rover.com/careers/), [Sentry](https://sentry.io/welcome/), [Stream](https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf), [Machinalis](https://machinalis.com/), [Rollbar](https://rollbar.com), and [MicroPyramid](https://micropyramid.com/django-rest-framework-development-services/).*
+
+---
+
+## Interactive API documentation
+
+REST framework's new API documentation supports a number of features:
+
+* Live API interaction.
+* Support for various authentication schemes.
+* Code snippets for the Python, JavaScript, and Command Line clients.
+
+The `coreapi` library is required as a dependency for the API docs. Make sure
+to install the latest version (2.3.0 or above). The `pygments` and `markdown`
+libraries are optional but recommended.
+
+To install the API documentation, you'll need to include it in your projects URLconf:
+
+    from rest_framework.documentation import include_docs_urls
+
+    API_TITLE = 'API title'
+    API_DESCRIPTION = '...'
+
+    urlpatterns = [
+        ...
+        path('docs/', include_docs_urls(title=API_TITLE, description=API_DESCRIPTION))
+    ]
+
+Once installed you should see something a little like this:
+
+![API Documentation](/img/api-docs.png)
+
+We'll likely be making further refinements to the API documentation over the
+coming weeks. Keep in mind that this is a new feature, and please do give
+us feedback if you run into any issues or limitations.
+
+For more information on documenting your API endpoints see the ["Documenting your API"][api-docs] section.
+
+---
+
+## JavaScript client library
+
+The JavaScript client library allows you to load an API schema, and then interact
+with that API at an application layer interface, rather than constructing fetch
+requests explicitly.
+
+Here's a brief example that demonstrates:
+
+* Loading the client library and schema.
+* Instantiating an authenticated client.
+* Making an API request using the client.
+
+**index.html**
+
+    <html>
+        <head>
+            <script src="/static/rest_framework/js/coreapi-0.1.0.js"></script>
+            <script src="/docs/schema.js"></script>
+            <script>
+                const coreapi = window.coreapi
+                const schema = window.schema
+
+                // Instantiate a client...
+                let auth = coreapi.auth.TokenAuthentication({scheme: 'JWT', token: 'xxx'})
+                let client = coreapi.Client({auth: auth})
+
+                // Make an API request...
+                client.action(schema, ['projects', 'list']).then(function(result) {
+                    alert(result)
+                })
+            </script>
+        </head>
+    </html>
+
+The JavaScript client library supports various authentication schemes, and can be
+used by your project itself, or as an external client interacting with your API.
+
+The client is not limited to usage with REST framework APIs, although it does
+currently only support loading CoreJSON API schemas. Support for Swagger and
+other API schemas is planned.
+
+For more details see the [JavaScript client library documentation][js-docs].
+
+## Authentication classes for the Python client library
+
+Previous authentication support in the Python client library was limited to
+allowing users to provide explicit header values.
+
+We now have better support for handling the details of authentication, with
+the introduction of the `BasicAuthentication`, `TokenAuthentication`, and
+`SessionAuthentication` schemes.
+
+You can include the authentication scheme when instantiating a new client.
+
+    auth = coreapi.auth.TokenAuthentication(scheme='JWT', token='xxx-xxx-xxx')
+    client = coreapi.Client(auth=auth)
+
+For more information see the [Python client library documentation][py-docs].
+
+---
+
+## Deprecations
+
+### Updating coreapi
+
+If you're using REST framework's schema generation, or want to use the API docs,
+then you'll need to update to the latest version of coreapi. (2.3.0)
+
+### Generating schemas from Router
+
+The 3.5 "pending deprecation" of router arguments for generating a schema view, such as `schema_title`, `schema_url` and `schema_renderers`, have now been escalated to a
+"deprecated" warning.
+
+Instead of using `DefaultRouter(schema_title='Example API')`, you should use the `get_schema_view()` function, and include the view explicitly in your URL conf.
+
+### DjangoFilterBackend
+
+The 3.5 "pending deprecation" warning of the built-in `DjangoFilterBackend` has now
+been escalated to a "deprecated" warning.
+
+You should change your imports and REST framework filter settings as follows:
+
+* `rest_framework.filters.DjangoFilterBackend` becomes `django_filters.rest_framework.DjangoFilterBackend`.
+* `rest_framework.filters.FilterSet` becomes `django_filters.rest_framework.FilterSet`.
+
+---
+
+## What's next
+
+There are likely to be a number of refinements to the API documentation and
+JavaScript client library over the coming weeks, which could include some of the following:
+
+* Support for private API docs, requiring login.
+* File upload and download support in the JavaScript client & API docs.
+* Comprehensive documentation for the JavaScript client library.
+* Automatically including authentication details in the API doc code snippets.
+* Adding authentication support in the command line client.
+* Support for loading Swagger and other schemas in the JavaScript client.
+* Improved support for documenting parameter schemas and response schemas.
+* Refining the API documentation interaction modal.
+
+Once work on those refinements is complete, we'll be starting feature work
+on realtime support, for the 3.7 release.
+
+[sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
+[funding]: funding.md
+[api-docs]: ../topics/documenting-your-api.md
+[js-docs]: https://github.com/encode/django-rest-framework/blob/3.14.0/docs/topics/api-clients.md#javascript-client-library
+[py-docs]: https://github.com/encode/django-rest-framework/blob/3.14.0/docs/topics/api-clients.md#python-client-library

docs/community/3.7-announcement.md

@@ -0,0 +1,130 @@
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+</style>
+
+# Django REST framework 3.7
+
+The 3.7 release focuses on improvements to schema generation and the interactive API documentation.
+
+This release has been made possible by [Bayer](https://www.bayer.com/) who have sponsored the release.
+
+<a href="https://www.bayer.com/"><img src="/img/bayer.png"/></a>
+
+---
+
+## Funding
+
+If you use REST framework commercially and would like to see this work continue, we strongly encourage you to invest in its continued development by
+**[signing up for a paid&nbsp;plan][funding]**.
+
+<ul class="premium-promo promo">
+    <li><a href="https://www.rover.com/careers/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/rover_130x130.png)">Rover.com</a></li>
+    <li><a href="https://sentry.io/welcome/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/sentry130.png)">Sentry</a></li>
+    <li><a href="https://getstream.io/try-the-api/?utm_source=drf&utm_medium=banner&utm_campaign=drf" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/stream-130.png)">Stream</a></li>
+    <li><a href="https://machinalis.com/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/Machinalis130.png)">Machinalis</a></li>
+    <li><a href="https://rollbar.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/rollbar.png)">Rollbar</a></li>
+</ul>
+<div style="clear: both; padding-bottom: 20px;"></div>
+
+*As well as our release sponsor, we'd like to say thanks in particular our premium backers, [Rover](https://www.rover.com/careers/), [Sentry](https://sentry.io/welcome/), [Stream](https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf), [Machinalis](https://machinalis.com/), and [Rollbar](https://rollbar.com).*
+
+---
+
+## Customizing API docs & schema generation.
+
+The schema generation introduced in 3.5 and the related API docs generation in 3.6 are both hugely powerful features, however they've been somewhat limited in cases where the view introspection isn't able to correctly identify the schema for a particular view.
+
+In order to try to address this we're now adding the ability for per-view customization of the API schema. The interface that we're adding for this allows either basic manual overrides over which fields should be included on a view, or for more complex programmatic overriding of the schema generation. We believe this release comprehensively addresses some of the existing shortcomings of the schema features.
+
+Let's take a quick look at using the new functionality...
+
+The `APIView` class has a `schema` attribute, that is used to control how the Schema for that particular view is generated. The default behaviour is to use the `AutoSchema` class.
+
+    from rest_framework.views import APIView
+    from rest_framework.schemas import AutoSchema
+
+    class CustomView(APIView):
+        schema = AutoSchema()  # Included for demonstration only. This is the default behavior.
+
+We can remove a view from the API schema and docs, like so:
+
+    class CustomView(APIView):
+        schema = None
+
+If we want to mostly use the default behavior, but additionally include some additional fields on a particular view, we can now do so easily...
+
+    class CustomView(APIView):
+        schema = AutoSchema(manual_fields=[
+            coreapi.Field('search', location='query')
+        ])
+
+To ignore the automatic generation for a particular view, and instead specify the schema explicitly, we use the `ManualSchema` class instead...
+
+    class CustomView(APIView):
+        schema = ManualSchema(fields=[...])
+
+For more advanced behaviors you can subclass `AutoSchema` to provide for customized schema generation, and apply that to particular views.
+
+    class CustomView(APIView):
+        schema = CustomizedSchemaGeneration()
+
+For full details on the new functionality, please see the [Schema Documentation][schema-docs].
+
+---
+
+## Django 2.0 support
+
+REST framework 3.7 supports Django versions 1.10, 1.11, and 2.0 alpha.
+
+---
+
+## Minor fixes and improvements
+
+There are a large number of minor fixes and improvements in this release. See the [release notes](release-notes.md) page for a complete listing.
+
+The number of [open tickets against the project](https://github.com/encode/django-rest-framework/issues) currently at its lowest number in quite some time, and we're continuing to focus on reducing these to a manageable amount.
+
+---
+
+## Deprecations
+
+### `exclude_from_schema`
+
+Both `APIView.exclude_from_schema` and the `exclude_from_schema` argument to the `@api_view` decorator and now `PendingDeprecation`. They will be moved to deprecated in the 3.8 release, and removed entirely in 3.9.
+
+For `APIView` you should instead set a `schema = None` attribute on the view class.
+
+For function based views the `@schema` decorator can be used to exclude the view from the schema, by using `@schema(None)`.
+
+### `DjangoFilterBackend`
+
+The `DjangoFilterBackend` was moved to pending deprecation in 3.5, and deprecated in 3.6. It has now been removed from the core framework.
+
+The functionality remains fully available, but is instead provided in the `django-filter` package.
+
+---
+
+## What's next
+
+We're still planning to work on improving real-time support for REST framework by providing documentation on integrating with Django channels, as well adding support for more easily adding WebSocket support to existing HTTP endpoints.
+
+This will likely be timed so that any REST framework development here ties in with similar work on [API Star][api-star].
+
+[funding]: funding.md
+[schema-docs]: ../api-guide/schemas.md
+[api-star]: https://github.com/encode/apistar

docs/community/3.8-announcement.md

@@ -0,0 +1,97 @@
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+</style>
+
+# Django REST framework 3.8
+
+The 3.8 release is a maintenance focused release resolving a large number of previously outstanding issues and laying
+the foundations for future changes.
+
+---
+
+## Funding
+
+If you use REST framework commercially and would like to see this work continue, we strongly encourage you to invest in its continued development by
+**[signing up for a paid&nbsp;plan][funding]**.
+
+
+*We'd like to say thanks in particular our premium backers, [Rover](https://www.rover.com/careers/), [Sentry](https://sentry.io/welcome/), [Stream](https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf), [Machinalis](https://machinalis.com/), and [Rollbar](https://rollbar.com).*
+
+---
+
+## Breaking Changes
+
+### Altered the behaviour of `read_only` plus `default` on Field.
+
+[#5886][gh5886] `read_only` fields will now **always** be excluded from writable fields.
+
+Previously `read_only` fields when combined with a `default` value would use the `default` for create and update
+operations. This was counter-intuitive in some circumstances and led to difficulties supporting dotted `source`
+attributes on nullable relations.
+
+In order to maintain the old behaviour you may need to pass the value of `read_only` fields when calling `save()` in
+the view:
+
+    def perform_create(self, serializer):
+        serializer.save(owner=self.request.user)
+
+Alternatively you may override `save()` or `create()` or `update()` on the serializer as appropriate.
+
+---
+
+## Deprecations
+
+### `action` decorator replaces `list_route` and `detail_route`
+
+[#5705][gh5705] `list_route` and `detail_route` have been merge into a single `action` decorator. This improves viewset action introspection, and will allow extra actions to be displayed in the Browsable API in future versions.
+
+Both `list_route` and `detail_route` are now pending deprecation. They will be deprecated in 3.9 and removed entirely
+in 3.10.
+
+The new `action` decorator takes a boolean `detail` argument.
+
+* Replace `detail_route` uses with `@action(detail=True)`.
+* Replace `list_route` uses with `@action(detail=False)`.
+
+
+### `exclude_from_schema`
+
+Both `APIView.exclude_from_schema` and the `exclude_from_schema` argument to the `@api_view` decorator are now deprecated. They will be removed entirely in 3.9.
+
+For `APIView` you should instead set a `schema = None` attribute on the view class.
+
+For function based views the `@schema` decorator can be used to exclude the view from the schema, by using `@schema(None)`.
+
+---
+
+## Minor fixes and improvements
+
+There are a large number of minor fixes and improvements in this release. See the [release notes](release-notes.md) page
+for a complete listing.
+
+
+## What's next
+
+We're currently working towards moving to using [OpenAPI][openapi] as our default schema output. We'll also be revisiting our API documentation generation and client libraries.
+
+We're doing some consolidation in order to make this happen. It's planned that 3.9 will drop the `coreapi` and `coreschema` libraries, and instead use `apistar` for the API documentation generation, schema generation, and API client libraries.
+
+[funding]: funding.md
+[gh5886]: https://github.com/encode/django-rest-framework/issues/5886
+[gh5705]: https://github.com/encode/django-rest-framework/issues/5705
+[openapi]: https://www.openapis.org/

docs/community/3.9-announcement.md

@@ -0,0 +1,210 @@
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+</style>
+
+# Django REST framework 3.9
+
+The 3.9 release gives access to _extra actions_ in the Browsable API, introduces composable permissions and built-in [OpenAPI][openapi] schema support. (Formerly known as Swagger)
+
+---
+
+## Funding
+
+If you use REST framework commercially and would like to see this work continue, we strongly encourage you to invest in its continued development by
+**[signing up for a paid&nbsp;plan][funding]**.
+
+
+<ul class="premium-promo promo">
+    <li><a href="https://www.rover.com/careers/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/rover_130x130.png)">Rover.com</a></li>
+    <li><a href="https://sentry.io/welcome/" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/sentry130.png)">Sentry</a></li>
+    <li><a href="https://getstream.io/try-the-api/?utm_source=drf&utm_medium=banner&utm_campaign=drf" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/stream-130.png)">Stream</a></li>
+    <li><a href="https://auklet.io" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/auklet-new.png)">Auklet</a></li>
+    <li><a href="https://rollbar.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/rollbar2.png)">Rollbar</a></li>
+    <li><a href="https://cadre.com" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/cadre.png)">Cadre</a></li>
+    <li><a href="https://loadimpact.com/?utm_campaign=Sponsorship%20links&utm_source=drf&utm_medium=drf" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/load-impact.png)">Load Impact</a></li>
+    <li><a href="https://hubs.ly/H0f30Lf0" style="background-image: url(https://fund-rest-framework.s3.amazonaws.com/kloudless.png)">Kloudless</a></li>
+</ul>
+<div style="clear: both; padding-bottom: 20px;"></div>
+
+*Many thanks to all our [wonderful sponsors][sponsors], and in particular to our premium backers, [Rover](https://www.rover.com/careers/), [Sentry](https://sentry.io/welcome/), [Stream](https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf), [Auklet](https://auklet.io/), [Rollbar](https://rollbar.com), [Cadre](https://cadre.com), [Load Impact](https://loadimpact.com/?utm_campaign=Sponsorship%20links&utm_source=drf&utm_medium=drf), and [Kloudless](https://hubs.ly/H0f30Lf0).*
+
+---
+
+## Built-in OpenAPI schema support
+
+REST framework now has a first-pass at directly including OpenAPI schema support. (Formerly known as Swagger)
+
+Specifically:
+
+* There are now `OpenAPIRenderer`, and `JSONOpenAPIRenderer` classes that deal with encoding `coreapi.Document` instances into OpenAPI YAML or OpenAPI JSON.
+* The `get_schema_view(...)` method now defaults to OpenAPI YAML, with CoreJSON as a secondary
+option if it is selected via HTTP content negotiation.
+* There is a new management command `generateschema`, which you can use to dump
+the schema into your repository.
+
+Here's an example of adding an OpenAPI schema to the URL conf:
+
+```python
+from rest_framework.schemas import get_schema_view
+from rest_framework.renderers import JSONOpenAPIRenderer
+from django.urls import path
+
+schema_view = get_schema_view(
+    title="Server Monitoring API",
+    url="https://www.example.org/api/",
+    renderer_classes=[JSONOpenAPIRenderer],
+)
+
+urlpatterns = [path("schema.json", schema_view), ...]
+```
+
+And here's how you can use the `generateschema` management command:
+
+```shell
+$ python manage.py generateschema --format openapi > schema.yml
+```
+
+There's lots of different tooling that you can use for working with OpenAPI
+schemas. One option that we're working on is the [API Star](https://docs.apistar.com/)
+command line tool.
+
+You can use `apistar` to validate your API schema:
+
+```shell
+$ apistar validate --path schema.json --format openapi
+✓ Valid OpenAPI schema.
+```
+
+Or to build API documentation:
+
+```shell
+$ apistar docs --path schema.json --format openapi
+✓ Documentation built at "build/index.html".
+```
+
+API Star also includes a [dynamic client library](https://docs.apistar.com/client-library/)
+that uses an API schema to automatically provide a client library interface for making requests.
+
+## Composable permission classes
+
+You can now compose permission classes using the and/or operators, `&` and `|`.
+
+For example...
+
+```python
+permission_classes = [IsAuthenticated & (ReadOnly | IsAdminUser)]
+```
+
+If you're using custom permission classes then make sure that you are subclassing
+from `BasePermission` in order to enable this support.
+
+## ViewSet _Extra Actions_ available in the Browsable API
+
+Following the introduction of the `action` decorator in v3.8, _extra actions_ defined on a ViewSet are now available
+from the Browsable API.
+
+![Extra Actions displayed in the Browsable API](https://user-images.githubusercontent.com/2370209/32976956-1ca9ab7e-cbf1-11e7-981a-a20cb1e83d63.png)
+
+When defined, a dropdown of "Extra Actions", appropriately filtered to detail/non-detail actions, is displayed.
+
+---
+
+## Supported Versions
+
+REST framework 3.9 supports Django versions 1.11, 2.0, and 2.1.
+
+---
+
+## Deprecations
+
+### `DjangoObjectPermissionsFilter` moved to third-party package.
+
+The `DjangoObjectPermissionsFilter` class is pending deprecation, will be deprecated in 3.10 and removed entirely in 3.11.
+
+It has been moved to the third-party [`djangorestframework-guardian`](https://github.com/rpkilby/django-rest-framework-guardian)
+package. Please use this instead.
+
+### Router argument/method renamed to use `basename` for consistency.
+
+* The `Router.register` `base_name` argument has been renamed in favor of `basename`.
+* The `Router.get_default_base_name` method has been renamed in favor of `Router.get_default_basename`. [#5990][gh5990]
+
+See [#5990][gh5990].
+
+[gh5990]: https://github.com/encode/django-rest-framework/pull/5990
+
+`base_name` and `get_default_base_name()` are pending deprecation. They will be deprecated in 3.10 and removed entirely in 3.11.
+
+### `action` decorator replaces `list_route` and `detail_route`
+
+Both `list_route` and `detail_route` are now deprecated in favour of the single `action` decorator.
+They will be removed entirely in 3.10.
+
+The `action` decorator takes a boolean `detail` argument.
+
+* Replace `detail_route` uses with `@action(detail=True)`.
+* Replace `list_route` uses with `@action(detail=False)`.
+
+### `exclude_from_schema`
+
+Both `APIView.exclude_from_schema` and the `exclude_from_schema` argument to the `@api_view` have now been removed.
+
+For `APIView` you should instead set a `schema = None` attribute on the view class.
+
+For function-based views the `@schema` decorator can be used to exclude the view from the schema, by using `@schema(None)`.
+
+---
+
+## Minor fixes and improvements
+
+There are a large number of minor fixes and improvements in this release. See the [release notes](release-notes.md) page for a complete listing.
+
+
+## What's next
+
+We're planning to iteratively work towards OpenAPI becoming the standard schema
+representation. This will mean that the `coreapi` dependency will gradually become
+removed, and we'll instead generate the schema directly, rather than building
+a CoreAPI `Document` object.
+
+OpenAPI has clearly become the standard for specifying Web APIs, so there's not
+much value any more in our schema-agnostic document model. Making this change
+will mean that we'll more easily be able to take advantage of the full set of
+OpenAPI functionality.
+
+This will also make a wider range of tooling available.
+
+We'll focus on continuing to develop the [API Star](https://docs.apistar.com/)
+library and client tool into a recommended option for generating API docs,
+validating API schemas, and providing a dynamic client library.
+
+There's also a huge amount of ongoing work on maturing the ASGI landscape,
+with the possibility that some of this work will eventually [feed back into
+Django](https://www.aeracode.org/2018/06/04/django-async-roadmap/).
+
+There will be further work on the [Uvicorn](https://www.uvicorn.org/)
+web server, as well as lots of functionality planned for the [Starlette](https://www.starlette.io/)
+web framework, which is building a foundational set of tooling for working with
+ASGI.
+
+
+[funding]: funding.md
+[gh5886]: https://github.com/encode/django-rest-framework/issues/5886
+[gh5705]: https://github.com/encode/django-rest-framework/issues/5705
+[openapi]: https://www.openapis.org/
+[sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors

docs/community/contributing.md

@@ -4,7 +4,9 @@
 >
 > — [Tim Berners-Lee][cite]
 
-There are many ways you can contribute to Django REST framework.  We'd like it to be a community-led project, so please get involved and help shape the future of the project.
+!!! note
+
+    At this point in its lifespan we consider Django REST framework to be feature-complete. We focus on pull requests that track the continued development of Django versions, and generally do not accept new features or code formatting changes.
 
 ## Community
 
@@ -26,41 +28,39 @@ The [Django code of conduct][code-of-conduct] gives a fuller set of guidelines f
 
 # Issues
 
-It's really helpful if you can make sure to address issues on the correct channel.  Usage questions should be directed to the [discussion group][google-group].  Feature requests, bug reports and other issues should be raised on the GitHub [issue tracker][issues].
-
-Some tips on good issue reporting:
-
-* When describing issues try to phrase your ticket in terms of the *behavior* you think needs changing rather than the *code* you think need changing.
-* Search the issue list first for related items, and make sure you're running the latest version of REST framework before reporting an issue.
-* If reporting a bug, then try to include a pull request with a failing test case.  This will help us quickly identify if there is a valid issue, and make sure that it gets fixed more quickly if there is one.
-* Feature requests will often be closed with a recommendation that they be implemented outside of the core REST framework library.  Keeping new feature requests implemented as third party libraries allows us to keep down the maintenance overhead of REST framework, so that the focus can be on continued stability, bugfixes, and great documentation.
-* Closing an issue doesn't necessarily mean the end of a discussion.  If you believe your issue has been closed incorrectly, explain why and we'll consider if it needs to be reopened.
-
-## Triaging issues
-
-Getting involved in triaging incoming issues is a good way to start contributing.  Every single ticket that comes into the ticket tracker needs to be reviewed in order to determine what the next steps should be.  Anyone can help out with this, you just need to be willing to
-
-* Read through the ticket - does it make sense, is it missing any context that would help explain it better?
-* Is the ticket reported in the correct place, would it be better suited as a discussion on the discussion group?
-* If the ticket is a bug report, can you reproduce it? Are you able to write a failing test case that demonstrates the issue and that can be submitted as a pull request?
-* If the ticket is a feature request, do you agree with it, and could the feature request instead be implemented as a third party package?
-* If a ticket hasn't had much activity and it addresses something you need, then comment on the ticket and try to find out what's needed to get it moving again.
+* Django REST framework is considered feature-complete. Please do not file requests to change behavior, unless it is required for security reasons or to maintain compatibility with upcoming Django or Python versions.
+* Feature requests will typically be closed with a recommendation that they be implemented outside the core REST framework library (e.g. as third-party libraries).  This approach allows us to keep down the maintenance overhead of REST framework, so that the focus can be on continued stability and great documentation.
 
 # Development
 
-To start developing on Django REST framework, clone the repo:
+To start developing on Django REST framework, first create a Fork from the
+[Django REST Framework repo][repo] on GitHub.
 
-    git clone git@github.com:tomchristie/django-rest-framework.git
+Then clone your fork. The clone command will look like this, with your GitHub
+username instead of YOUR-USERNAME:
+
+    git clone https://github.com/YOUR-USERNAME/django-rest-framework
+
+See GitHub's [_Fork a Repo_][how-to-fork] Guide for more help.
 
 Changes should broadly follow the [PEP 8][pep-8] style conventions, and we recommend you set up your editor to automatically indicate non-conforming styles.
+You can check your contributions against these conventions each time you commit using the [pre-commit](https://pre-commit.com/) hooks, which we also run on CI.
+To set them up, first ensure you have the pre-commit tool installed, for example:
+
+    python -m pip install pre-commit
+
+Then run:
+
+    pre-commit install
 
 ## Testing
 
 To run the tests, clone the repository, and then:
 
     # Setup the virtual environment
-    virtualenv env
+    python3 -m venv env
     source env/bin/activate
+    pip install -e .
     pip install -r requirements.txt
 
     # Run the tests
@@ -72,18 +72,6 @@ Run using a more concise output style.
 
     ./runtests.py -q
 
-Run the tests using a more concise output style, no coverage, no flake8.
-
-    ./runtests.py --fast
-
-Don't run the flake8 code linting.
-
-    ./runtests.py --nolint
-
-Only run the flake8 code linting, don't run the tests.
-
-    ./runtests.py --lintonly
-
 Run the tests for a given test case.
 
     ./runtests.py MyTestCase
@@ -114,13 +102,13 @@ It's also useful to remember that if you have an outstanding pull request then p
 
 GitHub's documentation for working on pull requests is [available here][pull-requests].
 
-Always run the tests before submitting pull requests, and ideally run `tox` in order to check that your modifications are compatible with both Python 2 and Python 3, and that they run properly on all supported versions of Django.
+Always run the tests before submitting pull requests, and ideally run `tox` in order to check that your modifications are compatible on all supported versions of Python and Django.
 
-Once you've made a pull request take a look at the Travis build status in the GitHub interface and make sure the tests are running as you'd expect.
+Once you've made a pull request take a look at the build status in the GitHub interface and make sure the tests are running as you'd expect.
 
-![Travis status][travis-status]
+![Build status][build-status]
 
-*Above: Travis build notifications*
+*Above: build notifications*
 
 ## Managing compatibility issues
 
@@ -197,15 +185,16 @@ If you want to draw attention to a note or warning, use a pair of enclosing line
     ---
 
 
-[cite]: http://www.w3.org/People/Berners-Lee/FAQ.html
+[cite]: https://www.w3.org/People/Berners-Lee/FAQ.html
 [code-of-conduct]: https://www.djangoproject.com/conduct/
 [google-group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework
-[so-filter]: http://stackexchange.com/filters/66475/rest-framework
-[issues]: https://github.com/tomchristie/django-rest-framework/issues?state=open
-[pep-8]: http://www.python.org/dev/peps/pep-0008/
-[travis-status]: ../img/travis-status.png
+[so-filter]: https://stackexchange.com/filters/66475/rest-framework
+[pep-8]: https://www.python.org/dev/peps/pep-0008/
+[build-status]: ../img/build-status.png
 [pull-requests]: https://help.github.com/articles/using-pull-requests
-[tox]: http://tox.readthedocs.org/en/latest/
-[markdown]: http://daringfireball.net/projects/markdown/basics
-[docs]: https://github.com/tomchristie/django-rest-framework/tree/master/docs
+[tox]: https://tox.readthedocs.io/en/latest/
+[markdown]: https://daringfireball.net/projects/markdown/basics
+[docs]: https://github.com/encode/django-rest-framework/tree/master/docs
 [mou]: http://mouapp.com/
+[repo]: https://github.com/encode/django-rest-framework
+[how-to-fork]: https://help.github.com/articles/fork-a-repo/

docs/community/funding.md

@@ -0,0 +1,388 @@
+<script>
+// Imperfect, but easier to fit in with the existing docs build.
+// Hyperlinks should point directly to the "fund." subdomain, but this'll
+// handle the nav bar links without requiring any docs build changes for the moment.
+if (window.location.hostname == "www.django-rest-framework.org") {
+    window.location.replace("https://fund.django-rest-framework.org/topics/funding/");
+}
+</script>
+
+<style>
+.promo li a {
+    float: left;
+    width: 130px;
+    height: 20px;
+    text-align: center;
+    margin: 10px 30px;
+    padding: 150px 0 0 0;
+    background-position: 0 50%;
+    background-size: 130px auto;
+    background-repeat: no-repeat;
+    font-size: 120%;
+    color: black;
+}
+.promo li {
+    list-style: none;
+}
+.chart {
+    background-color: #e3e3e3;
+    background: -webkit-linear-gradient(top, #fff 0, #e3e3e3 100%);
+    border: 1px solid #E6E6E6;
+    border-radius: 5px;
+    box-shadow: 0px 0px 2px 0px rgba(181, 181, 181, 0.3);
+    padding: 40px 0px 5px;
+    position: relative;
+    text-align: center;
+    width: 97%;
+    min-height: 255px;
+    position: relative;
+    top: 37px;
+    margin-bottom: 20px
+}
+.quantity {
+    text-align: center
+}
+.dollar {
+    font-size: 19px;
+    position: relative;
+    top: -18px;
+}
+.price {
+    font-size: 49px;
+}
+.period {
+    font-size: 17px;
+    position: relative;
+    top: -8px;
+    margin-left: 4px;
+}
+.plan-name {
+    text-align: center;
+    font-size: 20px;
+    font-weight: 400;
+    color: #777;
+    border-bottom: 1px solid #d5d5d5;
+    padding-bottom: 15px;
+    width: 90%;
+    margin: 0 auto;
+    margin-top: 8px;
+}
+.specs {
+    margin-top: 20px;
+    min-height: 130px;
+}
+.specs.freelancer {
+    min-height: 0px;
+}
+.spec {
+    font-size: 15px;
+    color: #474747;
+    text-align: center;
+    font-weight: 300;
+    margin-bottom: 13px;
+}
+.variable {
+    color: #1FBEE7;
+    font-weight: 400;
+}
+form.signup {
+    margin-top: 35px
+}
+.clear-promo {
+    padding-top: 30px
+}
+#main-content h1:first-of-type {
+    margin: 0 0 50px;
+    font-size: 60px;
+    font-weight: 200;
+    text-align: center
+}
+#main-content {
+    padding-top: 10px; line-height: 23px
+}
+#main-content li {
+    line-height: 23px
+}
+</style>
+
+# Funding
+
+If you use REST framework commercially we strongly encourage you to invest in its continued development by signing up for a paid plan.
+
+**We believe that collaboratively funded software can offer outstanding returns on investment, by encouraging our users to collectively share the cost of development.**
+
+Signing up for a paid plan will:
+
+* Directly contribute to faster releases, more features, and higher quality software.
+* Allow more time to be invested in keeping the package up to date.
+* Safeguard the future development of REST framework.
+
+REST framework continues to be open-source and permissively licensed, but we firmly believe it is in the commercial best-interest for users of the project to invest in its ongoing development.
+
+---
+
+## What funding has enabled so far
+
+* The [3.4](https://www.django-rest-framework.org/community/3.4-announcement/) and [3.5](https://www.django-rest-framework.org/community/3.5-announcement/) releases, including schema generation for both Swagger and RAML, a Python client library, a Command Line client, and addressing of a large number of outstanding issues.
+* The [3.6](https://www.django-rest-framework.org/community/3.6-announcement/) release, including JavaScript client library, and API documentation, complete with auto-generated code samples.
+* The [3.7 release](https://www.django-rest-framework.org/community/3.7-announcement/), made possible due to our collaborative funding model, focuses on improvements to schema generation and the interactive API documentation.
+* The recent [3.8 release](https://www.django-rest-framework.org/community/3.8-announcement/).
+* Tom Christie, the creator of Django REST framework, working on the project full-time.
+* Around 80-90 issues and pull requests closed per month since Tom Christie started working on the project full-time.
+* A community & operations manager position part-time for 4 months, helping mature the business and grow sponsorship.
+* Contracting development time for the work on the JavaScript client library and API documentation tooling.
+
+---
+
+## What our sponsors and users say
+
+> As a developer, Django REST framework feels like an obvious and natural extension to all the great things that make up Django and it's community. Getting started is easy while providing simple abstractions which makes it flexible and customizable. Contributing and supporting Django REST framework helps ensure its future and one way or another it also helps Django, and the Python ecosystem.
+>
+> &mdash; José Padilla, Django REST framework contributor
+
+&nbsp;
+
+> The number one feature of the Python programming language is its community. Such a community is only possible because of the Open Source nature of the language and all the culture that comes from it. Building great Open Source projects require great minds. Given that, we at Vinta are not only proud to sponsor the team behind DRF but we also recognize the ROI that comes from it.
+>
+> &mdash; Filipe Ximenes, Vinta Software
+
+&nbsp;
+
+> It's really awesome that this project continues to endure. The code base is top notch and the maintainers are committed to the highest level of quality.
+DRF is one of the core reasons why Django is top choice among web frameworks today. In my opinion, it sets the standard for rest frameworks for the development community at large.
+>
+> &mdash; Andrew Conti, Django REST framework user
+
+Sign up for a paid plan today, and help ensure that REST framework becomes a sustainable, full-time funded project.
+
+---
+
+## Individual plan
+
+This subscription is recommended for individuals with an interest in seeing REST framework continue to&nbsp;improve.
+
+If you are using REST framework as a full-time employee, consider recommending that your company takes out a [corporate&nbsp;plan](#corporate-plans).
+
+<div class="pricing">
+                <div class="span4">
+                    <div class="chart first">
+                        <div class="quantity">
+                            <span class="dollar">{{ symbol }}</span>
+                            <span class="price">{{ rates.personal1 }}</span>
+                            <span class="period">/month{% if vat %} +VAT{% endif %}</span>
+                        </div>
+                        <div class="plan-name">Individual</div>
+                        <div class="specs freelancer">
+                            <div class="spec">
+                                Support ongoing development
+                            </div>
+                            <div class="spec">
+                                Credited on the site
+                            </div>
+                        </div>
+                        <form class="signup" action="/signup/{{ currency }}-{{ rates.personal1 }}/" method="POST">
+  <script
+    src="https://checkout.stripe.com/checkout.js" class="stripe-button"
+    data-key="{{ stripe_public }}"
+    data-amount="{{ stripe_amounts.personal1 }}"
+    data-name="Django REST framework"
+    data-description="Individual"
+    data-currency="{{ currency }}"
+    data-allow-remember-me=false
+    data-billing-address=true
+    data-label='Sign up'
+    data-panel-label='Sign up - {% verbatim %}{{amount}}{% endverbatim %}/mo'>
+  </script>
+</form>
+                    </div>
+                </div>
+            </div>
+<div style="clear: both; padding-top: 50px"></div>
+
+*Billing is monthly and you can cancel at any time.*
+
+---
+
+## Corporate plans
+
+These subscriptions are recommended for companies and organizations using REST framework either publicly or privately.
+
+In exchange for funding you'll also receive advertising space on our site, allowing you to **promote your company or product to many tens of thousands of developers worldwide**.
+
+Our professional and premium plans also include **priority support**. At any time your engineers can escalate an issue or discussion group thread, and we'll ensure it gets a guaranteed response within the next working day.
+
+<div class="pricing">
+                <div class="span4">
+                    <div class="chart first">
+                        <div class="quantity">
+                            <span class="dollar">{{ symbol }}</span>
+                            <span class="price">{{ rates.corporate1 }}</span>
+                            <span class="period">/month{% if vat %} +VAT{% endif %}</span>
+                        </div>
+                        <div class="plan-name">Basic</div>
+                        <div class="specs startup">
+                            <div class="spec">
+                                Support ongoing development
+                            </div>
+                            <div class="spec">
+                                <span class="variable">Funding page</span> ad placement
+                            </div>
+                        </div>
+                        <form class="signup" action="/signup/{{ currency }}-{{ rates.corporate1 }}/" method="POST">
+  <script
+    src="https://checkout.stripe.com/checkout.js" class="stripe-button"
+    data-key="{{ stripe_public }}"
+    data-amount="{{ stripe_amounts.corporate1 }}"
+    data-name="Django REST framework"
+    data-description="Basic"
+    data-currency="{{ currency }}"
+    data-allow-remember-me=false
+    data-billing-address=true
+    data-label='Sign up'
+    data-panel-label='Sign up - {% verbatim %}{{amount}}{% endverbatim %}/mo'>
+  </script>
+</form>
+                    </div>
+                </div>
+                <div class="span4">
+                    <div class="chart">
+                        <div class="quantity">
+                            <span class="dollar">{{ symbol }}</span>
+                            <span class="price">{{ rates.corporate2 }}</span>
+                            <span class="period">/month{% if vat %} +VAT{% endif %}</span>
+                        </div>
+                        <div class="plan-name">Professional</div>
+                        <div class="specs">
+                            <div class="spec">
+                                Support ongoing development
+                            </div>
+                            <div class="spec">
+                                <span class="variable">Sidebar</span> ad placement
+                            </div>
+                            <div class="spec">
+                                <span class="variable">Priority support</span> for your engineers
+                            </div>
+                        </div>
+                        <form class="signup" action="/signup/{{ currency }}-{{ rates.corporate2 }}/" method="POST">
+  <script
+    src="https://checkout.stripe.com/checkout.js" class="stripe-button"
+    data-key="{{ stripe_public }}"
+    data-amount="{{ stripe_amounts.corporate2 }}"
+    data-name="Django REST framework"
+    data-description="Professional"
+    data-currency="{{ currency }}"
+    data-allow-remember-me=false
+    data-billing-address=true
+    data-label='Sign up'
+    data-panel-label='Sign up - {% verbatim %}{{amount}}{% endverbatim %}/mo'>
+  </script>
+</form>
+                    </div>
+                </div>
+                <div class="span4">
+                    <div class="chart last">
+                        <div class="quantity">
+                            <span class="dollar">{{ symbol }}</span>
+                            <span class="price">{{ rates.corporate3 }}</span>
+                            <span class="period">/month{% if vat %} +VAT{% endif %}</span>
+                        </div>
+                        <div class="plan-name">Premium</div>
+                        <div class="specs">
+                        <div class="spec">
+                            Support ongoing development
+                        </div>
+                            <div class="spec">
+                                <span class="variable">Homepage</span> ad placement
+                            </div>
+                            <div class="spec">
+                                <span class="variable">Sidebar</span> ad placement
+                            </div>
+                            <div class="spec">
+                                <span class="variable">Priority support</span> for your engineers
+                            </div>
+                        </div>
+                        <form class="signup" action="/signup/{{ currency }}-{{ rates.corporate3 }}/" method="POST">
+  <script
+    src="https://checkout.stripe.com/checkout.js" class="stripe-button"
+    data-key="{{ stripe_public }}"
+    data-amount="{{ stripe_amounts.corporate3 }}"
+    data-name="Django REST framework"
+    data-description="Premium"
+    data-currency="{{ currency }}"
+    data-allow-remember-me=false
+    data-billing-address=true
+    data-label='Sign up'
+    data-panel-label='Sign up - {% verbatim %}{{amount}}{% endverbatim %}/mo'>
+  </script>
+</form>
+                    </div>
+                </div>
+            </div>
+
+<div style="clear: both; padding-top: 50px"></div>
+
+*Billing is monthly and you can cancel at any time.*
+
+Once you've signed up, we will contact you via email and arrange your ad placements on the site.
+
+For further enquires please contact <a href=mailto:funding@django-rest-framework.org>funding@django-rest-framework.org</a>.
+
+---
+
+## Accountability
+
+In an effort to keep the project as transparent as possible, we are releasing [monthly progress reports](https://www.encode.io/reports/march-2018/) and regularly include financial reports and cost breakdowns.
+
+<!-- Begin MailChimp Signup Form -->
+<link href="//cdn-images.mailchimp.com/embedcode/classic-10_7.css" rel="stylesheet" type="text/css">
+<style type="text/css">
+    #mc_embed_signup{background:#fff; clear:left; font:14px Helvetica,Arial,sans-serif; }
+    /* Add your own MailChimp form style overrides in your site stylesheet or in this style block.
+       We recommend moving this block and the preceding CSS link to the HEAD of your HTML file. */
+</style>
+<div id="mc_embed_signup">
+<form action="//encode.us13.list-manage.com/subscribe/post?u=b6b66bb5e4c7cb484a85c8dd7&amp;id=e382ef68ef" method="post" id="mc-embedded-subscribe-form" name="mc-embedded-subscribe-form" class="validate" target="_blank" novalidate>
+    <div id="mc_embed_signup_scroll">
+    <h2>Stay up to date, with our monthly progress reports...</h2>
+<div class="mc-field-group">
+    <label for="mce-EMAIL">Email Address </label>
+    <input type="email" value="" name="EMAIL" class="required email" id="mce-EMAIL">
+</div>
+    <div id="mce-responses" class="clear">
+        <div class="response" id="mce-error-response" style="display:none"></div>
+        <div class="response" id="mce-success-response" style="display:none"></div>
+    </div>    <!-- real people should not fill this in and expect good things - do not remove this or risk form bot signups-->
+    <div style="position: absolute; left: -5000px;" aria-hidden="true"><input type="text" name="b_b6b66bb5e4c7cb484a85c8dd7_e382ef68ef" tabindex="-1" value=""></div>
+    <div class="clear"><input type="submit" value="Subscribe" name="subscribe" id="mc-embedded-subscribe" class="button"></div>
+    </div>
+</form>
+</div>
+<script type='text/javascript' src='//s3.amazonaws.com/downloads.mailchimp.com/js/mc-validate.js'></script><script type='text/javascript'>(function($) {window.fnames = new Array(); window.ftypes = new Array();fnames[0]='EMAIL';ftypes[0]='email';fnames[1]='FNAME';ftypes[1]='text';fnames[2]='LNAME';ftypes[2]='text';}(jQuery));var $mcj = jQuery.noConflict(true);</script>
+<!--End mc_embed_signup-->
+
+---
+
+## Frequently asked questions
+
+**Q: Can you issue monthly invoices?**
+A: Yes, we are happy to issue monthly invoices. Please just <a href=mailto:funding@django-rest-framework.org>email us</a> and let us know who to issue the invoice to (name and address) and which email address to send it to each month.
+
+**Q: Does sponsorship include VAT?**
+A: Sponsorship is VAT exempt.
+
+**Q: Do I have to sign up for a certain time period?**
+A: No, we appreciate your support for any time period that is convenient for you. Also, you can cancel your sponsorship anytime.
+
+**Q: Can I pay yearly? Can I pay upfront fox X amount of months at a time?**
+A: We are currently only set up to accept monthly payments. However, if you'd like to support Django REST framework and you can only do yearly/upfront payments, we are happy to work with you and figure out a convenient solution.
+
+**Q: Are you only looking for corporate sponsors?**
+A: No, we value individual sponsors just as much as corporate sponsors and appreciate any kind of support.
+
+---
+
+## Our sponsors
+
+<div id="fundingInclude"></div>
+
+<script src="https://fund.django-rest-framework.org/funding_include.js"></script>

docs/community/jobs.md

@@ -0,0 +1,43 @@
+# Jobs
+
+Looking for a new Django REST Framework related role? On this site we provide a list of job resources that may be helpful. It's also worth checking out if any of [our sponsors are hiring][drf-funding].
+
+
+## Places to look for Django REST Framework Jobs
+
+* [https://www.djangoproject.com/community/jobs/][djangoproject-website]
+* [https://www.python.org/jobs/][python-org-jobs]
+* [https://django.on-remote.com][django-on-remote]
+* [https://djangogigs.com][django-gigs-com]
+* [https://djangojobs.net/jobs/][django-jobs-net]
+* [https://findwork.dev/django-rest-framework-jobs][findwork-dev]
+* [https://www.indeed.com/q-Django-jobs.html][indeed-com]
+* [https://stackoverflow.com/jobs/companies?tl=django][stackoverflow-com]
+* [https://www.upwork.com/o/jobs/browse/skill/django-framework/][upwork-com]
+* [https://www.technojobs.co.uk/django-jobs][technobjobs-co-uk]
+* [https://remoteok.com/remote-django-jobs][remoteok-com]
+* [https://www.remotepython.com/jobs/][remotepython-com]
+* [https://www.pyjobs.com/][pyjobs-com]
+
+
+Know of any other great resources for Django REST Framework jobs that are missing in our list? Please [submit a pull request][submit-pr] or [email us][anna-email].
+
+Wonder how else you can help? One of the best ways you can help Django REST Framework is to ask interviewers if their company is signed up for [REST Framework sponsorship][drf-funding] yet.
+
+
+[djangoproject-website]: https://www.djangoproject.com/community/jobs/
+[python-org-jobs]: https://www.python.org/jobs/
+[django-on-remote]: https://django.on-remote.com/
+[django-gigs-com]: https://djangogigs.com
+[django-jobs-net]: https://djangojobs.net/jobs/
+[findwork-dev]: https://findwork.dev/django-rest-framework-jobs
+[indeed-com]: https://www.indeed.com/q-Django-jobs.html
+[stackoverflow-com]: https://stackoverflow.com/jobs/companies?tl=django
+[upwork-com]: https://www.upwork.com/o/jobs/browse/skill/django-framework/
+[technobjobs-co-uk]: https://www.technojobs.co.uk/django-jobs
+[remoteok-com]: https://remoteok.com/remote-django-jobs
+[remotepython-com]: https://www.remotepython.com/jobs/
+[pyjobs-com]: https://www.pyjobs.com/
+[drf-funding]: https://fund.django-rest-framework.org/topics/funding/
+[submit-pr]: https://github.com/encode/django-rest-framework
+[anna-email]: mailto:anna@django-rest-framework.org

docs/community/kickstarter-announcement.md

@@ -47,8 +47,8 @@ Our platinum sponsors have each made a hugely substantial contribution to the fu
 </ul>
 
 <ul class="sponsor platinum">
-<li><a href="https://www.divio.ch/" rel="nofollow" style="background-image:url(../../img/sponsors/1-divio.png);">Divio</a></li>
-<li><a href="http://company.onlulu.com/en/" rel="nofollow" style="background-image:url(../../img/sponsors/1-lulu.png);">Lulu</a></li>
+<li><a href="https://www.divio.com/" rel="nofollow" style="background-image:url(../../img/sponsors/1-divio.png);">Divio</a></li>
+<li><a href="https://onlulu.com" rel="nofollow" style="background-image:url(../../img/sponsors/1-lulu.png);">Lulu</a></li>
 <li><a href="https://p.ota.to/" rel="nofollow" style="background-image:url(../../img/sponsors/1-potato.png);">Potato</a></li>
 <li><a href="http://www.wiredrive.com/" rel="nofollow" style="background-image:url(../../img/sponsors/1-wiredrive.png);">Wiredrive</a></li>
 <li><a href="http://www.cyaninc.com/" rel="nofollow" style="background-image:url(../../img/sponsors/1-cyan.png);">Cyan</a></li>
@@ -72,27 +72,27 @@ Our gold sponsors include companies large and small. Many thanks for their signi
 <li><a href="https://www.schubergphilis.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-schuberg_philis.png);">Schuberg Philis</a></li>
 <li><a href="http://prorenata.se/" rel="nofollow" style="background-image:url(../../img/sponsors/2-prorenata.png);">ProReNata AB</a></li>
 <li><a href="https://www.sgawebsites.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-sga.png);">SGA Websites</a></li>
-<li><a href="http://www.sirono.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-sirono.png);">Sirono</a></li>
-<li><a href="http://www.vinta.com.br/" rel="nofollow" style="background-image:url(../../img/sponsors/2-vinta.png);">Vinta Software Studio</a></li>
-<li><a href="http://www.rapasso.nl/index.php/en" rel="nofollow" style="background-image:url(../../img/sponsors/2-rapasso.png);">Rapasso</a></li>
+<li><a href="https://www.sirono.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-sirono.png);">Sirono</a></li>
+<li><a href="https://www.vinta.com.br/" rel="nofollow" style="background-image:url(../../img/sponsors/2-vinta.png);">Vinta Software Studio</a></li>
+<li><a href="https://www.rapasso.nl/" rel="nofollow" style="background-image:url(../../img/sponsors/2-rapasso.png);">Rapasso</a></li>
 <li><a href="https://mirusresearch.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-mirus_research.png);">Mirus Research</a></li>
-<li><a href="http://hipolabs.com" rel="nofollow" style="background-image:url(../../img/sponsors/2-hipo.png);">Hipo</a></li>
-<li><a href="http://www.byte.nl" rel="nofollow" style="background-image:url(../../img/sponsors/2-byte.png);">Byte</a></li>
-<li><a href="http://lightningkite.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-lightning_kite.png);">Lightning Kite</a></li>
+<li><a href="https://hipolabs.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-hipo.png);">Hipo</a></li>
+<li><a href="https://www.byte.nl/" rel="nofollow" style="background-image:url(../../img/sponsors/2-byte.png);">Byte</a></li>
+<li><a href="https://www.lightningkite.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-lightning_kite.png);">Lightning Kite</a></li>
 <li><a href="https://opbeat.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-opbeat.png);">Opbeat</a></li>
 <li><a href="https://koordinates.com" rel="nofollow" style="background-image:url(../../img/sponsors/2-koordinates.png);">Koordinates</a></li>
-<li><a href="http://pulsecode.ca" rel="nofollow" style="background-image:url(../../img/sponsors/2-pulsecode.png);">Pulsecode Inc.</a></li>
-<li><a href="http://singinghorsestudio.com" rel="nofollow" style="background-image:url(../../img/sponsors/2-singing-horse.png);">Singing Horse Studio Ltd.</a></li>
+<li><a rel="nofollow" style="background-image:url(../../img/sponsors/2-pulsecode.png);">Pulsecode Inc.</a></li>
+<li><a rel="nofollow" style="background-image:url(../../img/sponsors/2-singing-horse.png);">Singing Horse Studio Ltd.</a></li>
 <li><a href="https://www.heroku.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-heroku.png);">Heroku</a></li>
 <li><a href="https://www.rheinwerk-verlag.de/" rel="nofollow" style="background-image:url(../../img/sponsors/2-rheinwerk_verlag.png);">Rheinwerk Verlag</a></li>
-<li><a href="http://www.securitycompass.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-security_compass.png);">Security Compass</a></li>
+<li><a href="https://www.securitycompass.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-security_compass.png);">Security Compass</a></li>
 <li><a href="https://www.djangoproject.com/foundation/" rel="nofollow" style="background-image:url(../../img/sponsors/2-django.png);">Django Software Foundation</a></li>
 <li><a href="http://www.hipflaskapp.com" rel="nofollow" style="background-image:url(../../img/sponsors/2-hipflask.png);">Hipflask</a></li>
 <li><a href="http://www.crate.io/" rel="nofollow" style="background-image:url(../../img/sponsors/2-crate.png);">Crate</a></li>
 <li><a href="http://crypticocorp.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-cryptico.png);">Cryptico Corp</a></li>
-<li><a href="http://www.nexthub.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-nexthub.png);">NextHub</a></li>
+<li><a rel="nofollow" style="background-image:url(../../img/sponsors/2-nexthub.png);">NextHub</a></li>
 <li><a href="https://www.compile.com/" rel="nofollow" style="background-image:url(../../img/sponsors/2-compile.png);">Compile</a></li>
-<li><a href="http://wusawork.org" rel="nofollow" style="background-image:url(../../img/sponsors/2-wusawork.png);">WusaWork</a></li>
+<li><a rel="nofollow" style="background-image:url(../../img/sponsors/2-wusawork.png);">WusaWork</a></li>
 <li><a href="http://envisionlinux.org/blog" rel="nofollow">Envision Linux</a></li>
 </ul>
 
@@ -102,41 +102,41 @@ Our gold sponsors include companies large and small. Many thanks for their signi
 
 ### Silver sponsors
 
-The serious financial contribution that our silver sponsors have made is very much appreciated. I'd like to say a particular thank&nbsp;you to individuals who have choosen to privately support the project at this level.
+The serious financial contribution that our silver sponsors have made is very much appreciated. I'd like to say a particular thank&nbsp;you to individuals who have chosen to privately support the project at this level.
 
 <ul class="sponsor silver">
-<li><a href="http://www.imtapps.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-imt_computer_services.png);">IMT Computer Services</a></li>
-<li><a href="http://wildfish.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-wildfish.png);">Wildfish</a></li>
-<li><a href="http://www.thermondo.de/" rel="nofollow" style="background-image:url(../../img/sponsors/3-thermondo-gmbh.png);">Thermondo GmbH</a></li>
-<li><a href="http://providenz.fr/" rel="nofollow" style="background-image:url(../../img/sponsors/3-providenz.png);">Providenz</a></li>
+<li><a href="https://www.imtapps.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-imt_computer_services.png);">IMT Computer Services</a></li>
+<li><a href="https://wildfish.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-wildfish.png);">Wildfish</a></li>
+<li><a href="https://www.thermondo.de/" rel="nofollow" style="background-image:url(../../img/sponsors/3-thermondo-gmbh.png);">Thermondo GmbH</a></li>
+<li><a href="https://providenz.fr/" rel="nofollow" style="background-image:url(../../img/sponsors/3-providenz.png);">Providenz</a></li>
 <li><a href="https://www.alwaysdata.com" rel="nofollow" style="background-image:url(../../img/sponsors/3-alwaysdata.png);">alwaysdata.com</a></li>
-<li><a href="http://www.triggeredmessaging.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-triggered_messaging.png);">Triggered Messaging</a></li>
+<li><a href="https://www.freshrelevance.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-triggered_messaging.png);">Triggered Messaging</a></li>
 <li><a href="https://www.ipushpull.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-ipushpull.png);">PushPull Technology Ltd</a></li>
 <li><a href="http://www.transcode.de/" rel="nofollow" style="background-image:url(../../img/sponsors/3-transcode.png);">Transcode</a></li>
 <li><a href="https://garfo.io/" rel="nofollow" style="background-image:url(../../img/sponsors/3-garfo.png);">Garfo</a></li>
 <li><a href="https://goshippo.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-shippo.png);">Shippo</a></li>
 <li><a href="http://www.gizmag.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-gizmag.png);">Gizmag</a></li>
-<li><a href="http://www.tivix.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-tivix.png);">Tivix</a></li>
-<li><a href="http://www.safaribooksonline.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-safari.png);">Safari</a></li>
+<li><a href="https://www.tivix.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-tivix.png);">Tivix</a></li>
+<li><a href="https://www.safaribooksonline.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-safari.png);">Safari</a></li>
 <li><a href="http://brightloop.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-brightloop.png);">Bright Loop</a></li>
 <li><a href="http://www.aba-systems.com.au/" rel="nofollow" style="background-image:url(../../img/sponsors/3-aba.png);">ABA Systems</a></li>
 <li><a href="http://beefarm.ru/" rel="nofollow" style="background-image:url(../../img/sponsors/3-beefarm.png);">beefarm.ru</a></li>
 <li><a href="http://www.vzzual.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-vzzual.png);">Vzzual.com</a></li>
 <li><a href="http://infinite-code.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-infinite_code.png);">Infinite Code</a></li>
-<li><a href="http://crosswordtracker.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-crosswordtracker.png);">Crossword Tracker</a></li>
+<li><a href="https://crosswordtracker.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-crosswordtracker.png);">Crossword Tracker</a></li>
 <li><a href="https://www.pkgfarm.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-pkgfarm.png);">PkgFarm</a></li>
 <li><a href="http://life.tl/" rel="nofollow" style="background-image:url(../../img/sponsors/3-life_the_game.png);">Life. The Game.</a></li>
 <li><a href="http://blimp.io/" rel="nofollow" style="background-image:url(../../img/sponsors/3-blimp.png);">Blimp</a></li>
-<li><a href="http://pathwright.com" rel="nofollow" style="background-image:url(../../img/sponsors/3-pathwright.png);">Pathwright</a></li>
-<li><a href="http://fluxility.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-fluxility.png);">Fluxility</a></li>
-<li><a href="http://teonite.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-teonite.png);">Teonite</a></li>
-<li><a href="http://trackmaven.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-trackmaven.png);">TrackMaven</a></li>
-<li><a href="http://www.phurba.net/" rel="nofollow" style="background-image:url(../../img/sponsors/3-phurba.png);">Phurba</a></li>
-<li><a href="http://www.nephila.co.uk/" rel="nofollow" style="background-image:url(../../img/sponsors/3-nephila.png);">Nephila</a></li>
+<li><a href="https://www.pathwright.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-pathwright.png);">Pathwright</a></li>
+<li><a href="https://fluxility.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-fluxility.png);">Fluxility</a></li>
+<li><a href="https://teonite.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-teonite.png);">Teonite</a></li>
+<li><a href="https://trackmaven.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-trackmaven.png);">TrackMaven</a></li>
+<li><a href="https://www.phurba.net/" rel="nofollow" style="background-image:url(../../img/sponsors/3-phurba.png);">Phurba</a></li>
+<li><a href="https://www.nephila.it/it/" rel="nofollow" style="background-image:url(../../img/sponsors/3-nephila.png);">Nephila</a></li>
 <li><a href="http://www.aditium.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-aditium.png);">Aditium</a></li>
-<li><a href="http://www.eyesopen.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-openeye.png);">OpenEye Scientific Software</a></li>
+<li><a href="https://www.eyesopen.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-openeye.png);">OpenEye Scientific Software</a></li>
 <li><a href="https://holvi.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-holvi.png);">Holvi</a></li>
-<li><a href="http://cantemo.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-cantemo.gif);">Cantemo</a></li>
+<li><a href="https://www.cantemo.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-cantemo.gif);">Cantemo</a></li>
 <li><a href="https://www.makespace.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-makespace.png);">MakeSpace</a></li>
 <li><a href="https://www.ax-semantics.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-ax_semantics.png);">AX Semantics</a></li>
 <li><a href="http://istrategylabs.com/" rel="nofollow" style="background-image:url(../../img/sponsors/3-isl.png);">ISL</a></li>
@@ -144,7 +144,7 @@ The serious financial contribution that our silver sponsors have made is very mu
 
 <div style="clear: both; padding-bottom: 40px;"></div>
 
-**Individual backers**: Paul Hallett, <a href="http://www.paulwhippconsulting.com/">Paul Whipp</a>, Dylan Roy, Jannis Leidel, <a href="https://linovia.com/en/">Xavier Ordoquy</a>, <a href="http://spielmannsolutions.com/">Johannes Spielmann</a>, <a href="http://brooklynhacker.com/">Rob Spectre</a>, <a href="http://chrisheisel.com/">Chris Heisel</a>, Marwan Alsabbagh, Haris Ali, Tuomas Toivonen.
+**Individual backers**: Paul Hallett, <a href="http://www.paulwhippconsulting.com/">Paul Whipp</a>, Dylan Roy, Jannis Leidel, <a href="https://linovia.com/en/">Xavier Ordoquy</a>, <a href="http://spielmannsolutions.com/">Johannes Spielmann</a>, <a href="http://brooklynhacker.com/">Rob Spectre</a>, <a href="https://chrisheisel.com/">Chris Heisel</a>, Marwan Alsabbagh, Haris Ali, Tuomas Toivonen.
 
 ---
 

docs/community/mozilla-grant.md

@@ -0,0 +1,67 @@
+# Mozilla Grant
+
+We have recently been [awarded a Mozilla grant](https://blog.mozilla.org/blog/2016/04/13/mozilla-open-source-support-moss-update-q1-2016/), in order to fund the next major releases of REST framework. This work will focus on seamless client-side integration by introducing supporting client libraries that are able to dynamically interact with REST framework APIs. The framework will provide for either hypermedia or schema endpoints, which will expose the available interface for the client libraries to interact with.
+
+Additionally, we will be building on the realtime support that Django Channels provides, supporting and documenting how to build realtime APIs with REST framework. Again, this will include supporting work in the associated client libraries, making it easier to build richly interactive applications.
+
+The [Core API](https://www.coreapi.org/) project will provide the foundations for our client library support, and will allow us to support interaction using a wide range of schemas and hypermedia formats. It's worth noting that these client libraries won't be tightly coupled to solely REST framework APIs either, and will be able to interact with *any* API that exposes a supported schema or hypermedia format.
+
+Specifically, the work includes:
+
+## Client libraries
+
+This work will include built-in schema and hypermedia support, allowing dynamic client libraries to interact with the API. I'll also be releasing both Python and Javascript client libraries, plus a command-line client, a new tutorial section, and further documentation.
+
+* Client library support in REST framework.
+  * Schema & hypermedia support for REST framework APIs.
+  * A test client, allowing you to write tests that emulate a client library interacting with your API.
+  * New tutorial sections on using client libraries to interact with REST framework APIs.
+* Python client library.
+* JavaScript client library.
+* Command line client.
+
+## Realtime APIs
+
+The next goal is to build on the realtime support offered by Django Channels, adding support & documentation for building realtime API endpoints.
+
+* Support for API subscription endpoints, using REST framework and Django Channels.
+* New tutorial section on building realtime API endpoints with REST framework.
+* Realtime support in the Python & Javascript client libraries.
+
+## Accountability
+
+In order to ensure that I can be fully focused on trying to secure a sustainable
+& well-funded open source business I will be leaving my current role at [DabApps](https://www.dabapps.com/)
+at the end of May 2016.
+
+I have formed a UK limited company, [Encode](https://www.encode.io/), which will
+act as the business entity behind REST framework. I will be issuing monthly reports
+from Encode on progress both towards the Mozilla grant, and for development time
+funded via the [REST framework paid plans](funding.md).
+
+<!-- Begin MailChimp Signup Form -->
+<link href="//cdn-images.mailchimp.com/embedcode/classic-10_7.css" rel="stylesheet" type="text/css">
+<style type="text/css">
+    #mc_embed_signup{background:#fff; clear:left; font:14px Helvetica,Arial,sans-serif; }
+    /* Add your own MailChimp form style overrides in your site stylesheet or in this style block.
+       We recommend moving this block and the preceding CSS link to the HEAD of your HTML file. */
+</style>
+<div id="mc_embed_signup">
+<form action="//encode.us13.list-manage.com/subscribe/post?u=b6b66bb5e4c7cb484a85c8dd7&amp;id=e382ef68ef" method="post" id="mc-embedded-subscribe-form" name="mc-embedded-subscribe-form" class="validate" target="_blank" novalidate>
+    <div id="mc_embed_signup_scroll">
+    <h2>Stay up to date, with our monthly progress reports...</h2>
+<div class="mc-field-group">
+    <label for="mce-EMAIL">Email Address </label>
+    <input type="email" value="" name="EMAIL" class="required email" id="mce-EMAIL">
+</div>
+    <div id="mce-responses" class="clear">
+        <div class="response" id="mce-error-response" style="display:none"></div>
+        <div class="response" id="mce-success-response" style="display:none"></div>
+    </div>    <!-- real people should not fill this in and expect good things - do not remove this or risk form bot signups-->
+    <div style="position: absolute; left: -5000px;" aria-hidden="true"><input type="text" name="b_b6b66bb5e4c7cb484a85c8dd7_e382ef68ef" tabindex="-1" value=""></div>
+    <div class="clear"><input type="submit" value="Subscribe" name="subscribe" id="mc-embedded-subscribe" class="button"></div>
+    </div>
+</form>
+</div>
+<script type='text/javascript' src='//s3.amazonaws.com/downloads.mailchimp.com/js/mc-validate.js'></script><script type='text/javascript'>(function($) {window.fnames = new Array(); window.ftypes = new Array();fnames[0]='EMAIL';ftypes[0]='email';fnames[1]='FNAME';ftypes[1]='text';fnames[2]='LNAME';ftypes[2]='text';}(jQuery));var $mcj = jQuery.noConflict(true);</script>
+<!--End mc_embed_signup-->

docs/community/project-management.md

@@ -6,62 +6,20 @@
 
 This document outlines our project management processes for REST framework.
 
-The aim is to ensure that the project has a high 
+The aim is to ensure that the project has a high
 ["bus factor"][bus-factor], and can continue to remain well supported for the foreseeable future. Suggestions for improvements to our process are welcome.
 
 ---
 
 ## Maintenance team
 
-We have a quarterly maintenance cycle where new members may join the maintenance team. We currently cap the size of the team at 5 members, and may encourage folks to step out of the team for a cycle to allow new members to participate.
+[Participating actively in the REST framework project](contributing.md) **does not require being part of the maintenance team**. Almost every important part of issue triage and project improvement can be actively worked on regardless of your collaborator status on the repository.
 
-#### Current team
+#### Composition
 
-The [maintenance team for Q1 2015](https://github.com/tomchristie/django-rest-framework/issues/2190):
+The composition of the maintenance team is handled by [@tomchristie](https://github.com/encode/). Team members will be added as collaborators to the repository.
 
-* [@tomchristie](https://github.com/tomchristie/)
-* [@xordoquy](https://github.com/xordoquy/) (Release manager.)
-* [@carltongibson](https://github.com/carltongibson/)
-* [@kevin-brown](https://github.com/kevin-brown/)
-* [@jpadilla](https://github.com/jpadilla/)
-
-#### Maintenance cycles
-
-Each maintenance cycle is initiated by an issue being opened with the `Process` label.
-
-* To be considered for a maintainer role simply comment against the issue.
-* Existing members must explicitly opt-in to the next cycle by check-marking their name.
-* The final decision on the incoming team will be made by `@tomchristie`.
-
-Members of the maintenance team will be added as collaborators to the repository.
-
-The following template should be used for the description of the issue, and serves as the formal process for selecting the team.
-
-    This issue is for determining the maintenance team for the *** period.
-    
-    Please see the [Project management](http://www.django-rest-framework.org/topics/project-management/) section of our documentation for more details.
-    
-    ---
-    
-    #### Renewing existing members.
-    
-    The following people are the current maintenance team. Please checkmark your name if you wish to continue to have write permission on the repository for the *** period.
-    
-    - [ ] @***
-    - [ ] @***
-    - [ ] @***
-    - [ ] @***
-    - [ ] @***
-    
-    ---
-    
-    #### New members.
-    
-    If you wish to be considered for this or a future date, please comment against this or subsequent issues.
-    
-    To modify this process for future maintenance cycles make a pull request to the [project management](http://www.django-rest-framework.org/topics/project-management/) documentation.
-
-#### Responsibilities of team members
+#### Responsibilities
 
 Team members have the following responsibilities.
 
@@ -76,18 +34,13 @@ Further notes for maintainers:
 * Code changes should come in the form of a pull request - do not push directly to master.
 * Maintainers should typically not merge their own pull requests.
 * Each issue/pull request should have exactly one label once triaged.
-* Search for un-triaged issues with [is:open no:label][un-triaged].
-
-It should be noted that participating actively in the REST framework project clearly **does not require being part of the maintenance team**. Almost every import part of issue triage and project improvement can be actively worked on regardless of your collaborator status on the repository.
 
 ---
 
 ## Release process
 
-The release manager is selected on every quarterly maintenance cycle.
-
-* The manager should be selected by `@tomchristie`.
-* The manager will then have the maintainer role added to PyPI package.
+* The release manager is selected by `@tomchristie`.
+* The release manager will then have the maintainer role added to PyPI package.
 * The previous manager will then have the maintainer role removed from the PyPI package.
 
 Our PyPI releases will be handled by either the current release manager, or by `@tomchristie`. Every release should have an open issue tagged with the `Release` label and marked against the appropriate milestone.
@@ -97,10 +50,24 @@ The following template should be used for the description of the issue, and serv
     Release manager is @***.
     Pull request is #***.
 
+    During development cycle:
+
+    - [ ] Upload the new content to be translated to [transifex](https://www.django-rest-framework.org/topics/project-management/#translations).
+
+
     Checklist:
 
-    - [ ] Create pull request for [release notes](https://github.com/tomchristie/django-rest-framework/blob/master/docs/topics/release-notes.md) based on the [*.*.* milestone](https://github.com/tomchristie/django-rest-framework/milestones/***).
-    - [ ] Ensure the pull request increments the version to `*.*.*` in [`restframework/__init__.py`](https://github.com/tomchristie/django-rest-framework/blob/master/rest_framework/__init__.py).
+    - [ ] Create pull request for [release notes](https://github.com/encode/django-rest-framework/blob/master/docs/topics/release-notes.md) based on the [*.*.* milestone](https://github.com/encode/django-rest-framework/milestones/***).
+    - [ ] Update supported versions:
+        - [ ] `setup.py` `python_requires` list
+        - [ ] `setup.py` Python & Django version trove classifiers
+        - [ ] `README` Python & Django versions
+        - [ ] `docs` Python & Django versions
+    - [ ] Update the translations from [transifex](https://www.django-rest-framework.org/topics/project-management/#translations).
+    - [ ] Ensure the pull request increments the version to `*.*.*` in [`restframework/__init__.py`](https://github.com/encode/django-rest-framework/blob/master/rest_framework/__init__.py).
+    - [ ] Ensure documentation validates
+        - Build and serve docs `mkdocs serve`
+        - Validate links `pylinkvalidate.py -P http://127.0.0.1:8000`
     - [ ] Confirm with @tomchristie that release is finalized and ready to go.
     - [ ] Ensure that release date is included in pull request.
     - [ ] Merge the release pull request.
@@ -110,8 +77,8 @@ The following template should be used for the description of the issue, and serv
     - [ ] Make a release announcement on the [discussion group](https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework).
     - [ ] Make a release announcement on twitter.
     - [ ] Close the milestone on GitHub.
-    
-    To modify this process for future releases make a pull request to the [project management](http://www.django-rest-framework.org/topics/project-management/) documentation.
+
+    To modify this process for future releases make a pull request to the [project management](https://www.django-rest-framework.org/topics/project-management/) documentation.
 
 When pushing the release to PyPI ensure that your environment has been installed from our development `requirement.txt`, so that documentation and PyPI installs are consistently being built against a pinned set of packages.
 
@@ -141,7 +108,7 @@ When any user visible strings are changed, they should be uploaded to Transifex
 
     # 1. Update the source django.po file, which is the US English version.
     cd rest_framework
-    django-admin.py makemessages -l en_US
+    django-admin makemessages -l en_US
     # 2. Push the source django.po file to Transifex.
     cd ..
     tx push -s
@@ -159,10 +126,10 @@ Here's how differences between the old and new source files will be handled:
 When a translator has finished translating their work needs to be downloaded from Transifex into the REST framework repository. To do this, run:
 
     # 3. Pull the translated django.po files from Transifex.
-    tx pull -a
+    tx pull -a --minimum-perc 10
     cd rest_framework
     # 4. Compile the binary .mo files for all supported languages.
-    django-admin.py compilemessages
+    django-admin compilemessages
 
 ---
 
@@ -184,17 +151,12 @@ If `@tomchristie` ceases to participate in the project then `@j4mie` has respons
 
 The following issues still need to be addressed:
 
-* [Consider moving the repo into a proper GitHub organization][github-org].
-* Ensure `@jamie` has back-up access to the `django-rest-framework.org` domain setup and admin.
-* Document ownership of the [live example][sandbox] API.
+* Ensure `@j4mie` has back-up access to the `django-rest-framework.org` domain setup and admin.
 * Document ownership of the [mailing list][mailing-list] and IRC channel.
 * Document ownership and management of the security mailing list.
 
-[bus-factor]: http://en.wikipedia.org/wiki/Bus_factor
-[un-triaged]: https://github.com/tomchristie/django-rest-framework/issues?q=is%3Aopen+no%3Alabel
+[bus-factor]: https://en.wikipedia.org/wiki/Bus_factor
 [transifex-project]: https://www.transifex.com/projects/p/django-rest-framework/
-[transifex-client]: https://pypi.python.org/pypi/transifex-client
+[transifex-client]: https://pypi.org/project/transifex-client/
 [translation-memory]: http://docs.transifex.com/guides/tm#let-tm-automatically-populate-translations
-[github-org]: https://github.com/tomchristie/django-rest-framework/issues/2162
-[sandbox]: http://restframework.herokuapp.com/
 [mailing-list]: https://groups.google.com/forum/#!forum/django-rest-framework

docs/community/third-party-packages.md

@@ -0,0 +1,261 @@
+# Third Party Packages
+
+> Software ecosystems […] establish a community that further accelerates the sharing of knowledge, content, issues, expertise and skills.
+>
+> — [Jan Bosch][cite].
+
+## About Third Party Packages
+
+Third Party Packages allow developers to share code that extends the functionality of Django REST framework, in order to support additional use-cases.
+
+We **support**, **encourage** and **strongly favor** the creation of Third Party Packages to encapsulate new behavior rather than adding additional functionality directly to Django REST Framework.
+
+We aim to make creating third party packages as easy as possible, whilst keeping a **simple** and **well maintained** core API. By promoting third party packages we ensure that the responsibility for a package remains with its author. If a package proves suitably popular it can always be considered for inclusion into the core REST framework.
+
+If you have an idea for a new feature please consider how it may be packaged as a Third Party Package. We're always happy to discuss ideas on the [Mailing List][discussion-group].
+
+## Creating a Third Party Package
+
+### Version compatibility
+
+Sometimes, in order to ensure your code works on various different versions of Django, Python or third party libraries, you'll need to run slightly different code depending on the environment. Any code that branches in this way should be isolated into a `compat.py` module, and should provide a single common interface that the rest of the codebase can use.
+
+Check out Django REST framework's [compat.py][drf-compat] for an example.
+
+### Once your package is available
+
+Once your package is decently documented and available on PyPI, you might want share it with others that might find it useful.
+
+#### Adding to the Django REST framework grid
+
+We suggest adding your package to the [REST Framework][rest-framework-grid] grid on Django Packages.
+
+#### Adding to the Django REST framework docs
+
+Create a [Pull Request][drf-create-pr] on GitHub, and we'll add a link to it from the main REST framework documentation. You can add your package under **Third party packages** of the API Guide section that best applies, like [Authentication][authentication] or [Permissions][permissions]. You can also link your package under the [Third Party Packages][third-party-packages] section.
+
+#### Announce on the discussion group.
+
+You can also let others know about your package through the [discussion group][discussion-group].
+
+## Existing Third Party Packages
+
+Django REST Framework has a growing community of developers, packages, and resources.
+
+Check out a grid detailing all the packages and ecosystem around Django REST Framework at [Django Packages][rest-framework-grid].
+
+To submit new content, [create a pull request][drf-create-pr].
+
+## Async Support
+
+*  [adrf](https://github.com/em1208/adrf) - Async support, provides async Views, ViewSets, and Serializers.
+
+### Authentication
+
+* [djangorestframework-digestauth][djangorestframework-digestauth] - Provides Digest Access Authentication support.
+* [django-oauth-toolkit][django-oauth-toolkit] - Provides OAuth 2.0 support.
+* [djangorestframework-simplejwt][djangorestframework-simplejwt] - Provides JSON Web Token Authentication support.
+* [hawkrest][hawkrest] - Provides Hawk HTTP Authorization.
+* [djangorestframework-httpsignature][djangorestframework-httpsignature] - Provides an easy to use HTTP Signature Authentication mechanism.
+* [djoser][djoser] - Provides a set of views to handle basic actions such as registration, login, logout, password reset and account activation.
+* [dj-rest-auth][dj-rest-auth] - Provides a set of REST API endpoints for registration, authentication (including social media authentication), password reset, retrieve and update user details, etc.
+* [drf-oidc-auth][drf-oidc-auth] - Implements OpenID Connect token authentication for DRF.
+* [drfpasswordless][drfpasswordless] - Adds (Medium, Square Cash inspired) passwordless logins and signups via email and mobile numbers.
+* [django-rest-authemail][django-rest-authemail] - Provides a RESTful API for user signup and authentication using email addresses.
+* [dango-pyoidc][django-pyoidc] adds support for OpenID Connect (OIDC) authentication.
+
+### Permissions
+
+* [drf-any-permissions][drf-any-permissions] - Provides alternative permission handling.
+* [djangorestframework-composed-permissions][djangorestframework-composed-permissions] - Provides a simple way to define complex permissions.
+* [rest_condition][rest-condition] - Another extension for building complex permissions in a simple and convenient way.
+* [dry-rest-permissions][dry-rest-permissions] - Provides a simple way to define permissions for individual api actions.
+* [drf-access-policy][drf-access-policy] - Declarative and flexible permissions inspired by AWS' IAM policies.
+* [drf-psq][drf-psq] - An extension that gives support for having action-based **permission_classes**, **serializer_class**, and **queryset** dependent on permission-based rules.
+
+### Serializers
+
+* [django-rest-framework-mongoengine][django-rest-framework-mongoengine] - Serializer class that supports using MongoDB as the storage layer for Django REST framework.
+* [djangorestframework-gis][djangorestframework-gis] - Geographic add-ons
+* [djangorestframework-hstore][djangorestframework-hstore] - Serializer class to support django-hstore DictionaryField model field and its schema-mode feature.
+* [djangorestframework-jsonapi][djangorestframework-jsonapi] - Provides a parser, renderer, serializers, and other tools to help build an API that is compliant with the jsonapi.org spec.
+* [html-json-forms][html-json-forms] - Provides an algorithm and serializer to process HTML JSON Form submissions per the (inactive) spec.
+* [django-rest-framework-serializer-extensions][drf-serializer-extensions] -
+  Enables black/whitelisting fields, and conditionally expanding child serializers on a per-view/request basis.
+* [djangorestframework-queryfields][djangorestframework-queryfields] - Serializer mixin allowing clients to control which fields will be sent in the API response.
+* [drf-flex-fields][drf-flex-fields] - Serializer providing dynamic field expansion and sparse field sets via URL parameters.
+* [drf-action-serializer][drf-action-serializer] - Serializer providing per-action fields config for use with ViewSets to prevent having to write multiple serializers.
+* [djangorestframework-dataclasses][djangorestframework-dataclasses] - Serializer providing automatic field generation for Python dataclasses, like the built-in ModelSerializer does for models.
+* [django-restql][django-restql] - Turn your REST API into a GraphQL like API(It allows clients to control which fields will be sent in a response, uses GraphQL like syntax, supports read and write on both flat and nested fields).
+* [graphwrap][graphwrap] - Transform your REST API into a fully compliant GraphQL API with just two lines of code. Leverages [Graphene-Django](https://docs.graphene-python.org/projects/django/en/latest/) to dynamically build, at runtime, a GraphQL ObjectType for each view in your API.
+
+### Serializer fields
+
+* [drf-compound-fields][drf-compound-fields] - Provides "compound" serializer fields, such as lists of simple values.
+* [drf-extra-fields][drf-extra-fields] - Provides extra serializer fields.
+* [django-versatileimagefield][django-versatileimagefield] - Provides a drop-in replacement for Django's stock `ImageField` that makes it easy to serve images in multiple sizes/renditions from a single field. For DRF-specific implementation docs, [click here][django-versatileimagefield-drf-docs].
+
+### Views
+
+* [django-rest-multiple-models][django-rest-multiple-models] - Provides a generic view (and mixin) for sending multiple serialized models and/or querysets via a single API request.
+* [drf-typed-views][drf-typed-views] - Use Python type annotations to validate/deserialize request parameters. Inspired by API Star, Hug and FastAPI.
+* [rest-framework-actions][rest-framework-actions] - Provides control over each action in ViewSets. Serializers per action, method.
+
+### Routers
+
+* [drf-nested-routers][drf-nested-routers] - Provides routers and relationship fields for working with nested resources.
+* [wq.db.rest][wq.db.rest] - Provides an admin-style model registration API with reasonable default URLs and viewsets.
+
+### Parsers
+
+* [djangorestframework-msgpack][djangorestframework-msgpack] - Provides MessagePack renderer and parser support.
+* [djangorestframework-jsonapi][djangorestframework-jsonapi] - Provides a parser, renderer, serializers, and other tools to help build an API that is compliant with the jsonapi.org spec.
+* [djangorestframework-camel-case][djangorestframework-camel-case] - Provides camel case JSON renderers and parsers.
+* [nested-multipart-parser][nested-multipart-parser] - Provides nested parser for http multipart request
+
+### Renderers
+
+* [djangorestframework-csv][djangorestframework-csv] - Provides CSV renderer support.
+* [djangorestframework-jsonapi][djangorestframework-jsonapi] - Provides a parser, renderer, serializers, and other tools to help build an API that is compliant with the jsonapi.org spec.
+* [drf_ujson2][drf_ujson2] - Implements JSON rendering using the UJSON package.
+* [rest-pandas][rest-pandas] - Pandas DataFrame-powered renderers including Excel, CSV, and SVG formats.
+* [djangorestframework-rapidjson][djangorestframework-rapidjson] - Provides rapidjson support with parser and renderer.
+
+### Filtering
+
+* [djangorestframework-chain][djangorestframework-chain] - Allows arbitrary chaining of both relations and lookup filters.
+* [django-url-filter][django-url-filter] - Allows a safe way to filter data via human-friendly URLs. It is a generic library which is not tied to DRF but it provides easy integration with DRF.
+* [drf-url-filter][drf-url-filter] is a simple Django app to apply filters on drf `ModelViewSet`'s `Queryset` in a clean, simple and configurable way. It also supports validations on incoming query params and their values.
+* [django-rest-framework-guardian2][django-rest-framework-guardian2] - Provides integration with django-guardian, including the `DjangoObjectPermissionsFilter` previously found in DRF.
+
+### Misc
+
+* [drf-sendables][drf-sendables] - User messages for Django REST Framework
+* [cookiecutter-django-rest][cookiecutter-django-rest] - A cookiecutter template that takes care of the setup and configuration so you can focus on making your REST apis awesome.
+* [djangorestrelationalhyperlink][djangorestrelationalhyperlink] - A hyperlinked serializer that can can be used to alter relationships via hyperlinks, but otherwise like a hyperlink model serializer.
+* [django-rest-framework-proxy][django-rest-framework-proxy] - Proxy to redirect incoming request to another API server.
+* [gaiarestframework][gaiarestframework] - Utils for django-rest-framework
+* [drf-extensions][drf-extensions] - A collection of custom extensions
+* [ember-django-adapter][ember-django-adapter] - An adapter for working with Ember.js
+* [django-versatileimagefield][django-versatileimagefield] - Provides a drop-in replacement for Django's stock `ImageField` that makes it easy to serve images in multiple sizes/renditions from a single field. For DRF-specific implementation docs, [click here][django-versatileimagefield-drf-docs].
+* [drf-tracking][drf-tracking] - Utilities to track requests to DRF API views.
+* [drf_tweaks][drf_tweaks] - Serializers with one-step validation (and more), pagination without counts and other tweaks.
+* [django-rest-framework-braces][django-rest-framework-braces] - Collection of utilities for working with Django Rest Framework. The most notable ones are [FormSerializer](https://django-rest-framework-braces.readthedocs.io/en/latest/overview.html#formserializer) and [SerializerForm](https://django-rest-framework-braces.readthedocs.io/en/latest/overview.html#serializerform), which are adapters between DRF serializers and Django forms.
+* [drf-haystack][drf-haystack] - Haystack search for Django Rest Framework
+* [django-rest-framework-version-transforms][django-rest-framework-version-transforms] - Enables the use of delta transformations for versioning of DRF resource representations.
+* [django-rest-messaging][django-rest-messaging], [django-rest-messaging-centrifugo][django-rest-messaging-centrifugo] and [django-rest-messaging-js][django-rest-messaging-js] - A real-time pluggable messaging service using DRM.
+* [djangorest-alchemy][djangorest-alchemy] - SQLAlchemy support for REST framework.
+* [djangorestframework-datatables][djangorestframework-datatables] - Seamless integration between Django REST framework and [Datatables](https://datatables.net).
+* [django-rest-framework-condition][django-rest-framework-condition] - Decorators for managing HTTP cache headers for Django REST framework (ETag and Last-modified).
+* [django-rest-witchcraft][django-rest-witchcraft] - Provides DRF integration with SQLAlchemy with SQLAlchemy model serializers/viewsets and a bunch of other goodies
+* [djangorestframework-mvt][djangorestframework-mvt] - An extension for creating views that serve Postgres data as Map Box Vector Tiles.
+* [drf-viewset-profiler][drf-viewset-profiler] - Lib to profile all methods from a viewset line by line.
+* [djangorestframework-features][djangorestframework-features] - Advanced schema generation and more based on named features.
+* [django-elasticsearch-dsl-drf][django-elasticsearch-dsl-drf] - Integrate Elasticsearch DSL with Django REST framework. Package provides views, serializers, filter backends, pagination and other handy add-ons.
+* [django-api-client][django-api-client] - DRF client that groups the Endpoint response, for use in CBVs and FBV as if you were working with Django's Native Models..
+* [fast-drf] - A model based library for making API development faster and easier.
+* [django-requestlogs] - Providing middleware and other helpers for audit logging for REST framework.
+* [drf-standardized-errors][drf-standardized-errors] - DRF exception handler to standardize error responses for all API endpoints.
+* [drf-api-action][drf-api-action] - uses the power of DRF also as a library functions
+
+### Customization
+
+* [drf-restwind][drf-restwind] - a modern re-imagining of the Django REST Framework utilizes TailwindCSS and DaisyUI to provide flexible and customizable UI solutions with minimal coding effort.
+* [drf-redesign][drf-redesign] - A project that gives a fresh look to the browse-able API using Bootstrap 5.
+* [drf-material][drf-material] - A project that gives a sleek and elegant look to the browsable API using Material Design.
+
+[drf-sendables]: https://github.com/amikrop/drf-sendables
+[cite]: http://www.software-ecosystems.com/Software_Ecosystems/Ecosystems.html
+[cookiecutter]: https://github.com/jpadilla/cookiecutter-django-rest-framework
+[new-repo]: https://github.com/new
+[create-a-repo]: https://help.github.com/articles/create-a-repo/
+[pypi-register]: https://pypi.org/account/register/
+[semver]: https://semver.org/
+[tox-docs]: https://tox.readthedocs.io/en/latest/
+[drf-compat]: https://github.com/encode/django-rest-framework/blob/master/rest_framework/compat.py
+[rest-framework-grid]: https://www.djangopackages.com/grids/g/django-rest-framework/
+[drf-create-pr]: https://github.com/encode/django-rest-framework/compare
+[authentication]: ../api-guide/authentication.md
+[permissions]: ../api-guide/permissions.md
+[third-party-packages]: ../topics/third-party-packages/#existing-third-party-packages
+[discussion-group]: https://groups.google.com/forum/#!forum/django-rest-framework
+[djangorestframework-digestauth]: https://github.com/juanriaza/django-rest-framework-digestauth
+[django-oauth-toolkit]: https://github.com/evonove/django-oauth-toolkit
+[djangorestframework-jwt]: https://github.com/GetBlimp/django-rest-framework-jwt
+[djangorestframework-simplejwt]: https://github.com/davesque/django-rest-framework-simplejwt
+[hawkrest]: https://github.com/kumar303/hawkrest
+[djangorestframework-httpsignature]: https://github.com/etoccalino/django-rest-framework-httpsignature
+[djoser]: https://github.com/sunscrapers/djoser
+[drf-any-permissions]: https://github.com/kevin-brown/drf-any-permissions
+[djangorestframework-composed-permissions]: https://github.com/niwibe/djangorestframework-composed-permissions
+[rest-condition]: https://github.com/caxap/rest_condition
+[django-rest-framework-mongoengine]: https://github.com/umutbozkurt/django-rest-framework-mongoengine
+[djangorestframework-gis]: https://github.com/djangonauts/django-rest-framework-gis
+[djangorestframework-hstore]: https://github.com/djangonauts/django-rest-framework-hstore
+[drf-compound-fields]: https://github.com/estebistec/drf-compound-fields
+[drf-extra-fields]: https://github.com/Hipo/drf-extra-fields
+[django-rest-multiple-models]: https://github.com/MattBroach/DjangoRestMultipleModels
+[drf-nested-routers]: https://github.com/alanjds/drf-nested-routers
+[wq.db.rest]: https://wq.io/docs/about-rest
+[djangorestframework-msgpack]: https://github.com/juanriaza/django-rest-framework-msgpack
+[djangorestframework-camel-case]: https://github.com/vbabiy/djangorestframework-camel-case
+[nested-multipart-parser]: https://github.com/remigermain/nested-multipart-parser
+[djangorestframework-csv]: https://github.com/mjumbewu/django-rest-framework-csv
+[drf_ujson2]: https://github.com/Amertz08/drf_ujson2
+[rest-pandas]: https://github.com/wq/django-rest-pandas
+[djangorestframework-rapidjson]: https://github.com/allisson/django-rest-framework-rapidjson
+[djangorestframework-chain]: https://github.com/philipn/django-rest-framework-chain
+[djangorestrelationalhyperlink]: https://github.com/fredkingham/django_rest_model_hyperlink_serializers_project
+[django-rest-framework-proxy]: https://github.com/eofs/django-rest-framework-proxy
+[gaiarestframework]: https://github.com/AppsFuel/gaiarestframework
+[drf-extensions]: https://github.com/chibisov/drf-extensions
+[ember-django-adapter]: https://github.com/dustinfarris/ember-django-adapter
+[dj-rest-auth]: https://github.com/iMerica/dj-rest-auth
+[django-versatileimagefield]: https://github.com/WGBH/django-versatileimagefield
+[django-versatileimagefield-drf-docs]:https://django-versatileimagefield.readthedocs.io/en/latest/drf_integration.html
+[drf-tracking]: https://github.com/aschn/drf-tracking
+[django-rest-framework-braces]: https://github.com/dealertrack/django-rest-framework-braces
+[dry-rest-permissions]: https://github.com/FJNR-inc/dry-rest-permissions
+[django-url-filter]: https://github.com/miki725/django-url-filter
+[drf-url-filter]: https://github.com/manjitkumar/drf-url-filters
+[cookiecutter-django-rest]: https://github.com/agconti/cookiecutter-django-rest
+[drf-haystack]: https://drf-haystack.readthedocs.io/en/latest/
+[django-rest-framework-version-transforms]: https://github.com/mrhwick/django-rest-framework-version-transforms
+[djangorestframework-jsonapi]: https://github.com/django-json-api/django-rest-framework-json-api
+[html-json-forms]: https://github.com/wq/html-json-forms
+[django-rest-messaging]: https://github.com/raphaelgyory/django-rest-messaging
+[django-rest-messaging-centrifugo]: https://github.com/raphaelgyory/django-rest-messaging-centrifugo
+[django-rest-messaging-js]: https://github.com/raphaelgyory/django-rest-messaging-js
+[drf_tweaks]: https://github.com/ArabellaTech/drf_tweaks
+[drf-oidc-auth]: https://github.com/ByteInternet/drf-oidc-auth
+[drf-serializer-extensions]: https://github.com/evenicoulddoit/django-rest-framework-serializer-extensions
+[djangorestframework-queryfields]: https://github.com/wimglenn/djangorestframework-queryfields
+[drfpasswordless]: https://github.com/aaronn/django-rest-framework-passwordless
+[djangorest-alchemy]: https://github.com/dealertrack/djangorest-alchemy
+[djangorestframework-datatables]: https://github.com/izimobil/django-rest-framework-datatables
+[django-rest-framework-condition]: https://github.com/jozo/django-rest-framework-condition
+[django-rest-witchcraft]: https://github.com/shosca/django-rest-witchcraft
+[drf-access-policy]: https://github.com/rsinger86/drf-access-policy
+[drf-flex-fields]: https://github.com/rsinger86/drf-flex-fields
+[drf-typed-views]: https://github.com/rsinger86/drf-typed-views
+[drf-action-serializer]: https://github.com/gregschmit/drf-action-serializer
+[djangorestframework-dataclasses]: https://github.com/oxan/djangorestframework-dataclasses
+[django-restql]: https://github.com/yezyilomo/django-restql
+[djangorestframework-mvt]: https://github.com/corteva/djangorestframework-mvt
+[django-rest-framework-guardian2]: https://github.com/johnthagen/django-rest-framework-guardian2
+[drf-viewset-profiler]: https://github.com/fvlima/drf-viewset-profiler
+[djangorestframework-features]: https://github.com/cloudcode-hungary/django-rest-framework-features/
+[django-elasticsearch-dsl-drf]: https://github.com/barseghyanartur/django-elasticsearch-dsl-drf
+[django-api-client]: https://github.com/rhenter/django-api-client
+[drf-psq]: https://github.com/drf-psq/drf-psq
+[django-rest-authemail]: https://github.com/celiao/django-rest-authemail
+[graphwrap]: https://github.com/PaulGilmartin/graph_wrap
+[rest-framework-actions]: https://github.com/AlexisMunera98/rest-framework-actions
+[fast-drf]: https://github.com/iashraful/fast-drf
+[django-requestlogs]: https://github.com/Raekkeri/django-requestlogs
+[drf-standardized-errors]: https://github.com/ghazi-git/drf-standardized-errors
+[drf-api-action]: https://github.com/Ori-Roza/drf-api-action
+[drf-restwind]: https://github.com/youzarsiph/drf-restwind
+[drf-redesign]: https://github.com/youzarsiph/drf-redesign
+[drf-material]: https://github.com/youzarsiph/drf-material
+[django-pyoidc]: https://github.com/makinacorpus/django_pyoidc

docs/community/tutorials-and-resources.md

@@ -0,0 +1,140 @@
+# Tutorials and Resources
+
+There are a wide range of resources available for learning and using Django REST framework. We try to keep a comprehensive list available here.
+
+## Books
+
+<div class="book-covers">
+  <a class="book-cover" href="https://hellowebapp.com/order/">
+    <img src="../../img/books/hwa-cover.png"/>
+  </a>
+  <a class="book-cover" href="https://www.twoscoopspress.com/products/two-scoops-of-django-1-11">
+    <img src="../../img/books/tsd-cover.png"/>
+  </a>
+  <a class="book-cover" href="https://djangoforapis.com">
+    <img src="../../img/books/dfa-40-cover.jpg"/>
+  </a>
+  <a class="book-cover" href="https://books.agiliq.com/projects/django-api-polls-tutorial/en/latest/">
+    <img src="../../img/books/bda-cover.png"/>
+  </a>
+</div>
+
+## Courses
+
+* [Developing RESTful APIs with Django REST Framework][developing-restful-apis-with-django-rest-framework]
+
+## Tutorials
+
+* [Beginner's Guide to the Django REST Framework][beginners-guide-to-the-django-rest-framework]
+* [Django REST Framework - An Introduction][drf-an-intro]
+* [Django REST Framework Tutorial][drf-tutorial]
+* [Building a RESTful API with Django REST Framework][building-a-restful-api-with-drf]
+* [Getting Started with Django REST Framework and AngularJS][getting-started-with-django-rest-framework-and-angularjs]
+* [End to End Web App with Django REST Framework & AngularJS][end-to-end-web-app-with-django-rest-framework-angularjs]
+* [Start Your API - Django REST Framework Part 1][start-your-api-django-rest-framework-part-1]
+* [Permissions & Authentication - Django REST Framework Part 2][permissions-authentication-django-rest-framework-part-2]
+* [ViewSets and Routers - Django REST Framework Part 3][viewsets-and-routers-django-rest-framework-part-3]
+* [Django REST Framework User Endpoint][django-rest-framework-user-endpoint]
+* [Check Credentials Using Django REST Framework][check-credentials-using-django-rest-framework]
+* [Creating a Production Ready API with Python and Django REST Framework – Part 1][creating-a-production-ready-api-with-python-and-drf-part1]
+* [Creating a Production Ready API with Python and Django REST Framework – Part 2][creating-a-production-ready-api-with-python-and-drf-part2]
+* [Creating a Production Ready API with Python and Django REST Framework – Part 3][creating-a-production-ready-api-with-python-and-drf-part3]
+* [Creating a Production Ready API with Python and Django REST Framework – Part 4][creating-a-production-ready-api-with-python-and-drf-part4]
+* [Django Polls Tutorial API][django-polls-api]
+* [Django REST Framework Tutorial: Todo API][django-rest-framework-todo-api]
+* [Tutorial: Django REST with React (Django 2.0)][django-rest-react-valentinog]
+
+
+## Videos
+
+### Talks
+
+* [Level Up! Rethinking the Web API Framework][pycon-us-2017]
+* [How to Make a Full Fledged REST API with Django OAuth Toolkit][full-fledged-rest-api-with-django-oauth-toolkit]
+* [Django REST API - So Easy You Can Learn It in 25 Minutes][django-rest-api-so-easy]
+* [Tom Christie about Django Rest Framework at Django: Under The Hood][django-under-hood-2014]
+* [Django REST Framework: Schemas, Hypermedia & Client Libraries][pycon-uk-2016]
+* [Finally Understand Authentication in Django REST Framework][django-con-2018]
+
+### Tutorials
+
+
+* [Django REST Framework Part 1][django-rest-framework-part-1-video]
+* [Django REST Framework in Your PJ's!][drf-in-your-pjs]
+* [Building a REST API Using Django & Django REST Framework][building-a-rest-api-using-django-and-drf]
+* [Blog API with Django REST Framework][blog-api-with-drf]
+* [Ember and Django Part 1][ember-and-django-part 1-video]
+* [Django REST Framework Image Upload Tutorial (with AngularJS)][drf-image-upload-tutorial-with-angularjs]
+* [Django REST Framework Tutorials][drf-tutorials]
+
+
+## Articles
+
+* [Web API performance: Profiling Django REST Framework][web-api-performance-profiling-django-rest-framework]
+* [API Development with Django and Django REST Framework][api-development-with-django-and-django-rest-framework]
+* [Integrating Pandas, Django REST Framework and Bokeh][integrating-pandas-drf-and-bokeh]
+* [Controlling Uncertainty on Web Applications and APIs][controlling-uncertainty-on-web-apps-and-apis]
+* [Full Text Search in Django REST Framework with Database Backends][full-text-search-in-drf]
+* [OAuth2 Authentication with Django REST Framework and Custom Third-Party OAuth2 Backends][oauth2-authentication-with-drf]
+* [Nested Resources with Django REST Framework][nested-resources-with-drf]
+* [Image Fields with Django REST Framework][image-fields-with-drf]
+* [Chatbot Using Django REST Framework + api.ai + Slack — Part 1/3][chatbot-using-drf-part1]
+* [New Django Admin with DRF and EmberJS... What are the News?][new-django-admin-with-drf-and-emberjs]
+* [Blog posts about Django REST Framework][medium-django-rest-framework]
+* [Implementing Rest APIs With Embedded Privacy][doordash-implementing-rest-apis]
+
+### Documentations
+* [Classy Django REST Framework][cdrf.co]
+* [DRF-schema-adapter][drf-schema]
+
+Want your Django REST Framework talk/tutorial/article to be added to our website? Or know of a resource that's not yet included here? Please [submit a pull request][submit-pr] or [email us][anna-email]!
+
+
+[beginners-guide-to-the-django-rest-framework]: https://code.tutsplus.com/tutorials/beginners-guide-to-the-django-rest-framework--cms-19786
+[getting-started-with-django-rest-framework-and-angularjs]: https://blog.kevinastone.com/django-rest-framework-and-angular-js
+[end-to-end-web-app-with-django-rest-framework-angularjs]: https://mourafiq.com/2013/07/01/end-to-end-web-app-with-django-angular-1.html
+[start-your-api-django-rest-framework-part-1]: https://www.youtube.com/watch?v=hqo2kk91WpE
+[permissions-authentication-django-rest-framework-part-2]: https://www.youtube.com/watch?v=R3xvUDUZxGU
+[viewsets-and-routers-django-rest-framework-part-3]: https://www.youtube.com/watch?v=2d6w4DGQ4OU
+[django-rest-framework-user-endpoint]: https://richardtier.com/2014/02/25/django-rest-framework-user-endpoint/
+[check-credentials-using-django-rest-framework]: https://richardtier.com/2014/03/06/110/
+[ember-and-django-part 1-video]: http://www.neckbeardrepublic.com/screencasts/ember-and-django-part-1
+[django-rest-framework-part-1-video]: http://www.neckbeardrepublic.com/screencasts/django-rest-framework-part-1
+[web-api-performance-profiling-django-rest-framework]: https://www.dabapps.com/blog/api-performance-profiling-django-rest-framework/
+[api-development-with-django-and-django-rest-framework]: https://bnotions.com/news-and-insights/api-development-with-django-and-django-rest-framework/
+[cdrf.co]:http://www.cdrf.co
+[medium-django-rest-framework]: https://medium.com/django-rest-framework
+[pycon-uk-2016]: https://www.youtube.com/watch?v=FjmiGh7OqVg
+[django-under-hood-2014]: https://www.youtube.com/watch?v=3cSsbe-tA0E
+[integrating-pandas-drf-and-bokeh]: https://web.archive.org/web/20180104205117/http://machinalis.com/blog/pandas-django-rest-framework-bokeh/
+[controlling-uncertainty-on-web-apps-and-apis]: https://web.archive.org/web/20180104205043/https://machinalis.com/blog/controlling-uncertainty-on-web-applications-and-apis/
+[full-text-search-in-drf]: https://web.archive.org/web/20180104205059/http://machinalis.com/blog/full-text-search-on-django-rest-framework/
+[oauth2-authentication-with-drf]: https://web.archive.org/web/20180104205054/http://machinalis.com/blog/oauth2-authentication/
+[nested-resources-with-drf]: https://web.archive.org/web/20180104205109/http://machinalis.com/blog/nested-resources-with-django/
+[image-fields-with-drf]: https://web.archive.org/web/20180104205048/http://machinalis.com/blog/image-fields-with-django-rest-framework/
+[chatbot-using-drf-part1]: https://chatbotslife.com/chatbot-using-django-rest-framework-api-ai-slack-part-1-3-69c7e38b7b1e#.g2aceuncf
+[new-django-admin-with-drf-and-emberjs]: https://blog.levit.be/new-django-admin-with-emberjs-what-are-the-news/
+[drf-schema]: https://drf-schema-adapter.readthedocs.io/en/latest/
+[creating-a-production-ready-api-with-python-and-drf-part1]: https://www.andreagrandi.it/posts/creating-production-ready-api-python-django-rest-framework-part-1/
+[creating-a-production-ready-api-with-python-and-drf-part2]: https://www.andreagrandi.it/posts/creating-a-production-ready-api-with-python-and-django-rest-framework-part-2/
+[creating-a-production-ready-api-with-python-and-drf-part3]: https://www.andreagrandi.it/posts/creating-a-production-ready-api-with-python-and-django-rest-framework-part-3/
+[creating-a-production-ready-api-with-python-and-drf-part4]: https://www.andreagrandi.it/posts/creating-a-production-ready-api-with-python-and-django-rest-framework-part-4/
+[django-polls-api]: https://learndjango.com/tutorials/django-polls-tutorial-api
+[django-rest-framework-todo-api]: https://learndjango.com/tutorials/django-rest-framework-tutorial-todo-api
+[django-rest-api-so-easy]: https://www.youtube.com/watch?v=cqP758k1BaQ
+[full-fledged-rest-api-with-django-oauth-toolkit]: https://www.youtube.com/watch?v=M6Ud3qC2tTk
+[drf-in-your-pjs]: https://www.youtube.com/watch?v=xMtHsWa72Ww
+[building-a-rest-api-using-django-and-drf]: https://www.youtube.com/watch?v=PwssEec3IRw
+[drf-tutorials]: https://www.youtube.com/watch?v=axRCBgbOJp8&list=PLJtp8Jm8EDzjgVg9vVyIUMoGyqtegj7FH
+[drf-image-upload-tutorial-with-angularjs]: https://www.youtube.com/watch?v=hMiNTCIY7dw&list=PLUe5s-xycYk_X0vDjYBmKuIya2a2myF8O
+[blog-api-with-drf]: https://www.youtube.com/watch?v=XMu0T6L2KRQ&list=PLEsfXFp6DpzTOcOVdZF-th7BS_GYGguAS
+[drf-an-intro]: https://realpython.com/blog/python/django-rest-framework-quick-start/
+[drf-tutorial]: https://tests4geeks.com/django-rest-framework-tutorial/
+[building-a-restful-api-with-drf]: https://agiliq.com/blog/2014/12/building-a-restful-api-with-django-rest-framework/
+[submit-pr]: https://github.com/encode/django-rest-framework
+[anna-email]: mailto:anna@django-rest-framework.org
+[pycon-us-2017]: https://www.youtube.com/watch?v=Rk6MHZdust4
+[django-rest-react-valentinog]: https://www.valentinog.com/blog/tutorial-api-django-rest-react/
+[doordash-implementing-rest-apis]: https://doordash.engineering/2013/10/07/implementing-rest-apis-with-embedded-privacy/
+[developing-restful-apis-with-django-rest-framework]: https://testdriven.io/courses/django-rest-framework/
+[django-con-2018]: https://youtu.be/pY-oje5b5Qk?si=AOU6tLi0IL1_pVzq