REST framework 2.2 announcement
The 2.2 release represents an important point for REST framework, with the addition of Python 3 support, and the introduction of an official deprecation policy.
Python 3 support
Thanks to some fantastic work from Xavier Ordoquy, Django REST framework 2.2 now supports Python 3. You'll need to be running Django 1.5, and it's worth keeping in mind that Django's Python 3 support is currently considered experimental.
Django 1.6's Python 3 support is expected to be officially labeled as 'production-ready'.
If you want to start ensuring that your own projects are Python 3 ready, we can highly recommend Django's Porting to Python 3 documentation.
Django REST framework's Python 2.6 support now requires 2.6.5 or above, in line with Django 1.5's Python compatibility.
Deprecation policy
We've now introduced an official deprecation policy, which is in line with Django's deprecation policy. This policy will make it easy for you to continue to track the latest, greatest version of REST framework.
The timeline for deprecation works as follows:
-
Version 2.2 introduces some API changes as detailed in the release notes. It remains fully backwards compatible with 2.1, but will raise
PendingDeprecationWarning
warnings if you use bits of API that are due to be deprecated. These warnings are silent by default, but can be explicitly enabled when you're ready to start migrating any required changes. For example if you start running your tests usingpython -Wd manage.py test
, you'll be warned of any API changes you need to make. -
Version 2.3 will escalate these warnings to
DeprecationWarning
, which is loud by default. -
Version 2.4 will remove the deprecated bits of API entirely.
Note that in line with Django's policy, any parts of the framework not mentioned in the documentation should generally be considered private API, and may be subject to change.
Community
As of the 2.2 merge, we've also hit an impressive milestone. The number of committers listed in the credits, is now at over one hundred individuals. Each name on that list represents at least one merged pull request, however large or small.
Our mailing list and #restframework IRC channel are also very active, and we've got a really impressive rate of development both on REST framework itself, and on third party packages such as the great django-rest-framework-docs package from Marc Gibbons.
API changes
The 2.2 release makes a few changes to the API, in order to make it more consistent, simple, and easier to use.
Cleaner to-many related fields
The ManyRelatedField()
style is being deprecated in favor of a new RelatedField(many=True)
syntax.
For example, if a user is associated with multiple questions, which we want to represent using a primary key relationship, we might use something like the following:
class UserSerializer(serializers.HyperlinkedModelSerializer):
questions = serializers.PrimaryKeyRelatedField(many=True)
class Meta:
fields = ('username', 'questions')
The new syntax is cleaner and more obvious, and the change will also make the documentation cleaner, simplify the internal API, and make writing custom relational fields easier.
The change also applies to serializers. If you have a nested serializer, you should start using many=True
for to-many relationships. For example, a serializer representation of an Album that can contain many Tracks might look something like this:
class TrackSerializer(serializer.ModelSerializer):
class Meta:
model = Track
fields = ('name', 'duration')
class AlbumSerializer(serializer.ModelSerializer):
tracks = TrackSerializer(many=True)
class Meta:
model = Album
fields = ('album_name', 'artist', 'tracks')
Additionally, the change also applies when serializing or deserializing data. For example to serialize a queryset of models you should now use the many=True
flag.
serializer = SnippetSerializer(Snippet.objects.all(), many=True)
serializer.data
This more explicit behavior on serializing and deserializing data makes integration with non-ORM backends such as MongoDB easier, as instances to be serialized can include the __iter__
method, without incorrectly triggering list-based serialization, or requiring workarounds.
The implicit to-many behavior on serializers, and the ManyRelatedField
style classes will continue to function, but will raise a PendingDeprecationWarning
, which can be made visible using the -Wd
flag.
Note: If you need to forcibly turn off the implicit "many=True
for __iter__
objects" behavior, you can now do so by specifying many=False
. This will become the default (instead of the current default of None
) once the deprecation of the implicit behavior is finalised in version 2.4.
Cleaner optional relationships
Serializer relationships for nullable Foreign Keys will change from using the current null=True
flag, to instead using required=False
.
For example, is a user account has an optional foreign key to a company, that you want to express using a hyperlink, you might use the following field in a Serializer
class:
current_company = serializers.HyperlinkedRelatedField(required=False)
This is in line both with the rest of the serializer fields API, and with Django's Form
and ModelForm
API.
Using required
throughout the serializers API means you won't need to consider if a particular field should take blank
or null
arguments instead of required
, and also means there will be more consistent behavior for how fields are treated when they are not present in the incoming data.
The null=True
argument will continue to function, and will imply required=False
, but will raise a PendingDeprecationWarning
.
Cleaner CharField syntax
The CharField
API previously took an optional blank=True
argument, which was intended to differentiate between null CharField input, and blank CharField input.
In keeping with Django's CharField API, REST framework's CharField
will only ever return the empty string, for missing or None
inputs. The blank
flag will no longer be in use, and you should instead just use the required=<bool>
flag. For example:
extra_details = CharField(required=False)
The blank
keyword argument will continue to function, but will raise a PendingDeprecationWarning
.
Simpler object-level permissions
Custom permissions classes previously used the signature .has_permission(self, request, view, obj=None)
. This method would be called twice, firstly for the global permissions check, with the obj
parameter set to None
, and again for the object-level permissions check when appropriate, with the obj
parameter set to the relevant model instance.
The global permissions check and object-level permissions check are now separated into two separate methods, which gives a cleaner, more obvious API.
- Global permission checks now use the
.has_permission(self, request, view)
signature. - Object-level permission checks use a new method
.has_object_permission(self, request, view, obj)
.
For example, the following custom permission class:
class IsOwner(permissions.BasePermission):
"""
Custom permission to only allow owners of an object to view or edit it.
Model instances are expected to include an `owner` attribute.
"""
def has_permission(self, request, view, obj=None):
if obj is None:
# Ignore global permissions check
return True
return obj.owner == request.user
Now becomes:
class IsOwner(permissions.BasePermission):
"""
Custom permission to only allow owners of an object to view or edit it.
Model instances are expected to include an `owner` attribute.
"""
def has_object_permission(self, request, view, obj):
return obj.owner == request.user
If you're overriding the BasePermission
class, the old-style signature will continue to function, and will correctly handle both global and object-level permissions checks, but its use will raise a PendingDeprecationWarning
.
Note also that the usage of the internal APIs for permission checking on the View
class has been cleaned up slightly, and is now documented and subject to the deprecation policy in all future versions.
More explicit hyperlink relations behavior
When using a serializer with a HyperlinkedRelatedField
or HyperlinkedIdentityField
, the hyperlinks would previously use absolute URLs if the serializer context included a 'request'
key, and fall back to using relative URLs otherwise. This could lead to non-obvious behavior, as it might not be clear why some serializers generated absolute URLs, and others do not.
From version 2.2 onwards, serializers with hyperlinked relationships always require a 'request'
key to be supplied in the context dictionary. The implicit behavior will continue to function, but its use will raise a PendingDeprecationWarning
.