<h3id="specifying-which-fields-may-be-ordered-against">Specifying which fields may be ordered against</h3>
<p>It's recommended that you explicitly specify which fields the API should allowing in the ordering filter. You can do this by setting an <code>ordering_fields</code> attribute on the view, like so:</p>
<p>This helps prevent unexpected data leakage, such as allowing users to order against a password hash field or other sensitive data.</p>
<p>If you <em>don't</em> specify an <code>ordering_fields</code> attribute on the view, the filter class will default to allowing the user to filter on any readable fields on the serializer specified by the <code>serializer_class</code> attribute.</p>
<p>If you are confident that the queryset being used by the view doesn't contain any sensitive data, you can also explicitly specify that a view should allow ordering on <em>any</em> model field or queryset aggregate, by using the special value <code>'__all__'</code>.</p>
<h3id="specifying-a-default-ordering">Specifying a default ordering</h3>
<p>If an <code>ordering</code> attribute is set on the view, this will be used as the default ordering.</p>
<p>Typically you'd instead control this by setting <code>order_by</code> on the initial queryset, but using the <code>ordering</code> parameter on the view allows you to specify the ordering in a way that it can then be passed automatically as context to a rendered template. This makes it possible to automatically render column headers differently if they are being used to order the results.</p>
<p><strong>Note</strong>: The generic view implementations normally generate a <code>Location</code> header in response to successful <code>POST</code> requests. Serializers using <code>url_field_name</code> option will not have this header automatically included by the view. If you need to do so you will ned to also override the view's <code>get_success_headers()</code> method.</p>
<p>You can also overide the URL field's view name and lookup field without overriding the field explicitly, by using the <code>view_name</code> and <code>lookup_field</code> options, like so:</p>
<p>You can create customized subclasses of <code>ModelSerializer</code> or <code>HyperlinkedModelSerializer</code> that use a different set of default fields.</p>
<li><strong>Security fix</strong>: <code>OrderingField</code> now only allows ordering on readable serializer fields, or on fields explicitly specified using <code>ordering_fields</code>. This prevents users being able to order by fields that are not visible in the API, and exploiting the ordering of sensitive data such as password hashes.</li>
<li>Bugfix: <code>write_only = True</code> fields now display in the browsable API.</li>
<h2id="setting-up-a-new-environment">Setting up a new environment</h2>
<p>Before we do anything else we'll create a new virtual environment, using <ahref="http://www.virtualenv.org/en/latest/index.html">virtualenv</a>. This will make sure our package configuration is kept nicely isolated from any other projects we're working on.</p>
<preclass="prettyprint lang-bsh">
mkdir ~/env
virtualenv ~/env/tutorial
source ~/env/tutorial/bin/activate
virtualenv env
source env/bin/activate
</code></pre>
<p>Now that we're inside a virtualenv environment, we can install our package requirements.</p>
