Skip to content

D
django-rest-framework
Commit 74fb366c by Tom Christie
Options

Merge branch 'master' into resources-routers

parents 4c639610 034c4ce4
Showing with 1860 additions and 831 deletions
.travis.yml
...@@ -3,16 +3,34 @@ language: python ...@@ -3,16 +3,34 @@ language: python
python: python:
- "2.6" - "2.6"
- "2.7" - "2.7"
- "3.2"
- "3.3"
env: env:
- DJANGO=https://github.com/django/django/zipball/master - DJANGO="django==1.5 --use-mirrors"
- DJANGO=django==1.4.3 --use-mirrors - DJANGO="django==1.4.3 --use-mirrors"
- DJANGO=django==1.3.5 --use-mirrors - DJANGO="django==1.3.5 --use-mirrors"
install: install:
- pip install $DJANGO - pip install $DJANGO
- pip install django-filter==0.5.4 --use-mirrors - pip install defusedxml==0.3
- "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install oauth2==1.5.211 --use-mirrors; fi"
- "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install django-oauth-plus==2.0 --use-mirrors; fi"
- "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install django-oauth2-provider==0.2.3 --use-mirrors; fi"
- "if [[ ${DJANGO::11} == 'django==1.3' ]]; then pip install django-filter==0.5.4 --use-mirrors; fi"
- "if [[ ${DJANGO::11} != 'django==1.3' ]]; then pip install django-filter==0.6a1 --use-mirrors; fi"
- export PYTHONPATH=. - export PYTHONPATH=.
script: script:
- python rest_framework/runtests/runtests.py - python rest_framework/runtests/runtests.py
matrix:
exclude:
- python: "3.2"
env: DJANGO="django==1.4.3 --use-mirrors"
- python: "3.2"
env: DJANGO="django==1.3.5 --use-mirrors"
- python: "3.3"
env: DJANGO="django==1.4.3 --use-mirrors"
- python: "3.3"
env: DJANGO="django==1.3.5 --use-mirrors"
MANIFEST.in
recursive-include rest_framework/static *.js *.css *.png recursive-include rest_framework/static *.js *.css *.png
recursive-include rest_framework/templates *.txt *.html recursive-include rest_framework/templates *.html
README.md
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
**Author:** Tom Christie. [Follow me on Twitter][twitter]. **Author:** Tom Christie. [Follow me on Twitter][twitter].
**Support:** [REST framework discussion group][group]. **Support:** [REST framework group][group], or `#restframework` on freenode IRC.
[![build-status-image]][travis] [![build-status-image]][travis]
...@@ -12,8 +12,6 @@ ...@@ -12,8 +12,6 @@
**Full documentation for REST framework is available on [http://django-rest-framework.org][docs].** **Full documentation for REST framework is available on [http://django-rest-framework.org][docs].**
Note that this is the 2.0 version of REST framework. If you are looking for earlier versions please see the [0.4.x branch][0.4] on GitHub.
--- ---
# Overview # Overview
...@@ -28,14 +26,15 @@ There is also a sandbox API you can use for testing purposes, [available here][s ...@@ -28,14 +26,15 @@ There is also a sandbox API you can use for testing purposes, [available here][s
# Requirements # Requirements
* Python (2.6, 2.7) * Python (2.6.5+, 2.7, 3.2, 3.3)
* Django (1.3, 1.4, 1.5) * Django (1.3, 1.4, 1.5)
**Optional:** **Optional:**
* [Markdown] - Markdown support for the self describing API. * [Markdown][markdown] - Markdown support for the self describing API.
* [PyYAML] - YAML content type support. * [PyYAML][pyyaml] - YAML content type support.
* [django-filter] - Filtering support. * [defusedxml][defusedxml] - XML content-type support.
* [django-filter][django-filter] - Filtering support.
# Installation # Installation
...@@ -44,6 +43,7 @@ Install using `pip`, including any optional packages you want... ...@@ -44,6 +43,7 @@ Install using `pip`, including any optional packages you want...
pip install djangorestframework pip install djangorestframework
pip install markdown # Markdown support for the browseable API. pip install markdown # Markdown support for the browseable API.
pip install pyyaml # YAML content-type support. pip install pyyaml # YAML content-type support.
pip install defusedxml # XML content-type support.
pip install django-filter # Filtering support pip install django-filter # Filtering support
...or clone the project from github. ...or clone the project from github.
...@@ -79,182 +79,9 @@ To run the tests. ...@@ -79,182 +79,9 @@ To run the tests.
./rest_framework/runtests/runtests.py ./rest_framework/runtests/runtests.py
# Changelog To run the tests against all supported configurations, first install [the tox testing tool][tox] globally, using `pip install tox`, then simply run `tox`:
### 2.1.16
**Date**: 14th Jan 2013
* Deprecate django.utils.simplejson in favor of Python 2.6's built-in json module.
* Bugfix: `auto_now`, `auto_now_add` and other `editable=False` fields now default to read-only.
* Bugfix: PK fields now only default to read-only if they are an AutoField or if `editable=False`.
* Bugfix: Validation errors instead of exceptions when serializers receive incorrect types.
* Bugfix: Validation errors instead of exceptions when related fields receive incorrect types.
* Bugfix: Handle ObjectDoesNotExist exception when serializing null reverse one-to-one
### 2.1.15
**Date**: 3rd Jan 2013
* Added `PATCH` support.
* Added `RetrieveUpdateAPIView`.
* Relation changes are now persisted in `.save` instead of in `.restore_object`.
* Remove unused internal `save_m2m` flag on `ModelSerializer.save()`.
* Tweak behavior of hyperlinked fields with an explicit format suffix.
* Bugfix: Fix issue with FileField raising exception instead of validation error when files=None.
* Bugfix: Partial updates should not set default values if field is not included.
### 2.1.14
**Date**: 31st Dec 2012
* Bugfix: ModelSerializers now include reverse FK fields on creation.
* Bugfix: Model fields with `blank=True` are now `required=False` by default.
* Bugfix: Nested serializers now support nullable relationships.
**Note**: From 2.1.14 onwards, relational fields move out of the `fields.py` module and into the new `relations.py` module, in order to seperate them from regular data type fields, such as `CharField` and `IntegerField`.
This change will not affect user code, so long as it's following the recommended import style of `from rest_framework import serializers` and refering to fields using the style `serializers.PrimaryKeyRelatedField`.
### 2.1.13
**Date**: 28th Dec 2012
* Support configurable `STATICFILES_STORAGE` storage.
* Bugfix: Related fields now respect the required flag, and may be required=False.
### 2.1.12
**Date**: 21st Dec 2012
* Bugfix: Fix bug that could occur using ChoiceField.
* Bugfix: Fix exception in browseable API on DELETE.
* Bugfix: Fix issue where pk was was being set to a string if set by URL kwarg.
## 2.1.11
**Date**: 17th Dec 2012
* Bugfix: Fix issue with M2M fields in browseable API.
## 2.1.10
**Date**: 17th Dec 2012
* Bugfix: Ensure read-only fields don't have model validation applied.
* Bugfix: Fix hyperlinked fields in paginated results.
## 2.1.9
**Date**: 11th Dec 2012
* Bugfix: Fix broken nested serialization.
* Bugfix: Fix `Meta.fields` only working as tuple not as list.
* Bugfix: Edge case if unnecessarily specifying `required=False` on read only field.
## 2.1.8
**Date**: 8th Dec 2012
* Fix for creating nullable Foreign Keys with `''` as well as `None`.
* Added `null=<bool>` related field option.
## 2.1.7
**Date**: 7th Dec 2012
* Serializers now properly support nullable Foreign Keys.
* Serializer validation now includes model field validation, such as uniqueness constraints.
* Support 'true' and 'false' string values for BooleanField.
* Added pickle support for serialized data.
* Support `source='dotted.notation'` style for nested serializers.
* Make `Request.user` settable.
* Bugfix: Fix `RegexField` to work with `BrowsableAPIRenderer`
## 2.1.6 tox
**Date**: 23rd Nov 2012
* Bugfix: Unfix DjangoModelPermissions. (I am a doofus.)
## 2.1.5
**Date**: 23rd Nov 2012
* Bugfix: Fix DjangoModelPermissions.
## 2.1.4
**Date**: 22nd Nov 2012
* Support for partial updates with serializers.
* Added `RegexField`.
* Added `SerializerMethodField`.
* Serializer performance improvements.
* Added `obtain_token_view` to get tokens when using `TokenAuthentication`.
* Bugfix: Django 1.5 configurable user support for `TokenAuthentication`.
## 2.1.3
**Date**: 16th Nov 2012
* Added `FileField` and `ImageField`. For use with `MultiPartParser`.
* Added `URLField` and `SlugField`.
* Support for `read_only_fields` on `ModelSerializer` classes.
* Support for clients overriding the pagination page sizes. Use the `PAGINATE_BY_PARAM` setting or set the `paginate_by_param` attribute on a generic view.
* 201 Responses now return a 'Location' header.
* Bugfix: Serializer fields now respect `max_length`.
## 2.1.2
**Date**: 9th Nov 2012
* **Filtering support.**
* Bugfix: Support creation of objects with reverse M2M relations.
## 2.1.1
**Date**: 7th Nov 2012
* Support use of HTML exception templates. Eg. `403.html`
* Hyperlinked fields take optional `slug_field`, `slug_url_kwarg` and `pk_url_kwarg` arguments.
* Bugfix: Deal with optional trailing slashs properly when generating breadcrumbs.
* Bugfix: Make textareas same width as other fields in browsable API.
* Private API change: `.get_serializer` now uses same `instance` and `data` ordering as serializer initialization.
## 2.1.0
**Date**: 5th Nov 2012
**Warning**: Please read [this thread][2.1.0-notes] regarding the `instance` and `data` keyword args before updating to 2.1.0.
* **Serializer `instance` and `data` keyword args have their position swapped.**
* `queryset` argument is now optional on writable model fields.
* Hyperlinked related fields optionally take `slug_field` and `slug_field_kwarg` arguments.
* Support Django's cache framework.
* Minor field improvements. (Don't stringify dicts, more robust many-pk fields.)
* Bugfixes (Support choice field in Browseable API)
## 2.0.2
**Date**: 2nd Nov 2012
* Fix issues with pk related fields in the browsable API.
## 2.0.1
**Date**: 1st Nov 2012
* Add support for relational fields in the browsable API.
* Added SlugRelatedField and ManySlugRelatedField.
* If PUT creates an instance return '201 Created', instead of '200 OK'.
## 2.0.0
**Date**: 30th Oct 2012
* Redesign of core components.
* Fix **all of the things**.
# License # License
...@@ -290,9 +117,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ...@@ -290,9 +117,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
[rest-framework-2-announcement]: http://django-rest-framework.org/topics/rest-framework-2-announcement.html [rest-framework-2-announcement]: http://django-rest-framework.org/topics/rest-framework-2-announcement.html
[2.1.0-notes]: https://groups.google.com/d/topic/django-rest-framework/Vv2M0CMY9bg/discussion [2.1.0-notes]: https://groups.google.com/d/topic/django-rest-framework/Vv2M0CMY9bg/discussion
[tox]: http://testrun.org/tox/latest/
[docs]: http://django-rest-framework.org/ [docs]: http://django-rest-framework.org/
[urlobject]: https://github.com/zacharyvoase/urlobject [urlobject]: https://github.com/zacharyvoase/urlobject
[markdown]: http://pypi.python.org/pypi/Markdown/ [markdown]: http://pypi.python.org/pypi/Markdown/
[pyyaml]: http://pypi.python.org/pypi/PyYAML [pyyaml]: http://pypi.python.org/pypi/PyYAML
[defusedxml]: https://pypi.python.org/pypi/defusedxml
[django-filter]: http://pypi.python.org/pypi/django-filter [django-filter]: http://pypi.python.org/pypi/django-filter
docs/api-guide/exceptions.md
...@@ -53,11 +53,27 @@ Raised if the request contains malformed data when accessing `request.DATA` or ` ...@@ -53,11 +53,27 @@ Raised if the request contains malformed data when accessing `request.DATA` or `
By default this exception results in a response with the HTTP status code "400 Bad Request". By default this exception results in a response with the HTTP status code "400 Bad Request".
## AuthenticationFailed
**Signature:** `AuthenticationFailed(detail=None)`
Raised when an incoming request includes incorrect authentication.
By default this exception results in a response with the HTTP status code "401 Unauthenticated", but it may also result in a "403 Forbidden" response, depending on the authentication scheme in use. See the [authentication documentation][authentication] for more details.
## NotAuthenticated
**Signature:** `NotAuthenticated(detail=None)`
Raised when an unauthenticated request fails the permission checks.
By default this exception results in a response with the HTTP status code "401 Unauthenticated", but it may also result in a "403 Forbidden" response, depending on the authentication scheme in use. See the [authentication documentation][authentication] for more details.
## PermissionDenied ## PermissionDenied
**Signature:** `PermissionDenied(detail=None)` **Signature:** `PermissionDenied(detail=None)`
Raised when an incoming request fails the permission checks. Raised when an authenticated request fails the permission checks.
By default this exception results in a response with the HTTP status code "403 Forbidden". By default this exception results in a response with the HTTP status code "403 Forbidden".
...@@ -86,3 +102,4 @@ Raised when an incoming request fails the throttling checks. ...@@ -86,3 +102,4 @@ Raised when an incoming request fails the throttling checks.
By default this exception results in a response with the HTTP status code "429 Too Many Requests". By default this exception results in a response with the HTTP status code "429 Too Many Requests".
[cite]: http://www.doughellmann.com/articles/how-tos/python-exception-handling/index.html [cite]: http://www.doughellmann.com/articles/how-tos/python-exception-handling/index.html
[authentication]: authentication.md
docs/api-guide/fields.md
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
# Serializer fields # Serializer fields
> Each field in a Form class is responsible not only for validating data, but also for "cleaning" it -- normalizing it to a consistent format. > Each field in a Form class is responsible not only for validating data, but also for "cleaning" it &mdash; normalizing it to a consistent format.
> >
> &mdash; [Django documentation][cite] > &mdash; [Django documentation][cite]
...@@ -102,7 +102,7 @@ You can customize this behavior by overriding the `.to_native(self, value)` met ...@@ -102,7 +102,7 @@ You can customize this behavior by overriding the `.to_native(self, value)` met
## WritableField ## WritableField
A field that supports both read and write operations. By itself `WriteableField` does not perform any translation of input values into a given type. You won't typically use this field directly, but you may want to override it and implement the `.to_native(self, value)` and `.from_native(self, value)` methods. A field that supports both read and write operations. By itself `WritableField` does not perform any translation of input values into a given type. You won't typically use this field directly, but you may want to override it and implement the `.to_native(self, value)` and `.from_native(self, value)` methods.
## ModelField ## ModelField
...@@ -181,17 +181,56 @@ Corresponds to `django.forms.fields.RegexField` ...@@ -181,17 +181,56 @@ Corresponds to `django.forms.fields.RegexField`
**Signature:** `RegexField(regex, max_length=None, min_length=None)` **Signature:** `RegexField(regex, max_length=None, min_length=None)`
## DateTimeField
A date and time representation.
Corresponds to `django.db.models.fields.DateTimeField`
When using `ModelSerializer` or `HyperlinkedModelSerializer`, note that any model fields with `auto_now=True` or `auto_now_add=True` will use serializer fields that are `read_only=True` by default.
If you want to override this behavior, you'll need to declare the `DateTimeField` explicitly on the serializer. For example:
class CommentSerializer(serializers.ModelSerializer):
created = serializers.DateTimeField()
class Meta:
model = Comment
**Signature:** `DateTimeField(format=None, input_formats=None)`
* `format` - A string representing the output format. If not specified, the `DATETIME_FORMAT` setting will be used, which defaults to `'iso-8601'`.
* `input_formats` - A list of strings representing the input formats which may be used to parse the date. If not specified, the `DATETIME_INPUT_FORMATS` setting will be used, which defaults to `['iso-8601']`.
DateTime format strings may either be [python strftime formats][strftime] which explicitly specifiy the format, or the special string `'iso-8601'`, which indicates that [ISO 8601][iso8601] style datetimes should be used. (eg `'2013-01-29T12:34:56.000000'`)
## DateField ## DateField
A date representation. A date representation.
Corresponds to `django.db.models.fields.DateField` Corresponds to `django.db.models.fields.DateField`
## DateTimeField **Signature:** `DateField(format=None, input_formats=None)`
A date and time representation. * `format` - A string representing the output format. If not specified, the `DATE_FORMAT` setting will be used, which defaults to `'iso-8601'`.
* `input_formats` - A list of strings representing the input formats which may be used to parse the date. If not specified, the `DATE_INPUT_FORMATS` setting will be used, which defaults to `['iso-8601']`.
Corresponds to `django.db.models.fields.DateTimeField` Date format strings may either be [python strftime formats][strftime] which explicitly specifiy the format, or the special string `'iso-8601'`, which indicates that [ISO 8601][iso8601] style dates should be used. (eg `'2013-01-29'`)
## TimeField
A time representation.
Optionally takes `format` as parameter to replace the matching pattern.
Corresponds to `django.db.models.fields.TimeField`
**Signature:** `TimeField(format=None, input_formats=None)`
* `format` - A string representing the output format. If not specified, the `TIME_FORMAT` setting will be used, which defaults to `'iso-8601'`.
* `input_formats` - A list of strings representing the input formats which may be used to parse the date. If not specified, the `TIME_INPUT_FORMATS` setting will be used, which defaults to `['iso-8601']`.
Time format strings may either be [python strftime formats][strftime] which explicitly specifiy the format, or the special string `'iso-8601'`, which indicates that [ISO 8601][iso8601] style times should be used. (eg `'12:34:56.000000'`)
## IntegerField ## IntegerField
...@@ -230,7 +269,11 @@ Signature and validation is the same as with `FileField`. ...@@ -230,7 +269,11 @@ Signature and validation is the same as with `FileField`.
--- ---
**Note:** `FileFields` and `ImageFields` are only suitable for use with MultiPartParser, since e.g. json doesn't support file uploads. **Note:** `FileFields` and `ImageFields` are only suitable for use with MultiPartParser, since e.g. json doesn't support file uploads.
Django's regular [FILE_UPLOAD_HANDLERS] are used for handling uploaded files. Django's regular [FILE_UPLOAD_HANDLERS] are used for handling uploaded files.
---
[cite]: https://docs.djangoproject.com/en/dev/ref/forms/api/#django.forms.Form.cleaned_data [cite]: https://docs.djangoproject.com/en/dev/ref/forms/api/#django.forms.Form.cleaned_data
[FILE_UPLOAD_HANDLERS]: https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-FILE_UPLOAD_HANDLERS [FILE_UPLOAD_HANDLERS]: https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-FILE_UPLOAD_HANDLERS
[strftime]: http://docs.python.org/2/library/datetime.html#strftime-and-strptime-behavior
[iso8601]: http://www.w3.org/TR/NOTE-datetime
docs/api-guide/filtering.md
...@@ -140,6 +140,14 @@ For more details on using filter sets see the [django-filter documentation][djan ...@@ -140,6 +140,14 @@ For more details on using filter sets see the [django-filter documentation][djan
--- ---
### Filtering and object lookups
Note that if a filter backend is configured for a view, then as well as being used to filter list views, it will also be used to filter the querysets used for returning a single object.
For instance, given the previous example, and a product with an id of `4675`, the following URL would either return the corresponding object, or return a 404 response, depending on if the filtering conditions were met by the given product instance:
http://example.com/api/products/4675/?category=clothing&max_price=10.00
## Overriding the initial queryset ## Overriding the initial queryset
Note that you can use both an overridden `.get_queryset()` and generic filtering together, and everything will work as expected. For example, if `Product` had a many-to-many relationship with `User`, named `purchase`, you might want to write a view like this: Note that you can use both an overridden `.get_queryset()` and generic filtering together, and everything will work as expected. For example, if `Product` had a many-to-many relationship with `User`, named `purchase`, you might want to write a view like this:
......
docs/api-guide/format-suffixes.md
...@@ -29,18 +29,27 @@ Example: ...@@ -29,18 +29,27 @@ Example:
urlpatterns = patterns('blog.views', urlpatterns = patterns('blog.views',
url(r'^/$', 'api_root'), url(r'^/$', 'api_root'),
url(r'^comment/$', 'comment_root'), url(r'^comments/$', 'comment_list'),
url(r'^comment/(?P<pk>[0-9]+)/$', 'comment_instance') url(r'^comments/(?P<pk>[0-9]+)/$', 'comment_detail')
) )
urlpatterns = format_suffix_patterns(urlpatterns, allowed=['json', 'html']) urlpatterns = format_suffix_patterns(urlpatterns, allowed=['json', 'html'])
When using `format_suffix_patterns`, you must make sure to add the `'format'` keyword argument to the corresponding views. For example. When using `format_suffix_patterns`, you must make sure to add the `'format'` keyword argument to the corresponding views. For example:
@api_view(('GET',)) @api_view(('GET', 'POST'))
def api_root(request, format=None): def comment_list(request, format=None):
# do stuff... # do stuff...
Or with class based views:
class CommentList(APIView):
def get(self, request, format=None):
# do stuff...
def post(self, request, format=None):
# do stuff...
The name of the kwarg used may be modified by using the `FORMAT_SUFFIX_KWARG` setting. The name of the kwarg used may be modified by using the `FORMAT_SUFFIX_KWARG` setting.
Also note that `format_suffix_patterns` does not support descending into `include` URL patterns. Also note that `format_suffix_patterns` does not support descending into `include` URL patterns.
...@@ -58,4 +67,4 @@ It is actually a misconception. For example, take the following quote from Roy ...@@ -58,4 +67,4 @@ It is actually a misconception. For example, take the following quote from Roy
The quote does not mention Accept headers, but it does make it clear that format suffixes should be considered an acceptable pattern. The quote does not mention Accept headers, but it does make it clear that format suffixes should be considered an acceptable pattern.
[cite]: http://tech.groups.yahoo.com/group/rest-discuss/message/5857 [cite]: http://tech.groups.yahoo.com/group/rest-discuss/message/5857
[cite2]: http://tech.groups.yahoo.com/group/rest-discuss/message/14844 [cite2]: http://tech.groups.yahoo.com/group/rest-discuss/message/14844
\ No newline at end of file
docs/api-guide/generic-views.md
...@@ -131,6 +131,15 @@ Each of the generic views provided is built by combining one of the base views b ...@@ -131,6 +131,15 @@ Each of the generic views provided is built by combining one of the base views b
Extends REST framework's `APIView` class, adding support for serialization of model instances and model querysets. Extends REST framework's `APIView` class, adding support for serialization of model instances and model querysets.
**Methods**:
* `get_serializer_context(self)` - Returns a dictionary containing any extra context that should be supplied to the serializer. Defaults to including `'request'`, `'view'` and `'format'` keys.
* `get_serializer_class(self)` - Returns the class that should be used for the serializer.
* `get_serializer(self, instance=None, data=None, files=None, many=False, partial=False)` - Returns a serializer instance.
* `pre_save(self, obj)` - A hook that is called before saving an object.
* `post_save(self, obj, created=False)` - A hook that is called after saving an object.
**Attributes**: **Attributes**:
* `model` - The model that should be used for this view. Used as a fallback for determining the serializer if `serializer_class` is not set, and as a fallback for determining the queryset if `queryset` is not set. Otherwise not required. * `model` - The model that should be used for this view. Used as a fallback for determining the serializer if `serializer_class` is not set, and as a fallback for determining the queryset if `queryset` is not set. Otherwise not required.
......
docs/api-guide/pagination.md
...@@ -37,7 +37,7 @@ We could now return that data in a `Response` object, and it would be rendered i ...@@ -37,7 +37,7 @@ We could now return that data in a `Response` object, and it would be rendered i
## Paginating QuerySets ## Paginating QuerySets
Our first example worked because we were using primative objects. If we wanted to paginate a queryset or other complex data, we'd need to specify a serializer to use to serialize the result set itself with. Our first example worked because we were using primitive objects. If we wanted to paginate a queryset or other complex data, we'd need to specify a serializer to use to serialize the result set itself.
We can do this using the `object_serializer_class` attribute on the inner `Meta` class of the pagination serializer. For example. We can do this using the `object_serializer_class` attribute on the inner `Meta` class of the pagination serializer. For example.
...@@ -114,8 +114,8 @@ You can also override the name used for the object list field, by setting the `r ...@@ -114,8 +114,8 @@ You can also override the name used for the object list field, by setting the `r
For example, to nest a pair of links labelled 'prev' and 'next', and set the name for the results field to 'objects', you might use something like this. For example, to nest a pair of links labelled 'prev' and 'next', and set the name for the results field to 'objects', you might use something like this.
class LinksSerializer(serializers.Serializer): class LinksSerializer(serializers.Serializer):
next = pagination.NextURLField(source='*') next = pagination.NextPageField(source='*')
prev = pagination.PreviousURLField(source='*') prev = pagination.PreviousPageField(source='*')
class CustomPaginationSerializer(pagination.BasePaginationSerializer): class CustomPaginationSerializer(pagination.BasePaginationSerializer):
links = LinksSerializer(source='*') # Takes the page object as the source links = LinksSerializer(source='*') # Takes the page object as the source
......
docs/api-guide/parsers.md
...@@ -14,6 +14,16 @@ REST framework includes a number of built in Parser classes, that allow you to a ...@@ -14,6 +14,16 @@ REST framework includes a number of built in Parser classes, that allow you to a
The set of valid parsers for a view is always defined as a list of classes. When either `request.DATA` or `request.FILES` is accessed, REST framework will examine the `Content-Type` header on the incoming request, and determine which parser to use to parse the request content. The set of valid parsers for a view is always defined as a list of classes. When either `request.DATA` or `request.FILES` is accessed, REST framework will examine the `Content-Type` header on the incoming request, and determine which parser to use to parse the request content.
---
**Note**: When developing client applications always remember to make sure you're setting the `Content-Type` header when sending data in an HTTP request.
If you don't set the content type, most clients will default to using `'application/x-www-form-urlencoded'`, which may not be what you wanted.
As an example, if you are sending `json` encoded data using jQuery with the [.ajax() method][jquery-ajax], you should make sure to include the `contentType: 'application/json'` setting.
---
## Setting the parsers ## Setting the parsers
The default set of parsers may be set globally, using the `DEFAULT_PARSER_CLASSES` setting. For example, the following settings would allow requests with `YAML` content. The default set of parsers may be set globally, using the `DEFAULT_PARSER_CLASSES` setting. For example, the following settings would allow requests with `YAML` content.
...@@ -59,6 +69,8 @@ Parses `JSON` request content. ...@@ -59,6 +69,8 @@ Parses `JSON` request content.
Parses `YAML` request content. Parses `YAML` request content.
Requires the `pyyaml` package to be installed.
**.media_type**: `application/yaml` **.media_type**: `application/yaml`
## XMLParser ## XMLParser
...@@ -69,6 +81,8 @@ Note that the `XML` markup language is typically used as the base language for m ...@@ -69,6 +81,8 @@ Note that the `XML` markup language is typically used as the base language for m
If you are considering using `XML` for your API, you may want to consider implementing a custom renderer and parser for your specific requirements, and using an existing domain-specific media-type, or creating your own custom XML-based media-type. If you are considering using `XML` for your API, you may want to consider implementing a custom renderer and parser for your specific requirements, and using an existing domain-specific media-type, or creating your own custom XML-based media-type.
Requires the `defusedxml` package to be installed.
**.media_type**: `application/xml` **.media_type**: `application/xml`
## FormParser ## FormParser
...@@ -169,6 +183,7 @@ The following third party packages are also available. ...@@ -169,6 +183,7 @@ The following third party packages are also available.
[MessagePack][messagepack] is a fast, efficient binary serialization format. [Juan Riaza][juanriaza] maintains the [djangorestframework-msgpack][djangorestframework-msgpack] package which provides MessagePack renderer and parser support for REST framework. [MessagePack][messagepack] is a fast, efficient binary serialization format. [Juan Riaza][juanriaza] maintains the [djangorestframework-msgpack][djangorestframework-msgpack] package which provides MessagePack renderer and parser support for REST framework.
[jquery-ajax]: http://api.jquery.com/jQuery.ajax/
[cite]: https://groups.google.com/d/topic/django-developers/dxI4qVzrBY4/discussion [cite]: https://groups.google.com/d/topic/django-developers/dxI4qVzrBY4/discussion
[messagepack]: https://github.com/juanriaza/django-rest-framework-msgpack [messagepack]: https://github.com/juanriaza/django-rest-framework-msgpack
[juanriaza]: https://github.com/juanriaza [juanriaza]: https://github.com/juanriaza
......
docs/api-guide/permissions.md
...@@ -90,29 +90,105 @@ This permission is suitable if you want to your API to allow read permissions to ...@@ -90,29 +90,105 @@ This permission is suitable if you want to your API to allow read permissions to
## DjangoModelPermissions ## DjangoModelPermissions
This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. When applied to a view that has a `.model` property, authorization will only be granted if the user has the relevant model permissions assigned. This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned.
* `POST` requests require the user to have the `add` permission on the model. * `POST` requests require the user to have the `add` permission on the model.
* `PUT` and `PATCH` requests require the user to have the `change` permission on the model. * `PUT` and `PATCH` requests require the user to have the `change` permission on the model.
* `DELETE` requests require the user to have the `delete` permission on the model. * `DELETE` requests require the user to have the `delete` permission on the model.
If you want to use `DjangoModelPermissions` but also allow unauthenticated users to have read permission, override the class and set the `authenticated_users_only` property to `False`. For example:
class HasModelPermissionsOrReadOnly(DjangoModelPermissions):
authenticated_users_only = False
The default behaviour can also be overridden to support custom model permissions. For example, you might want to include a `view` model permission for `GET` requests. The default behaviour can also be overridden to support custom model permissions. For example, you might want to include a `view` model permission for `GET` requests.
To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property. Refer to the source code for details. To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property. Refer to the source code for details.
The `DjangoModelPermissions` class also supports object-level permissions. Third-party authorization backends such as [django-guardian][guardian] that provide object-level permissions should work just fine with `DjangoModelPermissions` without any custom configuration required. ## TokenHasReadWriteScope
This permission class is intended for use with either of the `OAuthAuthentication` and `OAuth2Authentication` classes, and ties into the scoping that their backends provide.
Requests with a safe methods of `GET`, `OPTIONS` or `HEAD` will be allowed if the authenticated token has read permission.
Requests for `POST`, `PUT`, `PATCH` and `DELETE` will be allowed if the authenticated token has write permission.
This permission class relies on the implementations of the [django-oauth-plus][django-oauth-plus] and [django-oauth2-provider][django-oauth2-provider] libraries, which both provide limited support for controlling the scope of access tokens:
* `django-oauth-plus`: Tokens are associated with a `Resource` class which has a `name`, `url` and `is_readonly` properties.
* `django-oauth2-provider`: Tokens are associated with a bitwise `scope` attribute, that defaults to providing bitwise values for `read` and/or `write`.
If you require more advanced scoping for your API, such as restricting tokens to accessing a subset of functionality of your API then you will need to provide a custom permission class. See the source of the `django-oauth-plus` or `django-oauth2-provider` package for more details on scoping token access.
--- ---
# Custom permissions # Custom permissions
To implement a custom permission, override `BasePermission` and implement the `.has_permission(self, request, view, obj=None)` method. To implement a custom permission, override `BasePermission` and implement either, or both, of the following methods:
* `.has_permission(self, request, view)`
* `.has_object_permission(self, request, view, obj)`
The methods should return `True` if the request should be granted access, and `False` otherwise.
If you need to test if a request is a read operation or a write operation, you should check the request method against the constant `SAFE_METHODS`, which is a tuple containing `'GET'`, `'OPTIONS'` and `'HEAD'`. For example:
if request.method in permissions.SAFE_METHODS:
# Check permissions for read-only request
else:
# Check permissions for write request
---
**Note**: In versions 2.0 and 2.1, the signature for the permission checks always included an optional `obj` parameter, like so: `.has_permission(self, request, view, obj=None)`. The method would be called twice, first for the global permission checks, with no object supplied, and second for the object-level check when required.
As of version 2.2 this signature has now been replaced with two seperate method calls, which is more explict and obvious. The old style signature continues to work, but it's use will result in a `PendingDeprecationWarning`, which is silent by default. In 2.3 this will be escalated to a `DeprecationWarning`, and in 2.4 the old-style signature will be removed.
For more details see the [2.2 release announcement][2.2-announcement].
---
## Examples
The following is an example of a permission class that checks the incoming request's IP address against a blacklist, and denies the request if the IP has been blacklisted.
class BlacklistPermission(permissions.BasePermission):
"""
Global permission check for blacklisted IPs.
"""
def has_permission(self, request, view):
ip_addr = request.META['REMOTE_ADDR']
blacklisted = Blacklist.objects.filter(ip_addr=ip_addr).exists()
return not blacklisted
As well as global permissions, that are run against all incoming requests, you can also create object-level permissions, that are only run against operations that affect a particular object instance. For example:
class IsOwnerOrReadOnly(permissions.BasePermission):
"""
Object-level permission to only allow owners of an object to edit it.
Assumes the model instance has an `owner` attribute.
"""
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return True
# Instance must have an attribute named `owner`.
return obj.owner == request.user
The method should return `True` if the request should be granted access, and `False` otherwise. Note that the generic views will check the appropriate object level permissions, but if you're writing your own custom views, you'll need to make sure you check the object level permission checks yourself. You can do so by calling `self.check_object_permissions(request, obj)` from the view once you have the object instance. This call will raise an appropriate `APIException` if any object-level permission checks fail, and will otherwise simply return.
Also note that the generic views will only check the object-level permissions for views that retrieve a single model instance. If you require object-level filtering of list views, you'll need to filter the queryset separately. See the [filtering documentation][filtering] for more details.
[cite]: https://developer.apple.com/library/mac/#documentation/security/Conceptual/AuthenticationAndAuthorizationGuide/Authorization/Authorization.html [cite]: https://developer.apple.com/library/mac/#documentation/security/Conceptual/AuthenticationAndAuthorizationGuide/Authorization/Authorization.html
[authentication]: authentication.md [authentication]: authentication.md
[throttling]: throttling.md [throttling]: throttling.md
[contribauth]: https://docs.djangoproject.com/en/1.0/topics/auth/#permissions [contribauth]: https://docs.djangoproject.com/en/1.0/topics/auth/#permissions
[guardian]: https://github.com/lukaszb/django-guardian [guardian]: https://github.com/lukaszb/django-guardian
[django-oauth-plus]: http://code.larlet.fr/django-oauth-plus
[django-oauth2-provider]: https://github.com/caffeinehit/django-oauth2-provider
[2.2-announcement]: ../topics/2.2-announcement.md
[filtering]: filtering.md
docs/api-guide/renderers.md
...@@ -80,7 +80,7 @@ Renders the request data into `JSONP`. The `JSONP` media type provides a mechan ...@@ -80,7 +80,7 @@ Renders the request data into `JSONP`. The `JSONP` media type provides a mechan
The javascript callback function must be set by the client including a `callback` URL query parameter. For example `http://example.com/api/users?callback=jsonpCallback`. If the callback function is not explicitly set by the client it will default to `'callback'`. The javascript callback function must be set by the client including a `callback` URL query parameter. For example `http://example.com/api/users?callback=jsonpCallback`. If the callback function is not explicitly set by the client it will default to `'callback'`.
**Note**: If you require cross-domain AJAX requests, you may also want to consider using [CORS] as an alternative to `JSONP`. **Note**: If you require cross-domain AJAX requests, you may want to consider using the more modern approach of [CORS][cors] as an alternative to `JSONP`. See the [CORS documentation][cors-docs] for more details.
**.media_type**: `application/javascript` **.media_type**: `application/javascript`
...@@ -90,6 +90,8 @@ The javascript callback function must be set by the client including a `callback ...@@ -90,6 +90,8 @@ The javascript callback function must be set by the client including a `callback
Renders the request data into `YAML`. Renders the request data into `YAML`.
Requires the `pyyaml` package to be installed.
**.media_type**: `application/yaml` **.media_type**: `application/yaml`
**.format**: `'.yaml'` **.format**: `'.yaml'`
...@@ -115,13 +117,13 @@ The TemplateHTMLRenderer will create a `RequestContext`, using the `response.dat ...@@ -115,13 +117,13 @@ The TemplateHTMLRenderer will create a `RequestContext`, using the `response.dat
The template name is determined by (in order of preference): The template name is determined by (in order of preference):
1. An explicit `.template_name` attribute set on the response. 1. An explicit `template_name` argument passed to the response.
2. An explicit `.template_name` attribute set on this class. 2. An explicit `.template_name` attribute set on this class.
3. The return result of calling `view.get_template_names()`. 3. The return result of calling `view.get_template_names()`.
An example of a view that uses `TemplateHTMLRenderer`: An example of a view that uses `TemplateHTMLRenderer`:
class UserInstance(generics.RetrieveUserAPIView): class UserDetail(generics.RetrieveUserAPIView):
""" """
A view that returns a templated HTML representations of a given user. A view that returns a templated HTML representations of a given user.
""" """
...@@ -288,7 +290,8 @@ Comma-separated values are a plain-text tabular data format, that can be easily ...@@ -288,7 +290,8 @@ Comma-separated values are a plain-text tabular data format, that can be easily
[cite]: https://docs.djangoproject.com/en/dev/ref/template-response/#the-rendering-process [cite]: https://docs.djangoproject.com/en/dev/ref/template-response/#the-rendering-process
[conneg]: content-negotiation.md [conneg]: content-negotiation.md
[browser-accept-headers]: http://www.gethifi.com/blog/browser-rest-http-accept-headers [browser-accept-headers]: http://www.gethifi.com/blog/browser-rest-http-accept-headers
[CORS]: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing [cors]: http://www.w3.org/TR/cors/
[cors-docs]: ../topics/ajax-csrf-cors.md
[HATEOAS]: http://timelessrepo.com/haters-gonna-hateoas [HATEOAS]: http://timelessrepo.com/haters-gonna-hateoas
[quote]: http://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypertext-driven [quote]: http://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypertext-driven
[application/vnd.github+json]: http://developer.github.com/v3/media/ [application/vnd.github+json]: http://developer.github.com/v3/media/
...@@ -298,4 +301,4 @@ Comma-separated values are a plain-text tabular data format, that can be easily ...@@ -298,4 +301,4 @@ Comma-separated values are a plain-text tabular data format, that can be easily
[juanriaza]: https://github.com/juanriaza [juanriaza]: https://github.com/juanriaza
[mjumbewu]: https://github.com/mjumbewu [mjumbewu]: https://github.com/mjumbewu
[djangorestframework-msgpack]: https://github.com/juanriaza/django-rest-framework-msgpack [djangorestframework-msgpack]: https://github.com/juanriaza/django-rest-framework-msgpack
[djangorestframework-csv]: https://github.com/mjumbewu/django-rest-framework-csv [djangorestframework-csv]: https://github.com/mjumbewu/django-rest-framework-csv
\ No newline at end of file
docs/api-guide/requests.md
...@@ -83,13 +83,13 @@ You won't typically need to access this property. ...@@ -83,13 +83,13 @@ You won't typically need to access this property.
# Browser enhancements # Browser enhancements
REST framework supports a few browser enhancements such as browser-based `PUT` and `DELETE` forms. REST framework supports a few browser enhancements such as browser-based `PUT`, `PATCH` and `DELETE` forms.
## .method ## .method
`request.method` returns the **uppercased** string representation of the request's HTTP method. `request.method` returns the **uppercased** string representation of the request's HTTP method.
Browser-based `PUT` and `DELETE` forms are transparently supported. Browser-based `PUT`, `PATCH` and `DELETE` forms are transparently supported.
For more information see the [browser enhancements documentation]. For more information see the [browser enhancements documentation].
......
docs/api-guide/serializers.md
...@@ -25,6 +25,7 @@ Let's start by creating a simple object we can use for example purposes: ...@@ -25,6 +25,7 @@ Let's start by creating a simple object we can use for example purposes:
comment = Comment(email='leila@example.com', content='foo bar') comment = Comment(email='leila@example.com', content='foo bar')
We'll declare a serializer that we can use to serialize and deserialize `Comment` objects. We'll declare a serializer that we can use to serialize and deserialize `Comment` objects.
Declaring a serializer looks very similar to declaring a form: Declaring a serializer looks very similar to declaring a form:
class CommentSerializer(serializers.Serializer): class CommentSerializer(serializers.Serializer):
...@@ -33,10 +34,17 @@ Declaring a serializer looks very similar to declaring a form: ...@@ -33,10 +34,17 @@ Declaring a serializer looks very similar to declaring a form:
created = serializers.DateTimeField() created = serializers.DateTimeField()
def restore_object(self, attrs, instance=None): def restore_object(self, attrs, instance=None):
"""
Given a dictionary of deserialized field values, either update
an existing model instance, or create a new model instance.
Note that if we don't define this method, then deserializing
data will simply return a dictionary of items.
"""
if instance is not None: if instance is not None:
instance.title = attrs['title'] instance.title = attrs.get('title', instance.title)
instance.content = attrs['content'] instance.content = attrs.get('content', instance.content)
instance.created = attrs['created'] instance.created = attrs.get('created', instance.created)
return instance return instance
return Comment(**attrs) return Comment(**attrs)
...@@ -80,9 +88,21 @@ By default, serializers must be passed values for all required fields or they wi ...@@ -80,9 +88,21 @@ By default, serializers must be passed values for all required fields or they wi
serializer = CommentSerializer(comment, data={'content': u'foo bar'}, partial=True) # Update `instance` with partial data serializer = CommentSerializer(comment, data={'content': u'foo bar'}, partial=True) # Update `instance` with partial data
## Serializing querysets
To serialize a queryset instead of an object instance, you should pass the `many=True` flag when instantiating the serializer.
queryset = Comment.objects.all()
serializer = CommentSerializer(queryset, many=True)
serializer.data
# [{'email': u'leila@example.com', 'content': u'foo bar', 'created': datetime.datetime(2012, 8, 22, 16, 20, 9, 822774)}, {'email': u'jamie@example.com', 'content': u'baz', 'created': datetime.datetime(2013, 1, 12, 16, 12, 45, 104445)}]
## Validation ## Validation
When deserializing data, you always need to call `is_valid()` before attempting to access the deserialized object. If any validation errors occur, the `.errors` and `.non_field_errors` properties will contain the resulting error messages. When deserializing data, you always need to call `is_valid()` before attempting to access the deserialized object. If any validation errors occur, the `.errors` property will contain a dictionary representing the resulting error messages.
Each key in the dictionary will be the field name, and the values will be lists of strings of any error messages corresponding to that field. The `non_field_errors` key may also be present, and will list any general validation errors.
When deserializing a list of items, errors will be returned as a list of dictionaries representing each of the deserialized items.
### Field-level validation ### Field-level validation
...@@ -114,7 +134,7 @@ To do any other validation that requires access to multiple fields, add a method ...@@ -114,7 +134,7 @@ To do any other validation that requires access to multiple fields, add a method
from rest_framework import serializers from rest_framework import serializers
class EventSerializer(serializers.Serializer): class EventSerializer(serializers.Serializer):
description = serializers.CahrField(max_length=100) description = serializers.CharField(max_length=100)
start = serializers.DateTimeField() start = serializers.DateTimeField()
finish = serializers.DateTimeField() finish = serializers.DateTimeField()
...@@ -155,6 +175,17 @@ The `Serializer` class is itself a type of `Field`, and can be used to represent ...@@ -155,6 +175,17 @@ The `Serializer` class is itself a type of `Field`, and can be used to represent
--- ---
## Including extra context
There are some cases where you need to provide extra context to the serializer in addition to the object being serialized. One common case is if you're using a serializer that includes hyperlinked relations, which requires the serializer to have access to the current request so that it can properly generate fully qualified URLs.
You can provide arbitrary additional context by passing a `context` argument when instantiating the serializer. For example:
serializer = AccountSerializer(account, context={'request': request})
serializer.data
# {'id': 6, 'owner': u'denvercoder9', 'created': datetime.datetime(2013, 2, 12, 09, 44, 56, 678870), 'details': 'http://example.com/accounts/6/details'}
The context dictionary can be used within any serializer field logic, such as a custom `.to_native()` method, by accessing the `self.context` attribute.
## Creating custom fields ## Creating custom fields
...@@ -190,18 +221,12 @@ By default field values are treated as mapping to an attribute on the object. I ...@@ -190,18 +221,12 @@ By default field values are treated as mapping to an attribute on the object. I
As an example, let's create a field that can be used represent the class name of the object being serialized: As an example, let's create a field that can be used represent the class name of the object being serialized:
class ClassNameField(serializers.WritableField): class ClassNameField(serializers.Field):
def field_to_native(self, obj, field_name): def field_to_native(self, obj, field_name):
""" """
Serialize the object's class name, not an attribute of the object. Serialize the object's class name.
"""
return obj.__class__.__name__
def field_from_native(self, data, field_name, into):
"""
We don't want to set anything when we revert this field.
""" """
pass return obj.__class__
--- ---
...@@ -214,15 +239,17 @@ The `ModelSerializer` class lets you automatically create a Serializer class wit ...@@ -214,15 +239,17 @@ The `ModelSerializer` class lets you automatically create a Serializer class wit
class Meta: class Meta:
model = Account model = Account
**[TODO: Explain model field to serializer field mapping in more detail]** By default, all the model fields on the class will be mapped to corresponding serializer fields.
Any foreign keys on the model will be mapped to `PrimaryKeyRelatedField` if you're using a `ModelSerializer`, or `HyperlinkedRelatedField` if you're using a `HyperlinkedModelSerializer`.
## Specifying fields explicitly ## Specifying fields explicitly
You can add extra fields to a `ModelSerializer` or override the default fields by declaring fields on the class, just as you would for a `Serializer` class. You can add extra fields to a `ModelSerializer` or override the default fields by declaring fields on the class, just as you would for a `Serializer` class.
class AccountSerializer(serializers.ModelSerializer): class AccountSerializer(serializers.ModelSerializer):
url = CharField(source='get_absolute_url', read_only=True) url = serializers.CharField(source='get_absolute_url', read_only=True)
group = NaturalKeyField() groups = serializers.PrimaryKeyRelatedField(many=True)
class Meta: class Meta:
model = Account model = Account
...@@ -231,17 +258,11 @@ Extra fields can correspond to any property or callable on the model. ...@@ -231,17 +258,11 @@ Extra fields can correspond to any property or callable on the model.
## Relational fields ## Relational fields
When serializing model instances, there are a number of different ways you might choose to represent relationships. The default representation is to use the primary keys of the related instances. When serializing model instances, there are a number of different ways you might choose to represent relationships. The default representation for `ModelSerializer` is to use the primary keys of the related instances.
Alternative representations include serializing using natural keys, serializing complete nested representations, or serializing using a custom representation, such as a URL that uniquely identifies the model instances.
The `PrimaryKeyRelatedField` and `HyperlinkedRelatedField` fields provide alternative flat representations.
The `ModelSerializer` class can itself be used as a field, in order to serialize relationships using nested representations.
The `RelatedField` class may be subclassed to create a custom representation of a relationship. The subclass should override `.to_native()`, and optionally `.from_native()` if deserialization is supported. Alternative representations include serializing using hyperlinks, serializing complete nested representations, or serializing with a custom representation.
All the relational fields may be used for any relationship or reverse relationship on a model. For full details see the [serializer relations][relations] documentation.
## Specifying which fields should be included ## Specifying which fields should be included
...@@ -316,3 +337,4 @@ The following custom model serializer could be used as a base class for model se ...@@ -316,3 +337,4 @@ The following custom model serializer could be used as a base class for model se
[cite]: https://groups.google.com/d/topic/django-users/sVFaOfQi4wY/discussion [cite]: https://groups.google.com/d/topic/django-users/sVFaOfQi4wY/discussion
[relations]: relations.md
docs/api-guide/settings.md
...@@ -34,7 +34,11 @@ The `api_settings` object will check for any user-defined settings, and otherwis ...@@ -34,7 +34,11 @@ The `api_settings` object will check for any user-defined settings, and otherwis
# API Reference # API Reference
## DEFAULT_RENDERER_CLASSES ## API policy settings
*The following settings control the basic API policies, and are applied to every `APIView` class based view, or `@api_view` function based view.*
#### DEFAULT_RENDERER_CLASSES
A list or tuple of renderer classes, that determines the default set of renderers that may be used when returning a `Response` object. A list or tuple of renderer classes, that determines the default set of renderers that may be used when returning a `Response` object.
...@@ -43,10 +47,9 @@ Default: ...@@ -43,10 +47,9 @@ Default:
( (
'rest_framework.renderers.JSONRenderer', 'rest_framework.renderers.JSONRenderer',
'rest_framework.renderers.BrowsableAPIRenderer', 'rest_framework.renderers.BrowsableAPIRenderer',
'rest_framework.renderers.TemplateHTMLRenderer'
) )
## DEFAULT_PARSER_CLASSES #### DEFAULT_PARSER_CLASSES
A list or tuple of parser classes, that determines the default set of parsers used when accessing the `request.DATA` property. A list or tuple of parser classes, that determines the default set of parsers used when accessing the `request.DATA` property.
...@@ -54,10 +57,11 @@ Default: ...@@ -54,10 +57,11 @@ Default:
( (
'rest_framework.parsers.JSONParser', 'rest_framework.parsers.JSONParser',
'rest_framework.parsers.FormParser' 'rest_framework.parsers.FormParser',
'rest_framework.parsers.MultiPartParser'
) )
## DEFAULT_AUTHENTICATION_CLASSES #### DEFAULT_AUTHENTICATION_CLASSES
A list or tuple of authentication classes, that determines the default set of authenticators used when accessing the `request.user` or `request.auth` properties. A list or tuple of authentication classes, that determines the default set of authenticators used when accessing the `request.user` or `request.auth` properties.
...@@ -68,7 +72,7 @@ Default: ...@@ -68,7 +72,7 @@ Default:
'rest_framework.authentication.BasicAuthentication' 'rest_framework.authentication.BasicAuthentication'
) )
## DEFAULT_PERMISSION_CLASSES #### DEFAULT_PERMISSION_CLASSES
A list or tuple of permission classes, that determines the default set of permissions checked at the start of a view. A list or tuple of permission classes, that determines the default set of permissions checked at the start of a view.
...@@ -78,53 +82,77 @@ Default: ...@@ -78,53 +82,77 @@ Default:
'rest_framework.permissions.AllowAny', 'rest_framework.permissions.AllowAny',
) )
## DEFAULT_THROTTLE_CLASSES #### DEFAULT_THROTTLE_CLASSES
A list or tuple of throttle classes, that determines the default set of throttles checked at the start of a view. A list or tuple of throttle classes, that determines the default set of throttles checked at the start of a view.
Default: `()` Default: `()`
## DEFAULT_MODEL_SERIALIZER_CLASS #### DEFAULT_CONTENT_NEGOTIATION_CLASS
A content negotiation class, that determines how a renderer is selected for the response, given an incoming request.
Default: `'rest_framework.negotiation.DefaultContentNegotiation'`
---
**TODO** ## Generic view settings
Default: `rest_framework.serializers.ModelSerializer` *The following settings control the behavior of the generic class based views.*
## DEFAULT_PAGINATION_SERIALIZER_CLASS #### DEFAULT_MODEL_SERIALIZER_CLASS
**TODO** A class that determines the default type of model serializer that should be used by a generic view if `model` is specified, but `serializer_class` is not provided.
Default: `'rest_framework.serializers.ModelSerializer'`
#### DEFAULT_PAGINATION_SERIALIZER_CLASS
A class the determines the default serialization style for paginated responses.
Default: `rest_framework.pagination.PaginationSerializer` Default: `rest_framework.pagination.PaginationSerializer`
## FILTER_BACKEND #### FILTER_BACKEND
The filter backend class that should be used for generic filtering. If set to `None` then generic filtering is disabled. The filter backend class that should be used for generic filtering. If set to `None` then generic filtering is disabled.
## PAGINATE_BY #### PAGINATE_BY
The default page size to use for pagination. If set to `None`, pagination is disabled by default. The default page size to use for pagination. If set to `None`, pagination is disabled by default.
Default: `None` Default: `None`
## PAGINATE_BY_PARAM #### PAGINATE_BY_PARAM
The name of a query parameter, which can be used by the client to overide the default page size to use for pagination. If set to `None`, clients may not override the default page size. The name of a query parameter, which can be used by the client to overide the default page size to use for pagination. If set to `None`, clients may not override the default page size.
Default: `None` Default: `None`
## UNAUTHENTICATED_USER ---
## Authentication settings
*The following settings control the behavior of unauthenticated requests.*
#### UNAUTHENTICATED_USER
The class that should be used to initialize `request.user` for unauthenticated requests. The class that should be used to initialize `request.user` for unauthenticated requests.
Default: `django.contrib.auth.models.AnonymousUser` Default: `django.contrib.auth.models.AnonymousUser`
## UNAUTHENTICATED_TOKEN #### UNAUTHENTICATED_TOKEN
The class that should be used to initialize `request.auth` for unauthenticated requests. The class that should be used to initialize `request.auth` for unauthenticated requests.
Default: `None` Default: `None`
## FORM_METHOD_OVERRIDE ---
## Browser overrides
*The following settings provide URL or form-based overrides of the default browser behavior.*
#### FORM_METHOD_OVERRIDE
The name of a form field that may be used to override the HTTP method of the form. The name of a form field that may be used to override the HTTP method of the form.
...@@ -132,7 +160,7 @@ If the value of this setting is `None` then form method overloading will be disa ...@@ -132,7 +160,7 @@ If the value of this setting is `None` then form method overloading will be disa
Default: `'_method'` Default: `'_method'`
## FORM_CONTENT_OVERRIDE #### FORM_CONTENT_OVERRIDE
The name of a form field that may be used to override the content of the form payload. Must be used together with `FORM_CONTENTTYPE_OVERRIDE`. The name of a form field that may be used to override the content of the form payload. Must be used together with `FORM_CONTENTTYPE_OVERRIDE`.
...@@ -140,7 +168,7 @@ If either setting is `None` then form content overloading will be disabled. ...@@ -140,7 +168,7 @@ If either setting is `None` then form content overloading will be disabled.
Default: `'_content'` Default: `'_content'`
## FORM_CONTENTTYPE_OVERRIDE #### FORM_CONTENTTYPE_OVERRIDE
The name of a form field that may be used to override the content type of the form payload. Must be used together with `FORM_CONTENT_OVERRIDE`. The name of a form field that may be used to override the content type of the form payload. Must be used together with `FORM_CONTENT_OVERRIDE`.
...@@ -148,7 +176,7 @@ If either setting is `None` then form content overloading will be disabled. ...@@ -148,7 +176,7 @@ If either setting is `None` then form content overloading will be disabled.
Default: `'_content_type'` Default: `'_content_type'`
## URL_ACCEPT_OVERRIDE #### URL_ACCEPT_OVERRIDE
The name of a URL parameter that may be used to override the HTTP `Accept` header. The name of a URL parameter that may be used to override the HTTP `Accept` header.
...@@ -156,13 +184,61 @@ If the value of this setting is `None` then URL accept overloading will be disab ...@@ -156,13 +184,61 @@ If the value of this setting is `None` then URL accept overloading will be disab
Default: `'accept'` Default: `'accept'`
## URL_FORMAT_OVERRIDE #### URL_FORMAT_OVERRIDE
The name of a URL parameter that may be used to override the default `Accept` header based content negotiation.
Default: `'format'` Default: `'format'`
## FORMAT_SUFFIX_KWARG ---
## Date/Time formatting
*The following settings are used to control how date and time representations may be parsed and rendered.*
#### DATETIME_FORMAT
A format string that should be used by default for rendering the output of `DateTimeField` serializer fields.
Default: `'iso-8601'`
#### DATETIME_INPUT_FORMATS
A list of format strings that should be used by default for parsing inputs to `DateTimeField` serializer fields.
Default: `['iso-8601']`
#### DATE_FORMAT
A format string that should be used by default for rendering the output of `DateField` serializer fields.
Default: `'iso-8601'`
#### DATE_INPUT_FORMATS
A list of format strings that should be used by default for parsing inputs to `DateField` serializer fields.
Default: `['iso-8601']`
#### TIME_FORMAT
A format string that should be used by default for rendering the output of `TimeField` serializer fields.
Default: `'iso-8601'`
#### TIME_INPUT_FORMATS
A list of format strings that should be used by default for parsing inputs to `TimeField` serializer fields.
Default: `['iso-8601']`
---
## Miscellaneous settings
#### FORMAT_SUFFIX_KWARG
**TODO** The name of a parameter in the URL conf that may be used to provide a format suffix.
Default: `'format'` Default: `'format'`
......
docs/api-guide/throttling.md
...@@ -6,8 +6,6 @@ ...@@ -6,8 +6,6 @@
> >
> [Twitter API rate limiting response][cite] > [Twitter API rate limiting response][cite]
[cite]: https://dev.twitter.com/docs/error-codes-responses
Throttling is similar to [permissions], in that it determines if a request should be authorized. Throttles indicate a temporary state, and are used to control the rate of requests that clients can make to an API. Throttling is similar to [permissions], in that it determines if a request should be authorized. Throttles indicate a temporary state, and are used to control the rate of requests that clients can make to an API.
As with permissions, multiple throttles may be used. Your API might have a restrictive throttle for unauthenticated requests, and a less restrictive throttle for authenticated requests. As with permissions, multiple throttles may be used. Your API might have a restrictive throttle for unauthenticated requests, and a less restrictive throttle for authenticated requests.
...@@ -63,6 +61,10 @@ Or, if you're using the `@api_view` decorator with function based views. ...@@ -63,6 +61,10 @@ Or, if you're using the `@api_view` decorator with function based views.
} }
return Response(content) return Response(content)
## Setting up the cache
The throttle classes provided by REST framework use Django's cache backend. You should make sure that you've set appropriate [cache settings][cache-setting]. The default value of `LocMemCache` backend should be okay for simple setups. See Django's [cache documentation][cache-docs] for more details.
--- ---
# API Reference # API Reference
...@@ -150,8 +152,19 @@ User requests to either `ContactListView` or `ContactDetailView` would be restri ...@@ -150,8 +152,19 @@ User requests to either `ContactListView` or `ContactDetailView` would be restri
# Custom throttles # Custom throttles
To create a custom throttle, override `BaseThrottle` and implement `.allow_request(request, view)`. The method should return `True` if the request should be allowed, and `False` otherwise. To create a custom throttle, override `BaseThrottle` and implement `.allow_request(self, request, view)`. The method should return `True` if the request should be allowed, and `False` otherwise.
Optionally you may also override the `.wait()` method. If implemented, `.wait()` should return a recommended number of seconds to wait before attempting the next request, or `None`. The `.wait()` method will only be called if `.allow_request()` has previously returned `False`. Optionally you may also override the `.wait()` method. If implemented, `.wait()` should return a recommended number of seconds to wait before attempting the next request, or `None`. The `.wait()` method will only be called if `.allow_request()` has previously returned `False`.
## Example
The following is an example of a rate throttle, that will randomly throttle 1 in every 10 requests.
class RandomRateThrottle(throttles.BaseThrottle):
def allow_request(self, request, view):
return random.randint(1, 10) == 1
[cite]: https://dev.twitter.com/docs/error-codes-responses
[permissions]: permissions.md [permissions]: permissions.md
[cache-setting]: https://docs.djangoproject.com/en/dev/ref/settings/#caches
[cache-docs]: https://docs.djangoproject.com/en/dev/topics/cache/#setting-up-the-cache
\ No newline at end of file
docs/api-guide/views.md
...@@ -76,16 +76,16 @@ The following methods are used by REST framework to instantiate the various plug ...@@ -76,16 +76,16 @@ The following methods are used by REST framework to instantiate the various plug
The following methods are called before dispatching to the handler method. The following methods are called before dispatching to the handler method.
### .check_permissions(...) ### .check_permissions(self, request)
### .check_throttles(...) ### .check_throttles(self, request)
### .perform_content_negotiation(...) ### .perform_content_negotiation(self, request, force=False)
## Dispatch methods ## Dispatch methods
The following methods are called directly by the view's `.dispatch()` method. The following methods are called directly by the view's `.dispatch()` method.
These perform any actions that need to occur before or after calling the handler methods such as `.get()`, `.post()`, `put()` and `.delete()`. These perform any actions that need to occur before or after calling the handler methods such as `.get()`, `.post()`, `put()`, `patch()` and `.delete()`.
### .initial(self, request, \*args, **kwargs) ### .initial(self, request, \*args, **kwargs)
......
docs/css/default.css
...@@ -25,18 +25,29 @@ pre { ...@@ -25,18 +25,29 @@ pre {
margin-top: 9px; margin-top: 9px;
} }
body.index-page #main-content p.badges {
padding-bottom: 1px;
}
/* GitHub 'Star' badge */ /* GitHub 'Star' badge */
body.index-page #main-content iframe { body.index-page #main-content iframe.github-star-button {
float: right; float: right;
margin-top: -12px; margin-top: -12px;
margin-right: -15px; margin-right: -15px;
} }
/* Tweet button */
body.index-page #main-content iframe.twitter-share-button {
float: right;
margin-top: -12px;
margin-right: 8px;
}
/* Travis CI badge */ /* Travis CI badge */
body.index-page #main-content p:first-of-type { body.index-page #main-content img.travis-build-image {
float: right; float: right;
margin-right: 8px; margin-right: 8px;
margin-top: -14px; margin-top: -11px;
margin-bottom: 0px; margin-bottom: 0px;
} }
......
docs/index.md
<iframe src="http://ghbtns.com/github-btn.html?user=tomchristie&amp;repo=django-rest-framework&amp;type=watch&amp;count=true" allowtransparency="true" frameborder="0" scrolling="0" width="110px" height="20px"></iframe> <p class="badges">
[![Travis build image][travis-build-image]][travis] <iframe src="http://ghbtns.com/github-btn.html?user=tomchristie&amp;repo=django-rest-framework&amp;type=watch&amp;count=true" class="github-star-button" allowtransparency="true" frameborder="0" scrolling="0" width="110px" height="20px"></iframe>
# Django REST framework <a href="https://twitter.com/share" class="twitter-share-button" data-url="django-rest-framework.org" data-text="Checking out the totally awesome Django REST framework! http://django-rest-framework.org" data-count="none">Tweet</a>
<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="http://platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
**A toolkit for building well-connected, self-describing Web APIs.**
--- <img alt="Travis build image" src="https://secure.travis-ci.org/tomchristie/django-rest-framework.png?branch=master" class="travis-build-image">
</p>
**Note**: This documentation is for the 2.0 version of REST framework. If you are looking for earlier versions please see the [0.4.x branch][0.4] on GitHub. # Django REST framework
--- **Web APIs for Django, made easy.**
Django REST framework is a lightweight library that makes it easy to build Web APIs. It is designed as a modular and easy to customize architecture, based on Django's class based views. Django REST framework is a flexible, powerful library that makes it incredibly easy to build Web APIs. It is designed as a modular and easy to customize architecture, based on Django's class based views.
Web APIs built using REST framework are fully self-describing and web browseable - a huge useability win for your developers. It also supports a wide range of media types, authentication and permission policies out of the box. APIs built using REST framework are fully self-describing and web browseable - a huge useability win for your developers. It also supports a wide range of media types, authentication and permission policies out of the box.
If you are considering using REST framework for your API, we recommend reading the [REST framework 2 announcement][rest-framework-2-announcement] which gives a good overview of the framework and it's capabilities. If you are considering using REST framework for your API, we recommend reading the [REST framework 2 announcement][rest-framework-2-announcement] which gives a good overview of the framework and it's capabilities.
...@@ -27,14 +27,19 @@ There is also a sandbox API you can use for testing purposes, [available here][s ...@@ -27,14 +27,19 @@ There is also a sandbox API you can use for testing purposes, [available here][s
REST framework requires the following: REST framework requires the following:
* Python (2.6, 2.7) * Python (2.6.5+, 2.7, 3.2, 3.3)
* Django (1.3, 1.4, 1.5) * Django (1.3, 1.4, 1.5)
The following packages are optional: The following packages are optional:
* [Markdown][markdown] (2.1.0+) - Markdown support for the browseable API. * [Markdown][markdown] (2.1.0+) - Markdown support for the browseable API.
* [PyYAML][yaml] (3.10+) - YAML content-type support. * [PyYAML][yaml] (3.10+) - YAML content-type support.
* [defusedxml][defusedxml] (0.3+) - XML content-type support.
* [django-filter][django-filter] (0.5.4+) - Filtering support. * [django-filter][django-filter] (0.5.4+) - Filtering support.
* [django-oauth-plus][django-oauth-plus] (2.0+) and [oauth2][oauth2] (1.5.211+) - OAuth 1.0a support.
* [django-oauth2-provider][django-oauth2-provider] (0.2.3+) - OAuth 2.0 support.
**Note**: The `oauth2` python package is badly misnamed, and actually provides OAuth 1.0a support. Also note that packages required for both OAuth 1.0a, and OAuth 2.0 are not yet Python 3 compatible.
## Installation ## Installation
...@@ -70,7 +75,7 @@ Note that the URL path can be whatever you want, but you must include `'rest_fra ...@@ -70,7 +75,7 @@ Note that the URL path can be whatever you want, but you must include `'rest_fra
## Quickstart ## Quickstart
Can't wait to get started? The [quickstart guide][quickstart] is the fastest way to get up and running with REST framework. Can't wait to get started? The [quickstart guide][quickstart] is the fastest way to get up and running, and building APIs with REST framework.
## Tutorial ## Tutorial
...@@ -111,10 +116,12 @@ The API guide is your complete reference manual to all the functionality provide ...@@ -111,10 +116,12 @@ The API guide is your complete reference manual to all the functionality provide
General guides to using REST framework. General guides to using REST framework.
* [AJAX, CSRF & CORS][ajax-csrf-cors]
* [Browser enhancements][browser-enhancements] * [Browser enhancements][browser-enhancements]
* [The Browsable API][browsableapi] * [The Browsable API][browsableapi]
* [REST, Hypermedia & HATEOAS][rest-hypermedia-hateoas] * [REST, Hypermedia & HATEOAS][rest-hypermedia-hateoas]
* [2.0 Announcement][rest-framework-2-announcement] * [2.0 Announcement][rest-framework-2-announcement]
* [2.2 Announcement][2.2-announcement]
* [Release Notes][release-notes] * [Release Notes][release-notes]
* [Credits][credits] * [Credits][credits]
...@@ -130,12 +137,21 @@ Run the tests: ...@@ -130,12 +137,21 @@ Run the tests:
./rest_framework/runtests/runtests.py ./rest_framework/runtests/runtests.py
To run the tests against all supported configurations, first install [the tox testing tool][tox] globally, using `pip install tox`, then simply run `tox`:
tox
## Support ## Support
For support please see the [REST framework discussion group][group], or try the `#restframework` channel on `irc.freenode.net`. For support please see the [REST framework discussion group][group], try the `#restframework` channel on `irc.freenode.net`, or raise a question on [Stack Overflow][stack-overflow], making sure to include the ['django-rest-framework'][django-rest-framework-tag] tag.
Paid support is also available from [DabApps], and can include work on REST framework core, or support with building your REST framework API. Please contact [Tom Christie][email] if you'd like to discuss commercial support options. [Paid support is available][paid-support] from [DabApps][dabapps], and can include work on REST framework core, or support with building your REST framework API. Please [contact DabApps][contact-dabapps] if you'd like to discuss commercial support options.
For updates on REST framework development, you may also want to follow [the author][twitter] on Twitter.
<a style="padding-top: 10px" href="https://twitter.com/_tomchristie" class="twitter-follow-button" data-show-count="false">Follow @_tomchristie</a>
<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
## License ## License
Copyright (c) 2011-2013, Tom Christie Copyright (c) 2011-2013, Tom Christie
...@@ -166,7 +182,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ...@@ -166,7 +182,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
[urlobject]: https://github.com/zacharyvoase/urlobject [urlobject]: https://github.com/zacharyvoase/urlobject
[markdown]: http://pypi.python.org/pypi/Markdown/ [markdown]: http://pypi.python.org/pypi/Markdown/
[yaml]: http://pypi.python.org/pypi/PyYAML [yaml]: http://pypi.python.org/pypi/PyYAML
[defusedxml]: https://pypi.python.org/pypi/defusedxml
[django-filter]: http://pypi.python.org/pypi/django-filter [django-filter]: http://pypi.python.org/pypi/django-filter
[oauth2]: https://github.com/simplegeo/python-oauth2
[django-oauth-plus]: https://bitbucket.org/david/django-oauth-plus/wiki/Home
[django-oauth2-provider]: https://github.com/caffeinehit/django-oauth2-provider
[0.4]: https://github.com/tomchristie/django-rest-framework/tree/0.4.X [0.4]: https://github.com/tomchristie/django-rest-framework/tree/0.4.X
[image]: img/quickstart.png [image]: img/quickstart.png
[sandbox]: http://restframework.herokuapp.com/ [sandbox]: http://restframework.herokuapp.com/
...@@ -199,15 +219,23 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ...@@ -199,15 +219,23 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
[status]: api-guide/status-codes.md [status]: api-guide/status-codes.md
[settings]: api-guide/settings.md [settings]: api-guide/settings.md
[csrf]: topics/csrf.md [ajax-csrf-cors]: topics/ajax-csrf-cors.md
[browser-enhancements]: topics/browser-enhancements.md [browser-enhancements]: topics/browser-enhancements.md
[browsableapi]: topics/browsable-api.md [browsableapi]: topics/browsable-api.md
[rest-hypermedia-hateoas]: topics/rest-hypermedia-hateoas.md [rest-hypermedia-hateoas]: topics/rest-hypermedia-hateoas.md
[contributing]: topics/contributing.md [contributing]: topics/contributing.md
[rest-framework-2-announcement]: topics/rest-framework-2-announcement.md [rest-framework-2-announcement]: topics/rest-framework-2-announcement.md
[2.2-announcement]: topics/2.2-announcement.md
[release-notes]: topics/release-notes.md [release-notes]: topics/release-notes.md
[credits]: topics/credits.md [credits]: topics/credits.md
[tox]: http://testrun.org/tox/latest/
[group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework [group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework
[DabApps]: http://dabapps.com [stack-overflow]: http://stackoverflow.com/
[email]: mailto:tom@tomchristie.com [django-rest-framework-tag]: http://stackoverflow.com/questions/tagged/django-rest-framework
[django-tag]: http://stackoverflow.com/questions/tagged/django
[paid-support]: http://dabapps.com/services/build/api-development/
[dabapps]: http://dabapps.com
[contact-dabapps]: http://dabapps.com/contact/
[twitter]: https://twitter.com/_tomchristie
docs/template.html
...@@ -2,11 +2,11 @@ ...@@ -2,11 +2,11 @@
<html lang="en"> <html lang="en">
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta charset="utf-8"> <meta charset="utf-8">
<title>Django REST framework</title> <title>{{ title }}</title>
<link href="{{ base_url }}/img/favicon.ico" rel="icon" type="image/x-icon"> <link href="{{ base_url }}/img/favicon.ico" rel="icon" type="image/x-icon">
<meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content=""> <meta name="description" content="{{ description }}">
<meta name="author" content=""> <meta name="author" content="Tom Christie">
<!-- Le styles --> <!-- Le styles -->
<link href="{{ base_url }}/css/prettify.css" rel="stylesheet"> <link href="{{ base_url }}/css/prettify.css" rel="stylesheet">
...@@ -89,10 +89,12 @@ ...@@ -89,10 +89,12 @@
<li class="dropdown"> <li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Topics <b class="caret"></b></a> <a href="#" class="dropdown-toggle" data-toggle="dropdown">Topics <b class="caret"></b></a>
<ul class="dropdown-menu"> <ul class="dropdown-menu">
<li><a href="{{ base_url }}/topics/ajax-csrf-cors{{ suffix }}">AJAX, CSRF & CORS</a></li>
<li><a href="{{ base_url }}/topics/browser-enhancements{{ suffix }}">Browser enhancements</a></li> <li><a href="{{ base_url }}/topics/browser-enhancements{{ suffix }}">Browser enhancements</a></li>
<li><a href="{{ base_url }}/topics/browsable-api{{ suffix }}">The Browsable API</a></li> <li><a href="{{ base_url }}/topics/browsable-api{{ suffix }}">The Browsable API</a></li>
<li><a href="{{ base_url }}/topics/rest-hypermedia-hateoas{{ suffix }}">REST, Hypermedia & HATEOAS</a></li> <li><a href="{{ base_url }}/topics/rest-hypermedia-hateoas{{ suffix }}">REST, Hypermedia & HATEOAS</a></li>
<li><a href="{{ base_url }}/topics/rest-framework-2-announcement{{ suffix }}">2.0 Announcement</a></li> <li><a href="{{ base_url }}/topics/rest-framework-2-announcement{{ suffix }}">2.0 Announcement</a></li>
<li><a href="{{ base_url }}/topics/2.2-announcement{{ suffix }}">2.2 Announcement</a></li>
<li><a href="{{ base_url }}/topics/release-notes{{ suffix }}">Release Notes</a></li> <li><a href="{{ base_url }}/topics/release-notes{{ suffix }}">Release Notes</a></li>
<li><a href="{{ base_url }}/topics/credits{{ suffix }}">Credits</a></li> <li><a href="{{ base_url }}/topics/credits{{ suffix }}">Credits</a></li>
</ul> </ul>
......
docs/topics/ajax-csrf-cors.md 0 → 100644
# Working with AJAX, CSRF & CORS
> "Take a close look at possible CSRF / XSRF vulnerabilities on your own websites. They're the worst kind of vulnerability &mdash; very easy to exploit by attackers, yet not so intuitively easy to understand for software developers, at least until you've been bitten by one."
>
> &mdash; [Jeff Atwood][cite]
## Javascript clients
If your building a javascript client to interface with your Web API, you'll need to consider if the client can use the same authentication policy that is used by the rest of the website, and also determine if you need to use CSRF tokens or CORS headers.
AJAX requests that are made within the same context as the API they are interacting with will typically use `SessionAuthentication`. This ensures that once a user has logged in, any AJAX requests made can be authenticated using the same session-based authentication that is used for the rest of the website.
AJAX requests that are made on a different site from the API they are communicating with will typically need to use a non-session-based authentication scheme, such as `TokenAuthentication`.
## CSRF protection
[Cross Site Request Forgery][csrf] protection is a mechanism of guarding against a particular type of attack, which can occur when a user has not logged out of a web site, and continues to have a valid session. In this circumstance a malicious site may be able to perform actions against the target site, within the context of the logged-in session.
To guard against these type of attacks, you need to do two things:
1. Ensure that the 'safe' HTTP operations, such as `GET`, `HEAD` and `OPTIONS` cannot be used to alter any server-side state.
2. Ensure that any 'unsafe' HTTP operations, such as `POST`, `PUT`, `PATCH` and `DELETE`, always require a valid CSRF token.
If you're using `SessionAuthentication` you'll need to include valid CSRF tokens for any `POST`, `PUT`, `PATCH` or `DELETE` operations.
The Django documentation describes how to [include CSRF tokens in AJAX requests][csrf-ajax].
## CORS
[Cross-Origin Resource Sharing][cors] is a mechanism for allowing clients to interact with APIs that are hosted on a different domain. CORS works by requiring the server to include a specific set of headers that allow a browser to determine if and when cross-domain requests should be allowed.
The best way to deal with CORS in REST framework is to add the required response headers in middleware. This ensures that CORS is supported transparently, without having to change any behavior in your views.
[Otto Yiu][ottoyiu] maintains the [django-cors-headers] package, which is known to work correctly with REST framework APIs.
[cite]: http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html
[csrf]: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
[csrf-ajax]: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax
[cors]: http://www.w3.org/TR/cors/
[ottoyiu]: https://github.com/ottoyiu/
[django-cors-headers]: https://github.com/ottoyiu/django-cors-headers/
docs/topics/browsable-api.md
...@@ -35,23 +35,20 @@ A suitable replacement theme can be generated using Bootstrap's [Customize Tool] ...@@ -35,23 +35,20 @@ A suitable replacement theme can be generated using Bootstrap's [Customize Tool]
You can also change the navbar variant, which by default is `navbar-inverse`, using the `bootstrap_navbar_variant` block. The empty `{% block bootstrap_navbar_variant %}{% endblock %}` will use the original Bootstrap navbar style. You can also change the navbar variant, which by default is `navbar-inverse`, using the `bootstrap_navbar_variant` block. The empty `{% block bootstrap_navbar_variant %}{% endblock %}` will use the original Bootstrap navbar style.
For more specific CSS tweaks, use the `extra_style` block instead. For more specific CSS tweaks, use the `style` block instead.
### Blocks ### Blocks
All of the blocks available in the browsable API base template that can be used in your `api.html`. All of the blocks available in the browsable API base template that can be used in your `api.html`.
* `blockbots` - `<meta>` tag that blocks crawlers
* `bodyclass` - (empty) class attribute for the `<body>` * `bodyclass` - (empty) class attribute for the `<body>`
* `bootstrap_theme` - CSS for the Bootstrap theme * `bootstrap_theme` - CSS for the Bootstrap theme
* `bootstrap_navbar_variant` - CSS class for the navbar * `bootstrap_navbar_variant` - CSS class for the navbar
* `branding` - section of the navbar, see [Bootstrap components][bcomponentsnav] * `branding` - section of the navbar, see [Bootstrap components][bcomponentsnav]
* `breadcrumbs` - Links showing resource nesting, allowing the user to go back up the resources. It's recommended to preserve these, but they can be overridden using the breadcrumbs block. * `breadcrumbs` - Links showing resource nesting, allowing the user to go back up the resources. It's recommended to preserve these, but they can be overridden using the breadcrumbs block.
* `extrastyle` - (empty) extra CSS for the page
* `extrahead` - (empty) extra markup for the page `<head>`
* `footer` - Any copyright notices or similar footer materials can go here (by default right-aligned) * `footer` - Any copyright notices or similar footer materials can go here (by default right-aligned)
* `global_heading` - (empty) Use to insert content below the header but before the breadcrumbs. * `style` - CSS stylesheets for the page
* `title` - title of the page * `title` - title of the page
* `userlinks` - This is a list of links on the right of the header, by default containing login/logout links. To add links instead of replace, use {{ block.super }} to preserve the authentication links. * `userlinks` - This is a list of links on the right of the header, by default containing login/logout links. To add links instead of replace, use {{ block.super }} to preserve the authentication links.
......
docs/topics/browser-enhancements.md
...@@ -19,6 +19,21 @@ For example, given the following form: ...@@ -19,6 +19,21 @@ For example, given the following form:
`request.method` would return `"DELETE"`. `request.method` would return `"DELETE"`.
## HTTP header based method overriding
REST framework also supports method overriding via the semi-standard `X-HTTP-Method-Override` header. This can be useful if you are working with non-form content such as JSON and are working with an older web server and/or hosting provider that doesn't recognise particular HTTP methods such as `PATCH`. For example [Amazon Web Services ELB][aws_elb].
To use it, make a `POST` request, setting the `X-HTTP-Method-Override` header.
For example, making a `PATCH` request via `POST` in jQuery:
$.ajax({
url: '/myresource/',
method: 'POST',
headers: {'X-HTTP-Method-Override': 'PATCH'},
...
});
## Browser based submission of non-form content ## Browser based submission of non-form content
Browser-based submission of content types other than form are supported by Browser-based submission of content types other than form are supported by
...@@ -62,3 +77,4 @@ as well as how to support content types other than form-encoded data. ...@@ -62,3 +77,4 @@ as well as how to support content types other than form-encoded data.
[rails]: http://guides.rubyonrails.org/form_helpers.html#how-do-forms-with-put-or-delete-methods-work [rails]: http://guides.rubyonrails.org/form_helpers.html#how-do-forms-with-put-or-delete-methods-work
[html5]: http://www.w3.org/TR/html5-diff/#changes-2010-06-24 [html5]: http://www.w3.org/TR/html5-diff/#changes-2010-06-24
[put_delete]: http://amundsen.com/examples/put-delete-forms/ [put_delete]: http://amundsen.com/examples/put-delete-forms/
[aws_elb]: https://forums.aws.amazon.com/thread.jspa?messageID=400724
docs/topics/credits.md
...@@ -4,7 +4,7 @@ The following people have helped make REST framework great. ...@@ -4,7 +4,7 @@ The following people have helped make REST framework great.
* Tom Christie - [tomchristie] * Tom Christie - [tomchristie]
* Marko Tibold - [markotibold] * Marko Tibold - [markotibold]
* Paul Bagwell - [pbgwl] * Paul Miller - [paulmillr]
* Sébastien Piquemal - [sebpiq] * Sébastien Piquemal - [sebpiq]
* Carmen Wick - [cwick] * Carmen Wick - [cwick]
* Alex Ehlke - [aehlke] * Alex Ehlke - [aehlke]
...@@ -19,7 +19,7 @@ The following people have helped make REST framework great. ...@@ -19,7 +19,7 @@ The following people have helped make REST framework great.
* Craig Blaszczyk - [jakul] * Craig Blaszczyk - [jakul]
* Garcia Solero - [garciasolero] * Garcia Solero - [garciasolero]
* Tom Drummond - [devioustree] * Tom Drummond - [devioustree]
* Danilo Bargen - [gwrtheyrn] * Danilo Bargen - [dbrgn]
* Andrew McCloud - [amccloud] * Andrew McCloud - [amccloud]
* Thomas Steinacher - [thomasst] * Thomas Steinacher - [thomasst]
* Meurig Freeman - [meurig] * Meurig Freeman - [meurig]
...@@ -91,6 +91,27 @@ The following people have helped make REST framework great. ...@@ -91,6 +91,27 @@ The following people have helped make REST framework great.
* Richard Wackerbarth - [wackerbarth] * Richard Wackerbarth - [wackerbarth]
* Johannes Spielmann - [shezi] * Johannes Spielmann - [shezi]
* James Cleveland - [radiosilence] * James Cleveland - [radiosilence]
* Steve Gregory - [steve-gregory]
* Federico Capoano - [nemesisdesign]
* Bruno Renié - [brutasse]
* Kevin Stone - [kevinastone]
* Guglielmo Celata - [guglielmo]
* Mike Tums - [mktums]
* Michael Elovskikh - [wronglink]
* Michał Jaworski - [swistakm]
* Andrea de Marco - [z4r]
* Fernando Rocha - [fernandogrd]
* Xavier Ordoquy - [xordoquy]
* Adam Wentz - [floppya]
* Andreas Pelme - [pelme]
* Ryan Detzel - [ryanrdetzel]
* Omer Katz - [thedrow]
* Wiliam Souza - [waa]
* Jonas Braun - [iekadou]
* Ian Dash - [bitmonkey]
* Bouke Haarsma - [bouke]
* Pierre Dulac - [dulaccc]
* Dave Kuhn - [kuhnza]
Many thanks to everyone who's contributed to the project. Many thanks to everyone who's contributed to the project.
...@@ -114,7 +135,6 @@ For usage questions please see the [REST framework discussion group][group]. ...@@ -114,7 +135,6 @@ For usage questions please see the [REST framework discussion group][group].
You can also contact [@_tomchristie][twitter] directly on twitter. You can also contact [@_tomchristie][twitter] directly on twitter.
[email]: mailto:tom@tomchristie.com
[twitter]: http://twitter.com/_tomchristie [twitter]: http://twitter.com/_tomchristie
[bootstrap]: http://twitter.github.com/bootstrap/ [bootstrap]: http://twitter.github.com/bootstrap/
[markdown]: http://daringfireball.net/projects/markdown/ [markdown]: http://daringfireball.net/projects/markdown/
...@@ -130,7 +150,7 @@ You can also contact [@_tomchristie][twitter] directly on twitter. ...@@ -130,7 +150,7 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
[tomchristie]: https://github.com/tomchristie [tomchristie]: https://github.com/tomchristie
[markotibold]: https://github.com/markotibold [markotibold]: https://github.com/markotibold
[pbgwl]: https://github.com/pbgwl [paulmillr]: https://github.com/paulmillr
[sebpiq]: https://github.com/sebpiq [sebpiq]: https://github.com/sebpiq
[cwick]: https://github.com/cwick [cwick]: https://github.com/cwick
[aehlke]: https://github.com/aehlke [aehlke]: https://github.com/aehlke
...@@ -145,7 +165,7 @@ You can also contact [@_tomchristie][twitter] directly on twitter. ...@@ -145,7 +165,7 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
[jakul]: https://github.com/jakul [jakul]: https://github.com/jakul
[garciasolero]: https://github.com/garciasolero [garciasolero]: https://github.com/garciasolero
[devioustree]: https://github.com/devioustree [devioustree]: https://github.com/devioustree
[gwrtheyrn]: https://github.com/gwrtheyrn [dbrgn]: https://github.com/dbrgn
[amccloud]: https://github.com/amccloud [amccloud]: https://github.com/amccloud
[thomasst]: https://github.com/thomasst [thomasst]: https://github.com/thomasst
[meurig]: https://github.com/meurig [meurig]: https://github.com/meurig
...@@ -217,3 +237,24 @@ You can also contact [@_tomchristie][twitter] directly on twitter. ...@@ -217,3 +237,24 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
[wackerbarth]: https://github.com/wackerbarth [wackerbarth]: https://github.com/wackerbarth
[shezi]: https://github.com/shezi [shezi]: https://github.com/shezi
[radiosilence]: https://github.com/radiosilence [radiosilence]: https://github.com/radiosilence
[steve-gregory]: https://github.com/steve-gregory
[nemesisdesign]: https://github.com/nemesisdesign
[brutasse]: https://github.com/brutasse
[kevinastone]: https://github.com/kevinastone
[guglielmo]: https://github.com/guglielmo
[mktums]: https://github.com/mktums
[wronglink]: https://github.com/wronglink
[swistakm]: https://github.com/swistakm
[z4r]: https://github.com/z4r
[fernandogrd]: https://github.com/fernandogrd
[xordoquy]: https://github.com/xordoquy
[floppya]: https://github.com/floppya
[pelme]: https://github.com/pelme
[ryanrdetzel]: https://github.com/ryanrdetzel
[thedrow]: https://github.com/thedrow
[waa]: https://github.com/wiliamsouza
[iekadou]: https://github.com/iekadou
[bitmonkey]: https://github.com/bitmonkey
[bouke]: https://github.com/bouke
[dulaccc]: https://github.com/dulaccc
[kuhnza]: https://github.com/kuhnza
docs/topics/csrf.md deleted 100644 → 0
# Working with AJAX and CSRF
> "Take a close look at possible CSRF / XSRF vulnerabilities on your own websites. They're the worst kind of vulnerability -- very easy to exploit by attackers, yet not so intuitively easy to understand for software developers, at least until you've been bitten by one."
>
> &mdash; [Jeff Atwood][cite]
* Explain need to add CSRF token to AJAX requests.
* Explain deferred CSRF style used by REST framework
* Why you should use Django's standard login/logout views, and not REST framework view
[cite]: http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html
docs/topics/release-notes.md
...@@ -8,29 +8,140 @@ ...@@ -8,29 +8,140 @@
Minor version numbers (0.0.x) are used for changes that are API compatible. You should be able to upgrade between minor point releases without any other code changes. Minor version numbers (0.0.x) are used for changes that are API compatible. You should be able to upgrade between minor point releases without any other code changes.
Medium version numbers (0.x.0) may include minor API changes. You should read the release notes carefully before upgrading between medium point releases. Medium version numbers (0.x.0) may include API changes, in line with the [deprecation policy][deprecation-policy]. You should read the release notes carefully before upgrading between medium point releases.
Major version numbers (x.0.0) are reserved for project milestones. No major point releases are currently planned. Major version numbers (x.0.0) are reserved for substantial project milestones. No major point releases are currently planned.
## Deprecation policy
REST framework releases follow a formal deprecation policy, which is in line with [Django's deprecation policy][django-deprecation-policy].
The timeline for deprecation of a feature present in version 1.0 would work as follows:
* Version 1.1 would remain **fully backwards compatible** with 1.0, but would raise `PendingDeprecationWarning` warnings if you use the feature that are due to be deprecated. These warnings are **silent by default**, but can be explicitly enabled when you're ready to start migrating any required changes. For example if you start running your tests using `python -Wd manage.py test`, you'll be warned of any API changes you need to make.
* Version 1.2 would escalate these warnings to `DeprecationWarning`, which is loud by default.
* Version 1.3 would remove the deprecated bits of API entirely.
Note that in line with Django's policy, any parts of the framework not mentioned in the documentation should generally be considered private API, and may be subject to change.
## Upgrading
To upgrade Django REST framework to the latest version, use pip:
pip install -U djangorestframework
You can determine your currently installed version using `pip freeze`:
pip freeze | grep djangorestframework
--- ---
## 2.1.x series ## 2.2.x series
### Master ### Master
* `Serializer.save()` now supports arbitrary keyword args which are passed through to the object `.save()` method. Mixins use `force_insert` and `force_update` where appropriate, resulting in one less database query.
### 2.2.4
**Date**: 13th March 2013
* OAuth 2 support.
* OAuth 1.0a support.
* Support X-HTTP-Method-Override header.
* Filtering backends are now applied to the querysets for object lookups as well as lists. (Eg you can use a filtering backend to control which objects should 404)
* Deal with error data nicely when deserializing lists of objects.
* Extra override hook to configure `DjangoModelPermissions` for unauthenticated users.
* Bugfix: Fix regression which caused extra database query on paginated list views.
* Bugfix: Fix pk relationship bug for some types of 1-to-1 relations.
* Bugfix: Workaround for Django bug causing case where `Authtoken` could be registered for cascade delete from `User` even if not installed.
### 2.2.3
**Date**: 7th March 2013
* Bugfix: Fix None values for for `DateField`, `DateTimeField` and `TimeField`.
### 2.2.2
**Date**: 6th March 2013
* Support for custom input and output formats for `DateField`, `DateTimeField` and `TimeField`.
* Cleanup: Request authentication is no longer lazily evaluated, instead authentication is always run, which results in more consistent, obvious behavior. Eg. Supplying bad auth credentials will now always return an error response, even if no permissions are set on the view.
* Bugfix for serializer data being uncacheable with pickle protocol 0.
* Bugfixes for model field validation edge-cases.
* Bugfix for authtoken migration while using a custom user model and south.
### 2.2.1
**Date**: 22nd Feb 2013
* Security fix: Use `defusedxml` package to address XML parsing vulnerabilities.
* Raw data tab added to browseable API. (Eg. Allow for JSON input.)
* Added TimeField.
* Serializer fields can be mapped to any method that takes no args, or only takes kwargs which have defaults.
* Unicode support for view names/descriptions in browseable API.
* Bugfix: request.DATA should return an empty `QueryDict` with no data, not `None`.
* Bugfix: Remove unneeded field validation, which caused extra queries.
**Security note**: Following the [disclosure of security vulnerabilities][defusedxml-announce] in Python's XML parsing libraries, use of the `XMLParser` class now requires the `defusedxml` package to be installed.
The security vulnerabilities only affect APIs which use the `XMLParser` class, by enabling it in any views, or by having it set in the `DEFAULT_PARSER_CLASSES` setting. Note that the `XMLParser` class is not enabled by default, so this change should affect a minority of users.
### 2.2.0
**Date**: 13th Feb 2013
* Python 3 support.
* Added a `post_save()` hook to the generic views.
* Allow serializers to handle dicts as well as objects.
* Deprecate `ManyRelatedField()` syntax in favor of `RelatedField(many=True)`
* Deprecate `null=True` on relations in favor of `required=False`.
* Deprecate `blank=True` on CharFields, just use `required=False`.
* Deprecate optional `obj` argument in permissions checks in favor of `has_object_permission`.
* Deprecate implicit hyperlinked relations behavior.
* Bugfix: Fix broken DjangoModelPermissions.
* Bugfix: Allow serializer output to be cached.
* Bugfix: Fix styling on browsable API login.
* Bugfix: Fix issue with deserializing empty to-many relations.
* Bugfix: Ensure model field validation is still applied for ModelSerializer subclasses with an custom `.restore_object()` method.
**Note**: See the [2.2 announcement][2.2-announcement] for full details.
---
## 2.1.x series
### 2.1.17
**Date**: 26th Jan 2013
* Support proper 401 Unauthorized responses where appropriate, instead of always using 403 Forbidden.
* Support json encoding of timedelta objects. * Support json encoding of timedelta objects.
* `format_suffix_patterns()` now supports `include` style URL patterns.
* Bugfix: Fix issues with custom pagination serializers.
* Bugfix: Nested serializers now accept `source='*'` argument.
* Bugfix: Return proper validation errors when incorrect types supplied for relational fields.
* Bugfix: Support nullable FKs with `SlugRelatedField`.
* Bugfix: Don't call custom validation methods if the field has an error.
**Note**: If the primary authentication class is `TokenAuthentication` or `BasicAuthentication`, a view will now correctly return 401 responses to unauthenticated access, with an appropriate `WWW-Authenticate` header, instead of 403 responses.
### 2.1.16 ### 2.1.16
**Date**: 14th Jan 2013 **Date**: 14th Jan 2013
* Deprecate django.utils.simplejson in favor of Python 2.6's built-in json module. * Deprecate `django.utils.simplejson` in favor of Python 2.6's built-in json module.
* Bugfix: `auto_now`, `auto_now_add` and other `editable=False` fields now default to read-only. * Bugfix: `auto_now`, `auto_now_add` and other `editable=False` fields now default to read-only.
* Bugfix: PK fields now only default to read-only if they are an AutoField or if `editable=False`. * Bugfix: PK fields now only default to read-only if they are an AutoField or if `editable=False`.
* Bugfix: Validation errors instead of exceptions when serializers receive incorrect types. * Bugfix: Validation errors instead of exceptions when serializers receive incorrect types.
* Bugfix: Validation errors instead of exceptions when related fields receive incorrect types. * Bugfix: Validation errors instead of exceptions when related fields receive incorrect types.
* Bugfix: Handle ObjectDoesNotExist exception when serializing null reverse one-to-one * Bugfix: Handle ObjectDoesNotExist exception when serializing null reverse one-to-one
**Note**: Prior to 2.1.16, The Decimals would render in JSON using floating point if `simplejson` was installed, but otherwise render using string notation. Now that use of `simplejson` has been deprecated, Decimals will consistently render using string notation. See [#582] for more details.
### 2.1.15 ### 2.1.15
**Date**: 3rd Jan 2013 **Date**: 3rd Jan 2013
...@@ -319,7 +430,12 @@ This change will not affect user code, so long as it's following the recommended ...@@ -319,7 +430,12 @@ This change will not affect user code, so long as it's following the recommended
* Initial release. * Initial release.
[cite]: http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s04.html [cite]: http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s04.html
[deprecation-policy]: #deprecation-policy
[django-deprecation-policy]: https://docs.djangoproject.com/en/dev/internals/release-process/#internal-release-deprecation-policy
[defusedxml-announce]: http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
[2.2-announcement]: 2.2-announcement.md
[staticfiles14]: https://docs.djangoproject.com/en/1.4/howto/static-files/#with-a-template-tag [staticfiles14]: https://docs.djangoproject.com/en/1.4/howto/static-files/#with-a-template-tag
[staticfiles13]: https://docs.djangoproject.com/en/1.3/howto/static-files/#with-a-template-tag [staticfiles13]: https://docs.djangoproject.com/en/1.3/howto/static-files/#with-a-template-tag
[2.1.0-notes]: https://groups.google.com/d/topic/django-rest-framework/Vv2M0CMY9bg/discussion [2.1.0-notes]: https://groups.google.com/d/topic/django-rest-framework/Vv2M0CMY9bg/discussion
[announcement]: rest-framework-2-announcement.md [announcement]: rest-framework-2-announcement.md
[#582]: https://github.com/tomchristie/django-rest-framework/issues/582
docs/tutorial/1-serialization.md
...@@ -4,11 +4,11 @@ ...@@ -4,11 +4,11 @@
This tutorial will cover creating a simple pastebin code highlighting Web API. Along the way it will introduce the various components that make up REST framework, and give you a comprehensive understanding of how everything fits together. This tutorial will cover creating a simple pastebin code highlighting Web API. Along the way it will introduce the various components that make up REST framework, and give you a comprehensive understanding of how everything fits together.
The tutorial is fairly in-depth, so you should probably get a cookie and a cup of your favorite brew before getting started.<!-- If you just want a quick overview, you should head over to the [quickstart] documentation instead. --> The tutorial is fairly in-depth, so you should probably get a cookie and a cup of your favorite brew before getting started. If you just want a quick overview, you should head over to the [quickstart] documentation instead.
--- ---
**Note**: The code for this tutorial is available in the [tomchristie/rest-framework-tutorial][repo] repository on GitHub. As pieces of code are introduced, they are committed to this repository. The completed implementation is also online as a sandbox version for testing, [available here][sandbox]. **Note**: The code for this tutorial is available in the [tomchristie/rest-framework-tutorial][repo] repository on GitHub. The completed implementation is also online as a sandbox version for testing, [available here][sandbox].
--- ---
...@@ -86,7 +86,7 @@ For the purposes of this tutorial we're going to start by creating a simple `Sni ...@@ -86,7 +86,7 @@ For the purposes of this tutorial we're going to start by creating a simple `Sni
class Snippet(models.Model): class Snippet(models.Model):
created = models.DateTimeField(auto_now_add=True) created = models.DateTimeField(auto_now_add=True)
title = models.CharField(max_length=100, default='') title = models.CharField(max_length=100, blank=True, default='')
code = models.TextField() code = models.TextField()
linenos = models.BooleanField(default=False) linenos = models.BooleanField(default=False)
language = models.CharField(choices=LANGUAGE_CHOICES, language = models.CharField(choices=LANGUAGE_CHOICES,
...@@ -109,7 +109,7 @@ The first thing we need to get started on our Web API is provide a way of serial ...@@ -109,7 +109,7 @@ The first thing we need to get started on our Web API is provide a way of serial
from django.forms import widgets from django.forms import widgets
from rest_framework import serializers from rest_framework import serializers
from snippets import models from snippets.models import Snippet, LANGUAGE_CHOICES, STYLE_CHOICES
class SnippetSerializer(serializers.Serializer): class SnippetSerializer(serializers.Serializer):
...@@ -119,26 +119,30 @@ The first thing we need to get started on our Web API is provide a way of serial ...@@ -119,26 +119,30 @@ The first thing we need to get started on our Web API is provide a way of serial
code = serializers.CharField(widget=widgets.Textarea, code = serializers.CharField(widget=widgets.Textarea,
max_length=100000) max_length=100000)
linenos = serializers.BooleanField(required=False) linenos = serializers.BooleanField(required=False)
language = serializers.ChoiceField(choices=models.LANGUAGE_CHOICES, language = serializers.ChoiceField(choices=LANGUAGE_CHOICES,
default='python') default='python')
style = serializers.ChoiceField(choices=models.STYLE_CHOICES, style = serializers.ChoiceField(choices=STYLE_CHOICES,
default='friendly') default='friendly')
def restore_object(self, attrs, instance=None): def restore_object(self, attrs, instance=None):
""" """
Create or update a new snippet instance. Create or update a new snippet instance, given a dictionary
of deserialized field values.
Note that if we don't define this method, then deserializing
data will simply return a dictionary of items.
""" """
if instance: if instance:
# Update existing instance # Update existing instance
instance.title = attrs['title'] instance.title = attrs.get('title', instance.title)
instance.code = attrs['code'] instance.code = attrs.get('code', instance.code)
instance.linenos = attrs['linenos'] instance.linenos = attrs.get('linenos', instance.linenos)
instance.language = attrs['language'] instance.language = attrs.get('language', instance.language)
instance.style = attrs['style'] instance.style = attrs.get('style', instance.style)
return instance return instance
# Create new instance # Create new instance
return models.Snippet(**attrs) return Snippet(**attrs)
The first part of serializer class defines the fields that get serialized/deserialized. The `restore_object` method defines how fully fledged instances get created when deserializing data. The first part of serializer class defines the fields that get serialized/deserialized. The `restore_object` method defines how fully fledged instances get created when deserializing data.
...@@ -150,13 +154,16 @@ Before we go any further we'll familiarize ourselves with using our new Serializ ...@@ -150,13 +154,16 @@ Before we go any further we'll familiarize ourselves with using our new Serializ
python manage.py shell python manage.py shell
Okay, once we've got a few imports out of the way, let's create a code snippet to work with. Okay, once we've got a few imports out of the way, let's create a couple of code snippets to work with.
from snippets.models import Snippet from snippets.models import Snippet
from snippets.serializers import SnippetSerializer from snippets.serializers import SnippetSerializer
from rest_framework.renderers import JSONRenderer from rest_framework.renderers import JSONRenderer
from rest_framework.parsers import JSONParser from rest_framework.parsers import JSONParser
snippet = Snippet(code='foo = "bar"\n')
snippet.save()
snippet = Snippet(code='print "hello, world"\n') snippet = Snippet(code='print "hello, world"\n')
snippet.save() snippet.save()
...@@ -164,13 +171,13 @@ We've now got a few snippet instances to play with. Let's take a look at serial ...@@ -164,13 +171,13 @@ We've now got a few snippet instances to play with. Let's take a look at serial
serializer = SnippetSerializer(snippet) serializer = SnippetSerializer(snippet)
serializer.data serializer.data
# {'pk': 1, 'title': u'', 'code': u'print "hello, world"\n', 'linenos': False, 'language': u'python', 'style': u'friendly'} # {'pk': 2, 'title': u'', 'code': u'print "hello, world"\n', 'linenos': False, 'language': u'python', 'style': u'friendly'}
At this point we've translated the model instance into python native datatypes. To finalize the serialization process we render the data into `json`. At this point we've translated the model instance into python native datatypes. To finalize the serialization process we render the data into `json`.
content = JSONRenderer().render(serializer.data) content = JSONRenderer().render(serializer.data)
content content
# '{"pk": 1, "title": "", "code": "print \\"hello, world\\"\\n", "linenos": false, "language": "python", "style": "friendly"}' # '{"pk": 2, "title": "", "code": "print \\"hello, world\\"\\n", "linenos": false, "language": "python", "style": "friendly"}'
Deserialization is similar. First we parse a stream into python native datatypes... Deserialization is similar. First we parse a stream into python native datatypes...
...@@ -189,6 +196,12 @@ Deserialization is similar. First we parse a stream into python native datatype ...@@ -189,6 +196,12 @@ Deserialization is similar. First we parse a stream into python native datatype
Notice how similar the API is to working with forms. The similarity should become even more apparent when we start writing views that use our serializer. Notice how similar the API is to working with forms. The similarity should become even more apparent when we start writing views that use our serializer.
We can also serialize querysets instead of model instances. To do so we simply add a `many=True` flag to the serializer arguments.
serializer = SnippetSerializer(Snippet.objects.all(), many=True)
serializer.data
# [{'pk': 1, 'title': u'', 'code': u'foo = "bar"\n', 'linenos': False, 'language': u'python', 'style': u'friendly'}, {'pk': 2, 'title': u'', 'code': u'print "hello, world"\n', 'linenos': False, 'language': u'python', 'style': u'friendly'}]
## Using ModelSerializers ## Using ModelSerializers
Our `SnippetSerializer` class is replicating a lot of information that's also contained in the `Snippet` model. It would be nice if we could keep out code a bit more concise. Our `SnippetSerializer` class is replicating a lot of information that's also contained in the `Snippet` model. It would be nice if we could keep out code a bit more concise.
...@@ -237,7 +250,7 @@ The root of our API is going to be a view that supports listing all the existing ...@@ -237,7 +250,7 @@ The root of our API is going to be a view that supports listing all the existing
""" """
if request.method == 'GET': if request.method == 'GET':
snippets = Snippet.objects.all() snippets = Snippet.objects.all()
serializer = SnippetSerializer(snippets) serializer = SnippetSerializer(snippets, many=True)
return JSONResponse(serializer.data) return JSONResponse(serializer.data)
elif request.method == 'POST': elif request.method == 'POST':
...@@ -295,11 +308,11 @@ It's worth noting that there are a couple of edge cases we're not dealing with p ...@@ -295,11 +308,11 @@ It's worth noting that there are a couple of edge cases we're not dealing with p
Now we can start up a sample server that serves our snippets. Now we can start up a sample server that serves our snippets.
Quit out of the shell Quit out of the shell...
quit() quit()
and start up Django's development server ...and start up Django's development server.
python manage.py runserver python manage.py runserver
...@@ -312,19 +325,19 @@ and start up Django's development server ...@@ -312,19 +325,19 @@ and start up Django's development server
In another terminal window, we can test the server. In another terminal window, we can test the server.
We can get a list of all of the snippets (we only have one at the moment) We can get a list of all of the snippets.
curl http://127.0.0.1:8000/snippets/ curl http://127.0.0.1:8000/snippets/
[{"id": 1, "title": "", "code": "print \"hello, world\"\n", "linenos": false, "language": "python", "style": "friendly"}] [{"id": 1, "title": "", "code": "foo = \"bar\"\n", "linenos": false, "language": "python", "style": "friendly"}, {"id": 2, "title": "", "code": "print \"hello, world\"\n", "linenos": false, "language": "python", "style": "friendly"}]
or we can get a particular snippet by referencing its id Or we can get a particular snippet by referencing its id.
curl http://127.0.0.1:8000/snippets/1/ curl http://127.0.0.1:8000/snippets/2/
{"id": 1, "title": "", "code": "print \"hello, world\"\n", "linenos": false, "language": "python", "style": "friendly"} {"id": 2, "title": "", "code": "print \"hello, world\"\n", "linenos": false, "language": "python", "style": "friendly"}
Similarly, you can have the same json displayed by referencing these URLs from your favorite web browser. Similarly, you can have the same json displayed by visiting these URLs in a web browser.
## Where are we now ## Where are we now
......
docs/tutorial/2-requests-and-responses.md
...@@ -51,7 +51,7 @@ We don't need our `JSONResponse` class anymore, so go ahead and delete that. On ...@@ -51,7 +51,7 @@ We don't need our `JSONResponse` class anymore, so go ahead and delete that. On
""" """
if request.method == 'GET': if request.method == 'GET':
snippets = Snippet.objects.all() snippets = Snippet.objects.all()
serializer = SnippetSerializer(snippets) serializer = SnippetSerializer(snippets, many=True)
return Response(serializer.data) return Response(serializer.data)
elif request.method == 'POST': elif request.method == 'POST':
...@@ -75,11 +75,11 @@ Here is the view for an individual snippet. ...@@ -75,11 +75,11 @@ Here is the view for an individual snippet.
snippet = Snippet.objects.get(pk=pk) snippet = Snippet.objects.get(pk=pk)
except Snippet.DoesNotExist: except Snippet.DoesNotExist:
return Response(status=status.HTTP_404_NOT_FOUND) return Response(status=status.HTTP_404_NOT_FOUND)
if request.method == 'GET': if request.method == 'GET':
serializer = SnippetSerializer(snippet) serializer = SnippetSerializer(snippet)
return Response(serializer.data) return Response(serializer.data)
elif request.method == 'PUT': elif request.method == 'PUT':
serializer = SnippetSerializer(snippet, data=request.DATA) serializer = SnippetSerializer(snippet, data=request.DATA)
if serializer.is_valid(): if serializer.is_valid():
...@@ -126,13 +126,41 @@ We don't necessarily need to add these extra url patterns in, but it gives us a ...@@ -126,13 +126,41 @@ We don't necessarily need to add these extra url patterns in, but it gives us a
Go ahead and test the API from the command line, as we did in [tutorial part 1][tut-1]. Everything is working pretty similarly, although we've got some nicer error handling if we send invalid requests. Go ahead and test the API from the command line, as we did in [tutorial part 1][tut-1]. Everything is working pretty similarly, although we've got some nicer error handling if we send invalid requests.
**TODO: Describe using accept headers, content-type headers, and format suffixed URLs** We can get a list of all of the snippets, as before.
curl http://127.0.0.1:8000/snippets/
[{"id": 1, "title": "", "code": "foo = \"bar\"\n", "linenos": false, "language": "python", "style": "friendly"}, {"id": 2, "title": "", "code": "print \"hello, world\"\n", "linenos": false, "language": "python", "style": "friendly"}]
We can control the format of the response that we get back, either by using the `Accept` header:
curl http://127.0.0.1:8000/snippets/ -H 'Accept: application/json' # Request JSON
curl http://127.0.0.1:8000/snippets/ -H 'Accept: text/html' # Request HTML
Or by appending a format suffix:
curl http://127.0.0.1:8000/snippets/.json # JSON suffix
curl http://127.0.0.1:8000/snippets/.api # Browseable API suffix
Similarly, we can control the format of the request that we send, using the `Content-Type` header.
# POST using form data
curl -X POST http://127.0.0.1:8000/snippets/ -d "code=print 123"
{"id": 3, "title": "", "code": "123", "linenos": false, "language": "python", "style": "friendly"}
# POST using JSON
curl -X POST http://127.0.0.1:8000/snippets/ -d '{"code": "print 456"}' -H "Content-Type: application/json"
{"id": 4, "title": "", "code": "print 456", "linenos": true, "language": "python", "style": "friendly"}
Now go and open the API in a web browser, by visiting [http://127.0.0.1:8000/snippets/][devserver]. Now go and open the API in a web browser, by visiting [http://127.0.0.1:8000/snippets/][devserver].
### Browsability ### Browsability
Because the API chooses a return format based on what the client asks for, it will, by default, return an HTML-formatted representation of the resource when that resource is requested by a browser. This allows for the API to be easily browsable and usable by humans. Because the API chooses the content type of the response based on the client request, it will, by default, return an HTML-formatted representation of the resource when that resource is requested by a web browser. This allows for the API to return a fully web-browsable HTML representation.
Having a web-browseable API is a huge usability win, and makes developing and using your API much easier. It also dramatically lowers the barrier-to-entry for other developers wanting to inspect and work with your API.
See the [browsable api][browseable-api] topic for more information about the browsable API feature and how to customize it. See the [browsable api][browseable-api] topic for more information about the browsable API feature and how to customize it.
......
docs/tutorial/3-class-based-views.md
...@@ -20,7 +20,7 @@ We'll start by rewriting the root view as a class based view. All this involves ...@@ -20,7 +20,7 @@ We'll start by rewriting the root view as a class based view. All this involves
""" """
def get(self, request, format=None): def get(self, request, format=None):
snippets = Snippet.objects.all() snippets = Snippet.objects.all()
serializer = SnippetSerializer(snippets) serializer = SnippetSerializer(snippets, many=True)
return Response(serializer.data) return Response(serializer.data)
def post(self, request, format=None): def post(self, request, format=None):
......
docs/tutorial/4-authentication-and-permissions.md
...@@ -22,7 +22,7 @@ We'd also need to make sure that when the model is saved, that we populate the h ...@@ -22,7 +22,7 @@ We'd also need to make sure that when the model is saved, that we populate the h
We'll need some extra imports: We'll need some extra imports:
from pygments.lexers import get_lexer_by_name from pygments.lexers import get_lexer_by_name
from pygments.formatters import HtmlFormatter from pygments.formatters.html import HtmlFormatter
from pygments import highlight from pygments import highlight
And now we can add a `.save()` method to our model class: And now we can add a `.save()` method to our model class:
...@@ -54,8 +54,10 @@ You might also want to create a few different users, to use for testing the API. ...@@ -54,8 +54,10 @@ You might also want to create a few different users, to use for testing the API.
Now that we've got some users to work with, we'd better add representations of those users to our API. Creating a new serializer is easy: Now that we've got some users to work with, we'd better add representations of those users to our API. Creating a new serializer is easy:
from django.contrib.auth.models import User
class UserSerializer(serializers.ModelSerializer): class UserSerializer(serializers.ModelSerializer):
snippets = serializers.ManyPrimaryKeyRelatedField() snippets = serializers.PrimaryKeyRelatedField(many=True)
class Meta: class Meta:
model = User model = User
...@@ -70,14 +72,14 @@ We'll also add a couple of views. We'd like to just use read-only views for the ...@@ -70,14 +72,14 @@ We'll also add a couple of views. We'd like to just use read-only views for the
serializer_class = UserSerializer serializer_class = UserSerializer
class UserInstance(generics.RetrieveAPIView): class UserDetail(generics.RetrieveAPIView):
model = User model = User
serializer_class = UserSerializer serializer_class = UserSerializer
Finally we need to add those views into the API, by referencing them from the URL conf. Finally we need to add those views into the API, by referencing them from the URL conf.
url(r'^users/$', views.UserList.as_view()), url(r'^users/$', views.UserList.as_view()),
url(r'^users/(?P<pk>[0-9]+)/$', views.UserInstance.as_view()), url(r'^users/(?P<pk>[0-9]+)/$', views.UserDetail.as_view()),
## Associating Snippets with Users ## Associating Snippets with Users
...@@ -102,8 +104,6 @@ This field is doing something quite interesting. The `source` argument controls ...@@ -102,8 +104,6 @@ This field is doing something quite interesting. The `source` argument controls
The field we've added is the untyped `Field` class, in contrast to the other typed fields, such as `CharField`, `BooleanField` etc... The untyped `Field` is always read-only, and will be used for serialized representations, but will not be used for updating model instances when they are deserialized. The field we've added is the untyped `Field` class, in contrast to the other typed fields, such as `CharField`, `BooleanField` etc... The untyped `Field` is always read-only, and will be used for serialized representations, but will not be used for updating model instances when they are deserialized.
**TODO: Explain the SessionAuthentication and BasicAuthentication classes, and demonstrate using HTTP basic authentication with curl requests**
## Adding required permissions to views ## Adding required permissions to views
Now that code snippets are associated with users, we want to make sure that only authenticated users are able to create, update and delete code snippets. Now that code snippets are associated with users, we want to make sure that only authenticated users are able to create, update and delete code snippets.
...@@ -118,8 +118,6 @@ Then, add the following property to **both** the `SnippetList` and `SnippetDetai ...@@ -118,8 +118,6 @@ Then, add the following property to **both** the `SnippetList` and `SnippetDetai
permission_classes = (permissions.IsAuthenticatedOrReadOnly,) permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
**TODO: Now that the permissions are restricted, demonstrate using HTTP basic authentication with curl requests**
## Adding login to the Browseable API ## Adding login to the Browseable API
If you open a browser and navigate to the browseable API at the moment, you'll find that you're no longer able to create new code snippets. In order to do so we'd need to be able to login as a user. If you open a browser and navigate to the browseable API at the moment, you'll find that you're no longer able to create new code snippets. In order to do so we'd need to be able to login as a user.
...@@ -159,12 +157,9 @@ In the snippets app, create a new file, `permissions.py` ...@@ -159,12 +157,9 @@ In the snippets app, create a new file, `permissions.py`
Custom permission to only allow owners of an object to edit it. Custom permission to only allow owners of an object to edit it.
""" """
def has_permission(self, request, view, obj=None): def has_object_permission(self, request, view, obj):
# Skip the check unless this is an object-level test # Read permissions are allowed to any request,
if obj is None: # so we'll always allow GET, HEAD or OPTIONS requests.
return True
# Read permissions are allowed to any request
if request.method in permissions.SAFE_METHODS: if request.method in permissions.SAFE_METHODS:
return True return True
...@@ -182,10 +177,31 @@ Make sure to also import the `IsOwnerOrReadOnly` class. ...@@ -182,10 +177,31 @@ Make sure to also import the `IsOwnerOrReadOnly` class.
Now, if you open a browser again, you find that the 'DELETE' and 'PUT' actions only appear on a snippet instance endpoint if you're logged in as the same user that created the code snippet. Now, if you open a browser again, you find that the 'DELETE' and 'PUT' actions only appear on a snippet instance endpoint if you're logged in as the same user that created the code snippet.
## Authenticating with the API
Because we now have a set of permissions on the API, we need to authenticate our requests to it if we want to edit any snippets. We havn't set up any [authentication classes][authentication], so the defaults are currently applied, which are `SessionAuthentication` and `BasicAuthentication`.
When we interact with the API through the web browser, we can login, and the browser session will then provide the required authentication for the requests.
If we're interacting with the API programmatically we need to explicitly provide the authentication credentials on each request.
If we try to create a snippet without authenticating, we'll get an error:
curl -i -X POST http://127.0.0.1:8000/snippets/ -d "code=print 123"
{"detail": "Authentication credentials were not provided."}
We can make a successful request by including the username and password of one of the users we created earlier.
curl -X POST http://127.0.0.1:8000/snippets/ -d "code=print 789" -u tom:password
{"id": 5, "owner": "tom", "title": "foo", "code": "print 789", "linenos": false, "language": "python", "style": "friendly"}
## Summary ## Summary
We've now got a fairly fine-grained set of permissions on our Web API, and end points for users of the system and for the code snippets that they have created. We've now got a fairly fine-grained set of permissions on our Web API, and end points for users of the system and for the code snippets that they have created.
In [part 5][tut-5] of the tutorial we'll look at how we can tie everything together by creating an HTML endpoint for our hightlighted snippets, and improve the cohesion of our API by using hyperlinking for the relationships within the system. In [part 5][tut-5] of the tutorial we'll look at how we can tie everything together by creating an HTML endpoint for our highlighted snippets, and improve the cohesion of our API by using hyperlinking for the relationships within the system.
[tut-5]: 5-relationships-and-hyperlinked-apis.md [authentication]: ../api-guide/authentication.md
\ No newline at end of file [tut-5]: 5-relationships-and-hyperlinked-apis.md
docs/tutorial/5-relationships-and-hyperlinked-apis.md
...@@ -70,8 +70,8 @@ The `HyperlinkedModelSerializer` has the following differences from `ModelSerial ...@@ -70,8 +70,8 @@ The `HyperlinkedModelSerializer` has the following differences from `ModelSerial
* It does not include the `pk` field by default. * It does not include the `pk` field by default.
* It includes a `url` field, using `HyperlinkedIdentityField`. * It includes a `url` field, using `HyperlinkedIdentityField`.
* Relationships use `HyperlinkedRelatedField` and `ManyHyperlinkedRelatedField`, * Relationships use `HyperlinkedRelatedField`,
instead of `PrimaryKeyRelatedField` and `ManyPrimaryKeyRelatedField`. instead of `PrimaryKeyRelatedField`.
We can easily re-write our existing serializers to use hyperlinking. We can easily re-write our existing serializers to use hyperlinking.
...@@ -86,7 +86,7 @@ We can easily re-write our existing serializers to use hyperlinking. ...@@ -86,7 +86,7 @@ We can easily re-write our existing serializers to use hyperlinking.
class UserSerializer(serializers.HyperlinkedModelSerializer): class UserSerializer(serializers.HyperlinkedModelSerializer):
snippets = serializers.ManyHyperlinkedRelatedField(view_name='snippet-detail') snippets = serializers.HyperlinkedRelatedField(many=True, view_name='snippet-detail')
class Meta: class Meta:
model = User model = User
...@@ -123,7 +123,7 @@ After adding all those names into our URLconf, our final `'urls.py'` file should ...@@ -123,7 +123,7 @@ After adding all those names into our URLconf, our final `'urls.py'` file should
views.UserList.as_view(), views.UserList.as_view(),
name='user-list'), name='user-list'),
url(r'^users/(?P<pk>[0-9]+)/$', url(r'^users/(?P<pk>[0-9]+)/$',
views.UserInstance.as_view(), views.UserDetail.as_view(),
name='user-detail') name='user-detail')
)) ))
...@@ -165,7 +165,7 @@ We've reached the end of our tutorial. If you want to get more involved in the ...@@ -165,7 +165,7 @@ We've reached the end of our tutorial. If you want to get more involved in the
* Contribute on [GitHub][github] by reviewing and submitting issues, and making pull requests. * Contribute on [GitHub][github] by reviewing and submitting issues, and making pull requests.
* Join the [REST framework discussion group][group], and help build the community. * Join the [REST framework discussion group][group], and help build the community.
* [Follow the author on Twitter][twitter] and say hi. * Follow [the author][twitter] on Twitter and say hi.
**Now go build awesome things.** **Now go build awesome things.**
...@@ -173,4 +173,4 @@ We've reached the end of our tutorial. If you want to get more involved in the ...@@ -173,4 +173,4 @@ We've reached the end of our tutorial. If you want to get more involved in the
[sandbox]: http://restframework.herokuapp.com/ [sandbox]: http://restframework.herokuapp.com/
[github]: https://github.com/tomchristie/django-rest-framework [github]: https://github.com/tomchristie/django-rest-framework
[group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework [group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework
[twitter]: https://twitter.com/_tomchristie [twitter]: https://twitter.com/_tomchristie
\ No newline at end of file
mkdocs.py
...@@ -57,24 +57,36 @@ for (dirpath, dirnames, filenames) in os.walk(docs_dir): ...@@ -57,24 +57,36 @@ for (dirpath, dirnames, filenames) in os.walk(docs_dir):
toc = '' toc = ''
text = open(path, 'r').read().decode('utf-8') text = open(path, 'r').read().decode('utf-8')
main_title = None
description = 'Django, API, REST'
for line in text.splitlines(): for line in text.splitlines():
if line.startswith('# '): if line.startswith('# '):
title = line[2:].strip() title = line[2:].strip()
template = main_header template = main_header
description = description + ', ' + title
elif line.startswith('## '): elif line.startswith('## '):
title = line[3:].strip() title = line[3:].strip()
template = sub_header template = sub_header
else: else:
continue continue
if not main_title:
main_title = title
anchor = title.lower().replace(' ', '-').replace(':-', '-').replace("'", '').replace('?', '').replace('.', '') anchor = title.lower().replace(' ', '-').replace(':-', '-').replace("'", '').replace('?', '').replace('.', '')
template = template.replace('{{ title }}', title) template = template.replace('{{ title }}', title)
template = template.replace('{{ anchor }}', anchor) template = template.replace('{{ anchor }}', anchor)
toc += template + '\n' toc += template + '\n'
if filename == 'index.md':
main_title = 'Django REST framework - APIs made easy'
else:
main_title = 'Django REST framework - ' + main_title
content = markdown.markdown(text, ['headerid']) content = markdown.markdown(text, ['headerid'])
output = page.replace('{{ content }}', content).replace('{{ toc }}', toc).replace('{{ base_url }}', base_url).replace('{{ suffix }}', suffix).replace('{{ index }}', index) output = page.replace('{{ content }}', content).replace('{{ toc }}', toc).replace('{{ base_url }}', base_url).replace('{{ suffix }}', suffix).replace('{{ index }}', index)
output = output.replace('{{ title }}', main_title)
output = output.replace('{{ description }}', description)
output = output.replace('{{ page_id }}', filename[:-3]) output = output.replace('{{ page_id }}', filename[:-3])
output = re.sub(r'a href="([^"]*)\.md"', r'a href="\1%s"' % suffix, output) output = re.sub(r'a href="([^"]*)\.md"', r'a href="\1%s"' % suffix, output)
output = re.sub(r'<pre><code>:::bash', r'<pre class="prettyprint lang-bsh">', output) output = re.sub(r'<pre><code>:::bash', r'<pre class="prettyprint lang-bsh">', output)
......
optionals.txt
markdown>=2.1.0 markdown>=2.1.0
PyYAML>=3.10 PyYAML>=3.10
defusedxml>=0.3
django-filter>=0.5.4 django-filter>=0.5.4
django-oauth-plus>=2.0
oauth2>=1.5.211
django-oauth2-provider>=0.2.3
rest_framework/__init__.py
__version__ = '2.1.16' __version__ = '2.2.4'
VERSION = __version__ # synonym VERSION = __version__ # synonym
# Header encoding (see RFC5987)
HTTP_HEADER_ENCODING = 'iso-8859-1'
# Default datetime input and output formats
ISO_8601 = 'iso-8601'
rest_framework/authtoken/migrations/0001_initial.py
...@@ -4,6 +4,8 @@ from south.db import db ...@@ -4,6 +4,8 @@ from south.db import db
from south.v2 import SchemaMigration from south.v2 import SchemaMigration
from django.db import models from django.db import models
from rest_framework.settings import api_settings
try: try:
from django.contrib.auth import get_user_model from django.contrib.auth import get_user_model
...@@ -45,20 +47,7 @@ class Migration(SchemaMigration): ...@@ -45,20 +47,7 @@ class Migration(SchemaMigration):
'name': ('django.db.models.fields.CharField', [], {'max_length': '50'}) 'name': ('django.db.models.fields.CharField', [], {'max_length': '50'})
}, },
"%s.%s" % (User._meta.app_label, User._meta.module_name): { "%s.%s" % (User._meta.app_label, User._meta.module_name): {
'Meta': {'object_name': 'User'}, 'Meta': {'object_name': User._meta.module_name},
'date_joined': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}),
'email': ('django.db.models.fields.EmailField', [], {'max_length': '75', 'blank': 'True'}),
'first_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}),
'groups': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Group']", 'symmetrical': 'False', 'blank': 'True'}),
'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
'is_active': ('django.db.models.fields.BooleanField', [], {'default': 'True'}),
'is_staff': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
'is_superuser': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
'last_login': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}),
'last_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}),
'password': ('django.db.models.fields.CharField', [], {'max_length': '128'}),
'user_permissions': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Permission']", 'symmetrical': 'False', 'blank': 'True'}),
'username': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '30'})
}, },
'authtoken.token': { 'authtoken.token': {
'Meta': {'object_name': 'Token'}, 'Meta': {'object_name': 'Token'},
......
rest_framework/authtoken/models.py
...@@ -2,6 +2,7 @@ import uuid ...@@ -2,6 +2,7 @@ import uuid
import hmac import hmac
from hashlib import sha1 from hashlib import sha1
from rest_framework.compat import User from rest_framework.compat import User
from django.conf import settings
from django.db import models from django.db import models
...@@ -13,14 +14,22 @@ class Token(models.Model): ...@@ -13,14 +14,22 @@ class Token(models.Model):
user = models.OneToOneField(User, related_name='auth_token') user = models.OneToOneField(User, related_name='auth_token')
created = models.DateTimeField(auto_now_add=True) created = models.DateTimeField(auto_now_add=True)
class Meta:
# Work around for a bug in Django:
# https://code.djangoproject.com/ticket/19422
#
# Also see corresponding ticket:
# https://github.com/tomchristie/django-rest-framework/issues/705
abstract = 'rest_framework.authtoken' not in settings.INSTALLED_APPS
def save(self, *args, **kwargs): def save(self, *args, **kwargs):
if not self.key: if not self.key:
self.key = self.generate_key() self.key = self.generate_key()
return super(Token, self).save(*args, **kwargs) return super(Token, self).save(*args, **kwargs)
def generate_key(self): def generate_key(self):
unique = str(uuid.uuid4()) unique = uuid.uuid4()
return hmac.new(unique, digestmod=sha1).hexdigest() return hmac.new(unique.bytes, digestmod=sha1).hexdigest()
def __unicode__(self): def __unicode__(self):
return self.key return self.key
rest_framework/compat.py
...@@ -3,26 +3,56 @@ The `compat` module provides support for backwards compatibility with older ...@@ -3,26 +3,56 @@ The `compat` module provides support for backwards compatibility with older
versions of django/python, and compatibility wrappers around optional packages. versions of django/python, and compatibility wrappers around optional packages.
""" """
# flake8: noqa # flake8: noqa
from __future__ import unicode_literals
import django import django
# Try to import six from Django, fallback to included `six`.
try:
from django.utils import six
except ImportError:
from rest_framework import six
# location of patterns, url, include changes in 1.4 onwards # location of patterns, url, include changes in 1.4 onwards
try: try:
from django.conf.urls import patterns, url, include from django.conf.urls import patterns, url, include
except: except ImportError:
from django.conf.urls.defaults import patterns, url, include from django.conf.urls.defaults import patterns, url, include
# Handle django.utils.encoding rename:
# smart_unicode -> smart_text
# force_unicode -> force_text
try:
from django.utils.encoding import smart_text
except ImportError:
from django.utils.encoding import smart_unicode as smart_text
try:
from django.utils.encoding import force_text
except ImportError:
from django.utils.encoding import force_unicode as force_text
# django-filter is optional # django-filter is optional
try: try:
import django_filters import django_filters
except: except ImportError:
django_filters = None django_filters = None
# cStringIO only if it's available, otherwise StringIO # cStringIO only if it's available, otherwise StringIO
try: try:
import cStringIO as StringIO import cStringIO.StringIO as StringIO
except ImportError:
StringIO = six.StringIO
BytesIO = six.BytesIO
# urlparse compat import (Required because it changed in python 3.x)
try:
from urllib import parse as urlparse
except ImportError: except ImportError:
import StringIO import urlparse
# Try to import PIL in either of the two ways it can end up installed. # Try to import PIL in either of the two ways it can end up installed.
...@@ -54,7 +84,7 @@ else: ...@@ -54,7 +84,7 @@ else:
try: try:
from django.contrib.auth.models import User from django.contrib.auth.models import User
except ImportError: except ImportError:
raise ImportError(u"User model is not to be found.") raise ImportError("User model is not to be found.")
# First implementation of Django class-based views did not include head method # First implementation of Django class-based views did not include head method
...@@ -75,11 +105,11 @@ else: ...@@ -75,11 +105,11 @@ else:
# sanitize keyword arguments # sanitize keyword arguments
for key in initkwargs: for key in initkwargs:
if key in cls.http_method_names: if key in cls.http_method_names:
raise TypeError(u"You tried to pass in the %s method name as a " raise TypeError("You tried to pass in the %s method name as a "
u"keyword argument to %s(). Don't do that." "keyword argument to %s(). Don't do that."
% (key, cls.__name__)) % (key, cls.__name__))
if not hasattr(cls, key): if not hasattr(cls, key):
raise TypeError(u"%s() received an invalid keyword %r" % ( raise TypeError("%s() received an invalid keyword %r" % (
cls.__name__, key)) cls.__name__, key))
def view(request, *args, **kwargs): def view(request, *args, **kwargs):
...@@ -110,7 +140,6 @@ else: ...@@ -110,7 +140,6 @@ else:
import re import re
import random import random
import logging import logging
import urlparse
from django.conf import settings from django.conf import settings
from django.core.urlresolvers import get_callable from django.core.urlresolvers import get_callable
...@@ -152,7 +181,8 @@ else: ...@@ -152,7 +181,8 @@ else:
randrange = random.SystemRandom().randrange randrange = random.SystemRandom().randrange
else: else:
randrange = random.randrange randrange = random.randrange
_MAX_CSRF_KEY = 18446744073709551616L # 2 << 63
_MAX_CSRF_KEY = 18446744073709551616 # 2 << 63
REASON_NO_REFERER = "Referer checking failed - no Referer." REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match %s." REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."
...@@ -319,7 +349,7 @@ except ImportError: ...@@ -319,7 +349,7 @@ except ImportError:
# dateparse is ALSO new in Django 1.4 # dateparse is ALSO new in Django 1.4
try: try:
from django.utils.dateparse import parse_date, parse_datetime from django.utils.dateparse import parse_date, parse_datetime, parse_time
except ImportError: except ImportError:
import datetime import datetime
import re import re
...@@ -391,8 +421,39 @@ except ImportError: ...@@ -391,8 +421,39 @@ except ImportError:
yaml = None yaml = None
# xml.etree.parse only throws ParseError for python >= 2.7 # XML is optional
try:
import defusedxml.ElementTree as etree
except ImportError:
etree = None
# OAuth is optional
try: try:
from xml.etree import ParseError as ETParseError # Note: The `oauth2` package actually provides oauth1.0a support. Urg.
except ImportError: # python < 2.7 import oauth2 as oauth
ETParseError = None except ImportError:
oauth = None
# OAuth is optional
try:
import oauth_provider
from oauth_provider.store import store as oauth_provider_store
except ImportError:
oauth_provider = None
oauth_provider_store = None
# OAuth 2 support is optional
try:
import provider.oauth2 as oauth2_provider
from provider.oauth2 import backends as oauth2_provider_backends
from provider.oauth2 import models as oauth2_provider_models
from provider.oauth2 import forms as oauth2_provider_forms
from provider import scope as oauth2_provider_scope
from provider import constants as oauth2_constants
except ImportError:
oauth2_provider = None
oauth2_provider_backends = None
oauth2_provider_models = None
oauth2_provider_forms = None
oauth2_provider_scope = None
oauth2_constants = None
rest_framework/decorators.py
from __future__ import unicode_literals
from rest_framework.compat import six
from rest_framework.views import APIView from rest_framework.views import APIView
import types
def api_view(http_method_names): def api_view(http_method_names):
...@@ -11,7 +14,7 @@ def api_view(http_method_names): ...@@ -11,7 +14,7 @@ def api_view(http_method_names):
def decorator(func): def decorator(func):
WrappedAPIView = type( WrappedAPIView = type(
'WrappedAPIView', six.PY3 and 'WrappedAPIView' or b'WrappedAPIView',
(APIView,), (APIView,),
{'__doc__': func.__doc__} {'__doc__': func.__doc__}
) )
...@@ -23,6 +26,14 @@ def api_view(http_method_names): ...@@ -23,6 +26,14 @@ def api_view(http_method_names):
# pass # pass
# WrappedAPIView.__doc__ = func.doc <--- Not possible to do this # WrappedAPIView.__doc__ = func.doc <--- Not possible to do this
# api_view applied without (method_names)
assert not(isinstance(http_method_names, types.FunctionType)), \
'@api_view missing list of allowed HTTP methods'
# api_view applied with eg. string instead of list of strings
assert isinstance(http_method_names, (list, tuple)), \
'@api_view expected a list of strings, recieved %s' % type(http_method_names).__name__
allowed_methods = set(http_method_names) | set(('options',)) allowed_methods = set(http_method_names) | set(('options',))
WrappedAPIView.http_method_names = [method.lower() for method in allowed_methods] WrappedAPIView.http_method_names = [method.lower() for method in allowed_methods]
......
rest_framework/exceptions.py
...@@ -4,6 +4,7 @@ Handled exceptions raised by REST framework. ...@@ -4,6 +4,7 @@ Handled exceptions raised by REST framework.
In addition Django's built in 403 and 404 exceptions are handled. In addition Django's built in 403 and 404 exceptions are handled.
(`django.http.Http404` and `django.core.exceptions.PermissionDenied`) (`django.http.Http404` and `django.core.exceptions.PermissionDenied`)
""" """
from __future__ import unicode_literals
from rest_framework import status from rest_framework import status
...@@ -23,6 +24,22 @@ class ParseError(APIException): ...@@ -23,6 +24,22 @@ class ParseError(APIException):
self.detail = detail or self.default_detail self.detail = detail or self.default_detail
class AuthenticationFailed(APIException):
status_code = status.HTTP_401_UNAUTHORIZED
default_detail = 'Incorrect authentication credentials.'
def __init__(self, detail=None):
self.detail = detail or self.default_detail
class NotAuthenticated(APIException):
status_code = status.HTTP_401_UNAUTHORIZED
default_detail = 'Authentication credentials were not provided.'
def __init__(self, detail=None):
self.detail = detail or self.default_detail
class PermissionDenied(APIException): class PermissionDenied(APIException):
status_code = status.HTTP_403_FORBIDDEN status_code = status.HTTP_403_FORBIDDEN
default_detail = 'You do not have permission to perform this action.' default_detail = 'You do not have permission to perform this action.'
......
rest_framework/filters.py
from __future__ import unicode_literals
from rest_framework.compat import django_filters from rest_framework.compat import django_filters
FilterSet = django_filters and django_filters.FilterSet or None FilterSet = django_filters and django_filters.FilterSet or None
...@@ -54,6 +55,6 @@ class DjangoFilterBackend(BaseFilterBackend): ...@@ -54,6 +55,6 @@ class DjangoFilterBackend(BaseFilterBackend):
filter_class = self.get_filter_class(view) filter_class = self.get_filter_class(view)
if filter_class: if filter_class:
return filter_class(request.GET, queryset=queryset) return filter_class(request.QUERY_PARAMS, queryset=queryset)
return queryset return queryset
rest_framework/generics.py
""" """
Generic views that provide commonly needed behaviour. Generic views that provide commonly needed behaviour.
""" """
from __future__ import unicode_literals
from rest_framework import views, mixins from rest_framework import views, mixins
from rest_framework.settings import api_settings from rest_framework.settings import api_settings
from django.views.generic.detail import SingleObjectMixin from django.views.generic.detail import SingleObjectMixin
...@@ -18,6 +18,16 @@ class GenericAPIView(views.APIView): ...@@ -18,6 +18,16 @@ class GenericAPIView(views.APIView):
model = None model = None
serializer_class = None serializer_class = None
model_serializer_class = api_settings.DEFAULT_MODEL_SERIALIZER_CLASS model_serializer_class = api_settings.DEFAULT_MODEL_SERIALIZER_CLASS
filter_backend = api_settings.FILTER_BACKEND
def filter_queryset(self, queryset):
"""
Given a queryset, filter it with whichever filter backend is in use.
"""
if not self.filter_backend:
return queryset
backend = self.filter_backend()
return backend.filter_queryset(self.request, queryset, self)
def get_serializer_context(self): def get_serializer_context(self):
""" """
...@@ -48,7 +58,7 @@ class GenericAPIView(views.APIView): ...@@ -48,7 +58,7 @@ class GenericAPIView(views.APIView):
return serializer_class return serializer_class
def get_serializer(self, instance=None, data=None, def get_serializer(self, instance=None, data=None,
files=None, partial=False): files=None, many=False, partial=False):
""" """
Return the serializer instance that should be used for validating and Return the serializer instance that should be used for validating and
deserializing input, and for serializing output. deserializing input, and for serializing output.
...@@ -56,7 +66,21 @@ class GenericAPIView(views.APIView): ...@@ -56,7 +66,21 @@ class GenericAPIView(views.APIView):
serializer_class = self.get_serializer_class() serializer_class = self.get_serializer_class()
context = self.get_serializer_context() context = self.get_serializer_context()
return serializer_class(instance, data=data, files=files, return serializer_class(instance, data=data, files=files,
partial=partial, context=context) many=many, partial=partial, context=context)
def pre_save(self, obj):
"""
Placeholder method for calling before saving an object.
May be used eg. to set attributes on the object that are implicit
in either the request, or the url.
"""
pass
def post_save(self, obj, created=False):
"""
Placeholder method for calling after saving an object.
"""
pass
def pre_save(self, obj): def pre_save(self, obj):
pass pass
...@@ -70,16 +94,6 @@ class MultipleObjectAPIView(MultipleObjectMixin, GenericAPIView): ...@@ -70,16 +94,6 @@ class MultipleObjectAPIView(MultipleObjectMixin, GenericAPIView):
paginate_by = api_settings.PAGINATE_BY paginate_by = api_settings.PAGINATE_BY
paginate_by_param = api_settings.PAGINATE_BY_PARAM paginate_by_param = api_settings.PAGINATE_BY_PARAM
pagination_serializer_class = api_settings.DEFAULT_PAGINATION_SERIALIZER_CLASS pagination_serializer_class = api_settings.DEFAULT_PAGINATION_SERIALIZER_CLASS
filter_backend = api_settings.FILTER_BACKEND
def filter_queryset(self, queryset):
"""
Given a queryset, filter it with whichever filter backend is in use.
"""
if not self.filter_backend:
return queryset
backend = self.filter_backend()
return backend.filter_queryset(self.request, queryset, self)
def get_pagination_serializer(self, page=None): def get_pagination_serializer(self, page=None):
""" """
...@@ -120,8 +134,7 @@ class SingleObjectAPIView(SingleObjectMixin, GenericAPIView): ...@@ -120,8 +134,7 @@ class SingleObjectAPIView(SingleObjectMixin, GenericAPIView):
Override default to add support for object-level permissions. Override default to add support for object-level permissions.
""" """
obj = super(SingleObjectAPIView, self).get_object(queryset) obj = super(SingleObjectAPIView, self).get_object(queryset)
if not self.has_permission(self.request, obj): self.check_object_permissions(self.request, obj)
self.permission_denied(self.request)
return obj return obj
......
rest_framework/mixins.py
...@@ -4,22 +4,48 @@ Basic building blocks for generic class based views. ...@@ -4,22 +4,48 @@ Basic building blocks for generic class based views.
We don't bind behaviour to http method handlers yet, We don't bind behaviour to http method handlers yet,
which allows mixin classes to be composed in interesting ways. which allows mixin classes to be composed in interesting ways.
""" """
from __future__ import unicode_literals
from django.http import Http404 from django.http import Http404
from rest_framework import status from rest_framework import status
from rest_framework.response import Response from rest_framework.response import Response
from rest_framework.request import clone_request
def _get_validation_exclusions(obj, pk=None, slug_field=None):
"""
Given a model instance, and an optional pk and slug field,
return the full list of all other field names on that model.
For use when performing full_clean on a model instance,
so we only clean the required fields.
"""
include = []
if pk:
pk_field = obj._meta.pk
while pk_field.rel:
pk_field = pk_field.rel.to._meta.pk
include.append(pk_field.name)
if slug_field:
include.append(slug_field)
return [field.name for field in obj._meta.fields if field.name not in include]
class CreateModelMixin(object): class CreateModelMixin(object):
""" """
Create a model instance. Create a model instance.
Should be mixed in with any `BaseView`. Should be mixed in with any `GenericAPIView`.
""" """
def create(self, request, *args, **kwargs): def create(self, request, *args, **kwargs):
serializer = self.get_serializer(data=request.DATA, files=request.FILES) serializer = self.get_serializer(data=request.DATA, files=request.FILES)
if serializer.is_valid(): if serializer.is_valid():
self.pre_save(serializer.object) self.pre_save(serializer.object)
self.object = serializer.save() self.object = serializer.save(force_insert=True)
self.post_save(self.object, created=True)
headers = self.get_success_headers(serializer.data) headers = self.get_success_headers(serializer.data)
return Response(serializer.data, status=status.HTTP_201_CREATED, return Response(serializer.data, status=status.HTTP_201_CREATED,
headers=headers) headers=headers)
...@@ -38,7 +64,7 @@ class ListModelMixin(object): ...@@ -38,7 +64,7 @@ class ListModelMixin(object):
List a queryset. List a queryset.
Should be mixed in with `MultipleObjectAPIView`. Should be mixed in with `MultipleObjectAPIView`.
""" """
empty_error = u"Empty list and '%(class_name)s.allow_empty' is False." empty_error = "Empty list and '%(class_name)s.allow_empty' is False."
def list(self, request, *args, **kwargs): def list(self, request, *args, **kwargs):
queryset = self.get_queryset() queryset = self.get_queryset()
...@@ -60,7 +86,7 @@ class ListModelMixin(object): ...@@ -60,7 +86,7 @@ class ListModelMixin(object):
paginator, page, queryset, is_paginated = packed paginator, page, queryset, is_paginated = packed
serializer = self.get_pagination_serializer(page) serializer = self.get_pagination_serializer(page)
else: else:
serializer = self.get_serializer(self.object_list) serializer = self.get_serializer(self.object_list, many=True)
return Response(serializer.data) return Response(serializer.data)
...@@ -68,10 +94,12 @@ class ListModelMixin(object): ...@@ -68,10 +94,12 @@ class ListModelMixin(object):
class RetrieveModelMixin(object): class RetrieveModelMixin(object):
""" """
Retrieve a model instance. Retrieve a model instance.
Should be mixed in with `SingleObjectBaseView`. Should be mixed in with `SingleObjectAPIView`.
""" """
def retrieve(self, request, *args, **kwargs): def retrieve(self, request, *args, **kwargs):
self.object = self.get_object() queryset = self.get_queryset()
filtered_queryset = self.filter_queryset(queryset)
self.object = self.get_object(filtered_queryset)
serializer = self.get_serializer(self.object) serializer = self.get_serializer(self.object)
return Response(serializer.data) return Response(serializer.data)
...@@ -79,23 +107,32 @@ class RetrieveModelMixin(object): ...@@ -79,23 +107,32 @@ class RetrieveModelMixin(object):
class UpdateModelMixin(object): class UpdateModelMixin(object):
""" """
Update a model instance. Update a model instance.
Should be mixed in with `SingleObjectBaseView`. Should be mixed in with `SingleObjectAPIView`.
""" """
def update(self, request, *args, **kwargs): def update(self, request, *args, **kwargs):
partial = kwargs.pop('partial', False) partial = kwargs.pop('partial', False)
self.object = None
try: try:
self.object = self.get_object() self.object = self.get_object()
success_status_code = status.HTTP_200_OK
except Http404: except Http404:
self.object = None # If this is a PUT-as-create operation, we need to ensure that
# we have relevant permissions, as if this was a POST request.
self.check_permissions(clone_request(request, 'POST'))
created = True
save_kwargs = {'force_insert': True}
success_status_code = status.HTTP_201_CREATED success_status_code = status.HTTP_201_CREATED
else:
created = False
save_kwargs = {'force_update': True}
success_status_code = status.HTTP_200_OK
serializer = self.get_serializer(self.object, data=request.DATA, serializer = self.get_serializer(self.object, data=request.DATA,
files=request.FILES, partial=partial) files=request.FILES, partial=partial)
if serializer.is_valid(): if serializer.is_valid():
self.pre_save(serializer.object) self.pre_save(serializer.object)
self.object = serializer.save() self.object = serializer.save(**save_kwargs)
self.post_save(self.object, created=created)
return Response(serializer.data, status=success_status_code) return Response(serializer.data, status=success_status_code)
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
...@@ -106,24 +143,26 @@ class UpdateModelMixin(object): ...@@ -106,24 +143,26 @@ class UpdateModelMixin(object):
""" """
# pk and/or slug attributes are implicit in the URL. # pk and/or slug attributes are implicit in the URL.
pk = self.kwargs.get(self.pk_url_kwarg, None) pk = self.kwargs.get(self.pk_url_kwarg, None)
slug = self.kwargs.get(self.slug_url_kwarg, None)
slug_field = slug and self.get_slug_field() or None
if pk: if pk:
setattr(obj, 'pk', pk) setattr(obj, 'pk', pk)
slug = self.kwargs.get(self.slug_url_kwarg, None)
if slug: if slug:
slug_field = self.get_slug_field()
setattr(obj, slug_field, slug) setattr(obj, slug_field, slug)
# Ensure we clean the attributes so that we don't eg return integer # Ensure we clean the attributes so that we don't eg return integer
# pk using a string representation, as provided by the url conf kwarg. # pk using a string representation, as provided by the url conf kwarg.
if hasattr(obj, 'full_clean'): if hasattr(obj, 'full_clean'):
obj.full_clean() exclude = _get_validation_exclusions(obj, pk, slug_field)
obj.full_clean(exclude)
class DestroyModelMixin(object): class DestroyModelMixin(object):
""" """
Destroy a model instance. Destroy a model instance.
Should be mixed in with `SingleObjectBaseView`. Should be mixed in with `SingleObjectAPIView`.
""" """
def destroy(self, request, *args, **kwargs): def destroy(self, request, *args, **kwargs):
obj = self.get_object() obj = self.get_object()
......
rest_framework/negotiation.py
from __future__ import unicode_literals
from django.http import Http404 from django.http import Http404
from rest_framework import exceptions from rest_framework import exceptions
from rest_framework.settings import api_settings from rest_framework.settings import api_settings
...@@ -33,7 +34,7 @@ class DefaultContentNegotiation(BaseContentNegotiation): ...@@ -33,7 +34,7 @@ class DefaultContentNegotiation(BaseContentNegotiation):
""" """
# Allow URL style format override. eg. "?format=json # Allow URL style format override. eg. "?format=json
format_query_param = self.settings.URL_FORMAT_OVERRIDE format_query_param = self.settings.URL_FORMAT_OVERRIDE
format = format_suffix or request.GET.get(format_query_param) format = format_suffix or request.QUERY_PARAMS.get(format_query_param)
if format: if format:
renderers = self.filter_renderers(renderers, format) renderers = self.filter_renderers(renderers, format)
...@@ -80,5 +81,5 @@ class DefaultContentNegotiation(BaseContentNegotiation): ...@@ -80,5 +81,5 @@ class DefaultContentNegotiation(BaseContentNegotiation):
Allows URL style accept override. eg. "?accept=application/json" Allows URL style accept override. eg. "?accept=application/json"
""" """
header = request.META.get('HTTP_ACCEPT', '*/*') header = request.META.get('HTTP_ACCEPT', '*/*')
header = request.GET.get(self.settings.URL_ACCEPT_OVERRIDE, header) header = request.QUERY_PARAMS.get(self.settings.URL_ACCEPT_OVERRIDE, header)
return [token.strip() for token in header.split(',')] return [token.strip() for token in header.split(',')]
rest_framework/pagination.py
from __future__ import unicode_literals
from rest_framework import serializers from rest_framework import serializers
from rest_framework.templatetags.rest_framework import replace_query_param from rest_framework.templatetags.rest_framework import replace_query_param
...@@ -34,6 +35,17 @@ class PreviousPageField(serializers.Field): ...@@ -34,6 +35,17 @@ class PreviousPageField(serializers.Field):
return replace_query_param(url, self.page_field, page) return replace_query_param(url, self.page_field, page)
class DefaultObjectSerializer(serializers.Field):
"""
If no object serializer is specified, then this serializer will be applied
as the default.
"""
def __init__(self, source=None, context=None):
# Note: Swallow context kwarg - only required for eg. ModelSerializer.
super(DefaultObjectSerializer, self).__init__(source=source)
class PaginationSerializerOptions(serializers.SerializerOptions): class PaginationSerializerOptions(serializers.SerializerOptions):
""" """
An object that stores the options that may be provided to a An object that stores the options that may be provided to a
...@@ -44,7 +56,7 @@ class PaginationSerializerOptions(serializers.SerializerOptions): ...@@ -44,7 +56,7 @@ class PaginationSerializerOptions(serializers.SerializerOptions):
def __init__(self, meta): def __init__(self, meta):
super(PaginationSerializerOptions, self).__init__(meta) super(PaginationSerializerOptions, self).__init__(meta)
self.object_serializer_class = getattr(meta, 'object_serializer_class', self.object_serializer_class = getattr(meta, 'object_serializer_class',
serializers.Field) DefaultObjectSerializer)
class BasePaginationSerializer(serializers.Serializer): class BasePaginationSerializer(serializers.Serializer):
...@@ -62,14 +74,13 @@ class BasePaginationSerializer(serializers.Serializer): ...@@ -62,14 +74,13 @@ class BasePaginationSerializer(serializers.Serializer):
super(BasePaginationSerializer, self).__init__(*args, **kwargs) super(BasePaginationSerializer, self).__init__(*args, **kwargs)
results_field = self.results_field results_field = self.results_field
object_serializer = self.opts.object_serializer_class object_serializer = self.opts.object_serializer_class
self.fields[results_field] = object_serializer(source='object_list')
def to_native(self, obj): if 'context' in kwargs:
""" context_kwarg = {'context': kwargs['context']}
Prevent default behaviour of iterating over elements, and serializing else:
each in turn. context_kwarg = {}
"""
return self.convert_object(obj) self.fields[results_field] = object_serializer(source='object_list', **context_kwarg)
class PaginationSerializer(BasePaginationSerializer): class PaginationSerializer(BasePaginationSerializer):
......
rest_framework/parsers.py
...@@ -4,14 +4,14 @@ Parsers are used to parse the content of incoming HTTP requests. ...@@ -4,14 +4,14 @@ Parsers are used to parse the content of incoming HTTP requests.
They give us a generic way of being able to handle various media types They give us a generic way of being able to handle various media types
on the request, such as form content or json encoded data. on the request, such as form content or json encoded data.
""" """
from __future__ import unicode_literals
from django.conf import settings
from django.http import QueryDict from django.http import QueryDict
from django.http.multipartparser import MultiPartParser as DjangoMultiPartParser from django.http.multipartparser import MultiPartParser as DjangoMultiPartParser
from django.http.multipartparser import MultiPartParserError from django.http.multipartparser import MultiPartParserError
from rest_framework.compat import yaml, ETParseError from rest_framework.compat import yaml, etree
from rest_framework.exceptions import ParseError from rest_framework.exceptions import ParseError
from xml.etree import ElementTree as ET from rest_framework.compat import six
from xml.parsers.expat import ExpatError
import json import json
import datetime import datetime
import decimal import decimal
...@@ -54,10 +54,14 @@ class JSONParser(BaseParser): ...@@ -54,10 +54,14 @@ class JSONParser(BaseParser):
`data` will be an object which is the parsed content of the response. `data` will be an object which is the parsed content of the response.
`files` will always be `None`. `files` will always be `None`.
""" """
parser_context = parser_context or {}
encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
try: try:
return json.load(stream) data = stream.read().decode(encoding)
except ValueError, exc: return json.loads(data)
raise ParseError('JSON parse error - %s' % unicode(exc)) except ValueError as exc:
raise ParseError('JSON parse error - %s' % six.text_type(exc))
class YAMLParser(BaseParser): class YAMLParser(BaseParser):
...@@ -74,10 +78,16 @@ class YAMLParser(BaseParser): ...@@ -74,10 +78,16 @@ class YAMLParser(BaseParser):
`data` will be an object which is the parsed content of the response. `data` will be an object which is the parsed content of the response.
`files` will always be `None`. `files` will always be `None`.
""" """
assert yaml, 'YAMLParser requires pyyaml to be installed'
parser_context = parser_context or {}
encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
try: try:
return yaml.safe_load(stream) data = stream.read().decode(encoding)
except (ValueError, yaml.parser.ParserError), exc: return yaml.safe_load(data)
raise ParseError('YAML parse error - %s' % unicode(exc)) except (ValueError, yaml.parser.ParserError) as exc:
raise ParseError('YAML parse error - %s' % six.u(exc))
class FormParser(BaseParser): class FormParser(BaseParser):
...@@ -94,7 +104,9 @@ class FormParser(BaseParser): ...@@ -94,7 +104,9 @@ class FormParser(BaseParser):
`data` will be a :class:`QueryDict` containing all the form parameters. `data` will be a :class:`QueryDict` containing all the form parameters.
`files` will always be :const:`None`. `files` will always be :const:`None`.
""" """
data = QueryDict(stream.read()) parser_context = parser_context or {}
encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
data = QueryDict(stream.read(), encoding=encoding)
return data return data
...@@ -114,15 +126,16 @@ class MultiPartParser(BaseParser): ...@@ -114,15 +126,16 @@ class MultiPartParser(BaseParser):
""" """
parser_context = parser_context or {} parser_context = parser_context or {}
request = parser_context['request'] request = parser_context['request']
encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
meta = request.META meta = request.META
upload_handlers = request.upload_handlers upload_handlers = request.upload_handlers
try: try:
parser = DjangoMultiPartParser(meta, stream, upload_handlers) parser = DjangoMultiPartParser(meta, stream, upload_handlers, encoding)
data, files = parser.parse() data, files = parser.parse()
return DataAndFiles(data, files) return DataAndFiles(data, files)
except MultiPartParserError, exc: except MultiPartParserError as exc:
raise ParseError('Multipart form parse error - %s' % unicode(exc)) raise ParseError('Multipart form parse error - %s' % six.u(exc))
class XMLParser(BaseParser): class XMLParser(BaseParser):
...@@ -133,10 +146,15 @@ class XMLParser(BaseParser): ...@@ -133,10 +146,15 @@ class XMLParser(BaseParser):
media_type = 'application/xml' media_type = 'application/xml'
def parse(self, stream, media_type=None, parser_context=None): def parse(self, stream, media_type=None, parser_context=None):
assert etree, 'XMLParser requires defusedxml to be installed'
parser_context = parser_context or {}
encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
parser = etree.DefusedXMLParser(encoding=encoding)
try: try:
tree = ET.parse(stream) tree = etree.parse(stream, parser=parser, forbid_dtd=True)
except (ExpatError, ETParseError, ValueError), exc: except (etree.ParseError, ValueError) as exc:
raise ParseError('XML parse error - %s' % unicode(exc)) raise ParseError('XML parse error - %s' % six.u(exc))
data = self._xml_convert(tree.getroot()) data = self._xml_convert(tree.getroot())
return data return data
...@@ -146,7 +164,7 @@ class XMLParser(BaseParser): ...@@ -146,7 +164,7 @@ class XMLParser(BaseParser):
convert the xml `element` into the corresponding python object convert the xml `element` into the corresponding python object
""" """
children = element.getchildren() children = list(element)
if len(children) == 0: if len(children) == 0:
return self._type_convert(element.text) return self._type_convert(element.text)
......
rest_framework/permissions.py
""" """
Provides a set of pluggable permission policies. Provides a set of pluggable permission policies.
""" """
from __future__ import unicode_literals
import inspect
import warnings
SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'] SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']
from rest_framework.compat import oauth2_provider_scope, oauth2_constants
class BasePermission(object): class BasePermission(object):
""" """
A base class from which all permission classes should inherit. A base class from which all permission classes should inherit.
""" """
def has_permission(self, request, view, obj=None): def has_permission(self, request, view):
"""
Return `True` if permission is granted, `False` otherwise.
"""
return True
def has_object_permission(self, request, view, obj):
""" """
Return `True` if permission is granted, `False` otherwise. Return `True` if permission is granted, `False` otherwise.
""" """
raise NotImplementedError(".has_permission() must be overridden.") if len(inspect.getargspec(self.has_permission)[0]) == 4:
warnings.warn('The `obj` argument in `has_permission` is due to be deprecated. '
'Use `has_object_permission()` instead for object permissions.',
PendingDeprecationWarning, stacklevel=2)
return self.has_permission(request, view, obj)
return True
class AllowAny(BasePermission): class AllowAny(BasePermission):
...@@ -25,7 +40,7 @@ class AllowAny(BasePermission): ...@@ -25,7 +40,7 @@ class AllowAny(BasePermission):
permission_classes list, but it's useful because it makes the intention permission_classes list, but it's useful because it makes the intention
more explicit. more explicit.
""" """
def has_permission(self, request, view, obj=None): def has_permission(self, request, view):
return True return True
...@@ -34,7 +49,7 @@ class IsAuthenticated(BasePermission): ...@@ -34,7 +49,7 @@ class IsAuthenticated(BasePermission):
Allows access only to authenticated users. Allows access only to authenticated users.
""" """
def has_permission(self, request, view, obj=None): def has_permission(self, request, view):
if request.user and request.user.is_authenticated(): if request.user and request.user.is_authenticated():
return True return True
return False return False
...@@ -45,7 +60,7 @@ class IsAdminUser(BasePermission): ...@@ -45,7 +60,7 @@ class IsAdminUser(BasePermission):
Allows access only to admin users. Allows access only to admin users.
""" """
def has_permission(self, request, view, obj=None): def has_permission(self, request, view):
if request.user and request.user.is_staff: if request.user and request.user.is_staff:
return True return True
return False return False
...@@ -56,7 +71,7 @@ class IsAuthenticatedOrReadOnly(BasePermission): ...@@ -56,7 +71,7 @@ class IsAuthenticatedOrReadOnly(BasePermission):
The request is authenticated as a user, or is a read-only request. The request is authenticated as a user, or is a read-only request.
""" """
def has_permission(self, request, view, obj=None): def has_permission(self, request, view):
if (request.method in SAFE_METHODS or if (request.method in SAFE_METHODS or
request.user and request.user and
request.user.is_authenticated()): request.user.is_authenticated()):
...@@ -89,6 +104,8 @@ class DjangoModelPermissions(BasePermission): ...@@ -89,6 +104,8 @@ class DjangoModelPermissions(BasePermission):
'DELETE': ['%(app_label)s.delete_%(model_name)s'], 'DELETE': ['%(app_label)s.delete_%(model_name)s'],
} }
authenticated_users_only = True
def get_required_permissions(self, method, model_cls): def get_required_permissions(self, method, model_cls):
""" """
Given a model and an HTTP method, return the list of permission Given a model and an HTTP method, return the list of permission
...@@ -100,15 +117,43 @@ class DjangoModelPermissions(BasePermission): ...@@ -100,15 +117,43 @@ class DjangoModelPermissions(BasePermission):
} }
return [perm % kwargs for perm in self.perms_map[method]] return [perm % kwargs for perm in self.perms_map[method]]
def has_permission(self, request, view, obj=None): def has_permission(self, request, view):
model_cls = getattr(view, 'model', None) model_cls = getattr(view, 'model', None)
if not model_cls: queryset = getattr(view, 'queryset', None)
return True
if model_cls is None and queryset is not None:
model_cls = queryset.model
assert model_cls, ('Cannot apply DjangoModelPermissions on a view that'
' does not have `.model` or `.queryset` property.')
perms = self.get_required_permissions(request.method, model_cls) perms = self.get_required_permissions(request.method, model_cls)
if (request.user and if (request.user and
request.user.is_authenticated() and (request.user.is_authenticated() or not self.authenticated_users_only) and
request.user.has_perms(perms, obj)): request.user.has_perms(perms)):
return True return True
return False return False
class TokenHasReadWriteScope(BasePermission):
"""
The request is authenticated as a user and the token used has the right scope
"""
def has_permission(self, request, view):
token = request.auth
read_only = request.method in SAFE_METHODS
if not token:
return False
if hasattr(token, 'resource'): # OAuth 1
return read_only or not request.auth.resource.is_readonly
elif hasattr(token, 'scope'): # OAuth 2
required = oauth2_constants.READ if read_only else oauth2_constants.WRITE
return oauth2_provider_scope.check(required, request.auth.scope)
assert False, ('TokenHasReadWriteScope requires either the'
'`OAuthAuthentication` or `OAuth2Authentication` authentication '
'class to be used.')
rest_framework/renderers.py
...@@ -6,21 +6,25 @@ on the response, such as JSON encoded data or HTML output. ...@@ -6,21 +6,25 @@ on the response, such as JSON encoded data or HTML output.
REST framework also provides an HTML renderer the renders the browsable API. REST framework also provides an HTML renderer the renders the browsable API.
""" """
from __future__ import unicode_literals
import copy import copy
import string import string
import json import json
from django import forms from django import forms
from django.http.multipartparser import parse_header from django.http.multipartparser import parse_header
from django.template import RequestContext, loader, Template from django.template import RequestContext, loader, Template
from django.utils.xmlutils import SimplerXMLGenerator
from rest_framework.compat import StringIO
from rest_framework.compat import six
from rest_framework.compat import smart_text
from rest_framework.compat import yaml from rest_framework.compat import yaml
from rest_framework.exceptions import ConfigurationError from rest_framework.exceptions import ConfigurationError
from rest_framework.settings import api_settings from rest_framework.settings import api_settings
from rest_framework.request import clone_request from rest_framework.request import clone_request
from rest_framework.utils import dict2xml
from rest_framework.utils import encoders from rest_framework.utils import encoders
from rest_framework.utils.breadcrumbs import get_breadcrumbs from rest_framework.utils.breadcrumbs import get_breadcrumbs
from rest_framework import VERSION, status from rest_framework import exceptions, parsers, status, VERSION
from rest_framework import parsers
class BaseRenderer(object): class BaseRenderer(object):
...@@ -60,7 +64,7 @@ class JSONRenderer(BaseRenderer): ...@@ -60,7 +64,7 @@ class JSONRenderer(BaseRenderer):
if accepted_media_type: if accepted_media_type:
# If the media type looks like 'application/json; indent=4', # If the media type looks like 'application/json; indent=4',
# then pretty print the result. # then pretty print the result.
base_media_type, params = parse_header(accepted_media_type) base_media_type, params = parse_header(accepted_media_type.encode('ascii'))
indent = params.get('indent', indent) indent = params.get('indent', indent)
try: try:
indent = max(min(int(indent), 8), 0) indent = max(min(int(indent), 8), 0)
...@@ -86,7 +90,7 @@ class JSONPRenderer(JSONRenderer): ...@@ -86,7 +90,7 @@ class JSONPRenderer(JSONRenderer):
Determine the name of the callback to wrap around the json output. Determine the name of the callback to wrap around the json output.
""" """
request = renderer_context.get('request', None) request = renderer_context.get('request', None)
params = request and request.GET or {} params = request and request.QUERY_PARAMS or {}
return params.get(self.callback_parameter, self.default_callback) return params.get(self.callback_parameter, self.default_callback)
def render(self, data, accepted_media_type=None, renderer_context=None): def render(self, data, accepted_media_type=None, renderer_context=None):
...@@ -100,7 +104,7 @@ class JSONPRenderer(JSONRenderer): ...@@ -100,7 +104,7 @@ class JSONPRenderer(JSONRenderer):
callback = self.get_callback(renderer_context) callback = self.get_callback(renderer_context)
json = super(JSONPRenderer, self).render(data, accepted_media_type, json = super(JSONPRenderer, self).render(data, accepted_media_type,
renderer_context) renderer_context)
return u"%s(%s);" % (callback, json) return "%s(%s);" % (callback, json)
class XMLRenderer(BaseRenderer): class XMLRenderer(BaseRenderer):
...@@ -117,7 +121,38 @@ class XMLRenderer(BaseRenderer): ...@@ -117,7 +121,38 @@ class XMLRenderer(BaseRenderer):
""" """
if data is None: if data is None:
return '' return ''
return dict2xml(data)
stream = StringIO()
xml = SimplerXMLGenerator(stream, "utf-8")
xml.startDocument()
xml.startElement("root", {})
self._to_xml(xml, data)
xml.endElement("root")
xml.endDocument()
return stream.getvalue()
def _to_xml(self, xml, data):
if isinstance(data, (list, tuple)):
for item in data:
xml.startElement("list-item", {})
self._to_xml(xml, item)
xml.endElement("list-item")
elif isinstance(data, dict):
for key, value in six.iteritems(data):
xml.startElement(key, {})
self._to_xml(xml, value)
xml.endElement(key)
elif data is None:
# Don't output any value
pass
else:
xml.characters(smart_text(data))
class YAMLRenderer(BaseRenderer): class YAMLRenderer(BaseRenderer):
...@@ -133,6 +168,8 @@ class YAMLRenderer(BaseRenderer): ...@@ -133,6 +168,8 @@ class YAMLRenderer(BaseRenderer):
""" """
Renders *obj* into serialized YAML. Renders *obj* into serialized YAML.
""" """
assert yaml, 'YAMLRenderer requires pyyaml to be installed'
if data is None: if data is None:
return '' return ''
...@@ -215,7 +252,7 @@ class TemplateHTMLRenderer(BaseRenderer): ...@@ -215,7 +252,7 @@ class TemplateHTMLRenderer(BaseRenderer):
try: try:
# Try to find an appropriate error template # Try to find an appropriate error template
return self.resolve_template(template_names) return self.resolve_template(template_names)
except: except Exception:
# Fall back to using eg '404 Not Found' # Fall back to using eg '404 Not Found'
return Template('%d %s' % (response.status_code, return Template('%d %s' % (response.status_code,
response.status_text.title())) response.status_text.title()))
...@@ -297,12 +334,10 @@ class BrowsableAPIRenderer(BaseRenderer): ...@@ -297,12 +334,10 @@ class BrowsableAPIRenderer(BaseRenderer):
if not api_settings.FORM_METHOD_OVERRIDE: if not api_settings.FORM_METHOD_OVERRIDE:
return # Cannot use form overloading return # Cannot use form overloading
request = clone_request(request, method)
try: try:
if not view.has_permission(request, obj): view.check_permissions(clone_request(request, method))
return # Don't have permission except exceptions.APIException:
except: return False # Doesn't have permissions
return # Don't have permission and exception explicitly raise
return True return True
def serializer_to_form_fields(self, serializer): def serializer_to_form_fields(self, serializer):
...@@ -333,6 +368,7 @@ class BrowsableAPIRenderer(BaseRenderer): ...@@ -333,6 +368,7 @@ class BrowsableAPIRenderer(BaseRenderer):
kwargs['label'] = k kwargs['label'] = k
fields[k] = v.form_field_class(**kwargs) fields[k] = v.form_field_class(**kwargs)
return fields return fields
def get_form(self, view, method, request): def get_form(self, view, method, request):
...@@ -345,24 +381,23 @@ class BrowsableAPIRenderer(BaseRenderer): ...@@ -345,24 +381,23 @@ class BrowsableAPIRenderer(BaseRenderer):
if not self.show_form_for_method(view, method, request, obj): if not self.show_form_for_method(view, method, request, obj):
return return
if method == 'DELETE' or method == 'OPTIONS': if method in ('DELETE', 'OPTIONS'):
return True # Don't actually need to return a form return True # Don't actually need to return a form
if not getattr(view, 'get_serializer', None) or not parsers.FormParser in view.parser_classes: if not getattr(view, 'get_serializer', None) or not parsers.FormParser in view.parser_classes:
media_types = [parser.media_type for parser in view.parser_classes] return
return self.get_generic_content_form(media_types)
serializer = view.get_serializer(instance=obj) serializer = view.get_serializer(instance=obj)
fields = self.serializer_to_form_fields(serializer) fields = self.serializer_to_form_fields(serializer)
# Creating an on the fly form see: # Creating an on the fly form see:
# http://stackoverflow.com/questions/3915024/dynamically-creating-classes-python # http://stackoverflow.com/questions/3915024/dynamically-creating-classes-python
OnTheFlyForm = type("OnTheFlyForm", (forms.Form,), fields) OnTheFlyForm = type(str("OnTheFlyForm"), (forms.Form,), fields)
data = (obj is not None) and serializer.data or None data = (obj is not None) and serializer.data or None
form_instance = OnTheFlyForm(data) form_instance = OnTheFlyForm(data)
return form_instance return form_instance
def get_generic_content_form(self, media_types): def get_raw_data_form(self, view, method, request, media_types):
""" """
Returns a form that allows for arbitrary content types to be tunneled Returns a form that allows for arbitrary content types to be tunneled
via standard HTML forms. via standard HTML forms.
...@@ -375,6 +410,11 @@ class BrowsableAPIRenderer(BaseRenderer): ...@@ -375,6 +410,11 @@ class BrowsableAPIRenderer(BaseRenderer):
and api_settings.FORM_CONTENTTYPE_OVERRIDE): and api_settings.FORM_CONTENTTYPE_OVERRIDE):
return None return None
# Check permissions
obj = getattr(view, 'object', None)
if not self.show_form_for_method(view, method, request, obj):
return
content_type_field = api_settings.FORM_CONTENTTYPE_OVERRIDE content_type_field = api_settings.FORM_CONTENTTYPE_OVERRIDE
content_field = api_settings.FORM_CONTENT_OVERRIDE content_field = api_settings.FORM_CONTENT_OVERRIDE
choices = [(media_type, media_type) for media_type in media_types] choices = [(media_type, media_type) for media_type in media_types]
...@@ -386,7 +426,7 @@ class BrowsableAPIRenderer(BaseRenderer): ...@@ -386,7 +426,7 @@ class BrowsableAPIRenderer(BaseRenderer):
super(GenericContentForm, self).__init__() super(GenericContentForm, self).__init__()
self.fields[content_type_field] = forms.ChoiceField( self.fields[content_type_field] = forms.ChoiceField(
label='Content Type', label='Media type',
choices=choices, choices=choices,
initial=initial initial=initial
) )
...@@ -401,13 +441,13 @@ class BrowsableAPIRenderer(BaseRenderer): ...@@ -401,13 +441,13 @@ class BrowsableAPIRenderer(BaseRenderer):
try: try:
return view.get_name() return view.get_name()
except AttributeError: except AttributeError:
return view.__doc__ return smart_text(view.__class__.__name__)
def get_description(self, view): def get_description(self, view):
try: try:
return view.get_description(html=True) return view.get_description(html=True)
except AttributeError: except AttributeError:
return view.__doc__ return smart_text(view.__doc__ or '')
def render(self, data, accepted_media_type=None, renderer_context=None): def render(self, data, accepted_media_type=None, renderer_context=None):
""" """
...@@ -422,15 +462,22 @@ class BrowsableAPIRenderer(BaseRenderer): ...@@ -422,15 +462,22 @@ class BrowsableAPIRenderer(BaseRenderer):
view = renderer_context['view'] view = renderer_context['view']
request = renderer_context['request'] request = renderer_context['request']
response = renderer_context['response'] response = renderer_context['response']
media_types = [parser.media_type for parser in view.parser_classes]
renderer = self.get_default_renderer(view) renderer = self.get_default_renderer(view)
content = self.get_content(renderer, data, accepted_media_type, renderer_context) content = self.get_content(renderer, data, accepted_media_type, renderer_context)
put_form = self.get_form(view, 'PUT', request) put_form = self.get_form(view, 'PUT', request)
post_form = self.get_form(view, 'POST', request) post_form = self.get_form(view, 'POST', request)
patch_form = self.get_form(view, 'PATCH', request)
delete_form = self.get_form(view, 'DELETE', request) delete_form = self.get_form(view, 'DELETE', request)
options_form = self.get_form(view, 'OPTIONS', request) options_form = self.get_form(view, 'OPTIONS', request)
raw_data_put_form = self.get_raw_data_form(view, 'PUT', request, media_types)
raw_data_post_form = self.get_raw_data_form(view, 'POST', request, media_types)
raw_data_patch_form = self.get_raw_data_form(view, 'PATCH', request, media_types)
raw_data_put_or_patch_form = raw_data_put_form or raw_data_patch_form
name = self.get_name(view) name = self.get_name(view)
description = self.get_description(view) description = self.get_description(view)
breadcrumb_list = get_breadcrumbs(request.path) breadcrumb_list = get_breadcrumbs(request.path)
...@@ -447,10 +494,18 @@ class BrowsableAPIRenderer(BaseRenderer): ...@@ -447,10 +494,18 @@ class BrowsableAPIRenderer(BaseRenderer):
'breadcrumblist': breadcrumb_list, 'breadcrumblist': breadcrumb_list,
'allowed_methods': view.allowed_methods, 'allowed_methods': view.allowed_methods,
'available_formats': [renderer.format for renderer in view.renderer_classes], 'available_formats': [renderer.format for renderer in view.renderer_classes],
'put_form': put_form, 'put_form': put_form,
'post_form': post_form, 'post_form': post_form,
'patch_form': patch_form,
'delete_form': delete_form, 'delete_form': delete_form,
'options_form': options_form, 'options_form': options_form,
'raw_data_put_form': raw_data_put_form,
'raw_data_post_form': raw_data_post_form,
'raw_data_patch_form': raw_data_patch_form,
'raw_data_put_or_patch_form': raw_data_put_or_patch_form,
'api_settings': api_settings 'api_settings': api_settings
}) })
......
rest_framework/request.py
...@@ -9,10 +9,14 @@ The wrapped request then offers a richer API, in particular : ...@@ -9,10 +9,14 @@ The wrapped request then offers a richer API, in particular :
- full support of PUT method, including support for file uploads - full support of PUT method, including support for file uploads
- form overloading of HTTP method, content type and content - form overloading of HTTP method, content type and content
""" """
from StringIO import StringIO from __future__ import unicode_literals
from django.conf import settings
from django.http import QueryDict
from django.http.multipartparser import parse_header from django.http.multipartparser import parse_header
from django.utils.datastructures import MultiValueDict
from rest_framework import HTTP_HEADER_ENCODING
from rest_framework import exceptions from rest_framework import exceptions
from rest_framework.compat import BytesIO
from rest_framework.settings import api_settings from rest_framework.settings import api_settings
...@@ -20,7 +24,7 @@ def is_form_media_type(media_type): ...@@ -20,7 +24,7 @@ def is_form_media_type(media_type):
""" """
Return True if the media type is a valid form media type. Return True if the media type is a valid form media type.
""" """
base_media_type, params = parse_header(media_type) base_media_type, params = parse_header(media_type.encode(HTTP_HEADER_ENCODING))
return (base_media_type == 'application/x-www-form-urlencoded' or return (base_media_type == 'application/x-www-form-urlencoded' or
base_media_type == 'multipart/form-data') base_media_type == 'multipart/form-data')
...@@ -42,10 +46,11 @@ def clone_request(request, method): ...@@ -42,10 +46,11 @@ def clone_request(request, method):
Internal helper method to clone a request, replacing with a different Internal helper method to clone a request, replacing with a different
HTTP method. Used for checking permissions against other methods. HTTP method. Used for checking permissions against other methods.
""" """
ret = Request(request._request, ret = Request(request=request._request,
request.parsers, parsers=request.parsers,
request.authenticators, authenticators=request.authenticators,
request.parser_context) negotiator=request.negotiator,
parser_context=request.parser_context)
ret._data = request._data ret._data = request._data
ret._files = request._files ret._files = request._files
ret._content_type = request._content_type ret._content_type = request._content_type
...@@ -55,6 +60,8 @@ def clone_request(request, method): ...@@ -55,6 +60,8 @@ def clone_request(request, method):
ret._user = request._user ret._user = request._user
if hasattr(request, '_auth'): if hasattr(request, '_auth'):
ret._auth = request._auth ret._auth = request._auth
if hasattr(request, '_authenticator'):
ret._authenticator = request._authenticator
return ret return ret
...@@ -90,6 +97,7 @@ class Request(object): ...@@ -90,6 +97,7 @@ class Request(object):
if self.parser_context is None: if self.parser_context is None:
self.parser_context = {} self.parser_context = {}
self.parser_context['request'] = self self.parser_context['request'] = self
self.parser_context['encoding'] = request.encoding or settings.DEFAULT_CHARSET
def _default_negotiator(self): def _default_negotiator(self):
return api_settings.DEFAULT_CONTENT_NEGOTIATION_CLASS() return api_settings.DEFAULT_CONTENT_NEGOTIATION_CLASS()
...@@ -166,17 +174,17 @@ class Request(object): ...@@ -166,17 +174,17 @@ class Request(object):
by the authentication classes provided to the request. by the authentication classes provided to the request.
""" """
if not hasattr(self, '_user'): if not hasattr(self, '_user'):
self._user, self._auth = self._authenticate() self._authenticator, self._user, self._auth = self._authenticate()
return self._user return self._user
@user.setter @user.setter
def user(self, value): def user(self, value):
""" """
Sets the user on the current request. This is necessary to maintain Sets the user on the current request. This is necessary to maintain
compatilbility with django.contrib.auth where the user proprety is compatilbility with django.contrib.auth where the user proprety is
set in the login and logout functions. set in the login and logout functions.
""" """
self._user = value self._user = value
@property @property
def auth(self): def auth(self):
...@@ -185,7 +193,7 @@ class Request(object): ...@@ -185,7 +193,7 @@ class Request(object):
request, such as an authentication token. request, such as an authentication token.
""" """
if not hasattr(self, '_auth'): if not hasattr(self, '_auth'):
self._user, self._auth = self._authenticate() self._authenticator, self._user, self._auth = self._authenticate()
return self._auth return self._auth
@auth.setter @auth.setter
...@@ -196,6 +204,16 @@ class Request(object): ...@@ -196,6 +204,16 @@ class Request(object):
""" """
self._auth = value self._auth = value
@property
def successful_authenticator(self):
"""
Return the instance of the authentication instance class that was used
to authenticate the request, or `None`.
"""
if not hasattr(self, '_authenticator'):
self._authenticator, self._user, self._auth = self._authenticate()
return self._authenticator
def _load_data_and_files(self): def _load_data_and_files(self):
""" """
Parses the request content into self.DATA and self.FILES. Parses the request content into self.DATA and self.FILES.
...@@ -213,11 +231,17 @@ class Request(object): ...@@ -213,11 +231,17 @@ class Request(object):
""" """
self._content_type = self.META.get('HTTP_CONTENT_TYPE', self._content_type = self.META.get('HTTP_CONTENT_TYPE',
self.META.get('CONTENT_TYPE', '')) self.META.get('CONTENT_TYPE', ''))
self._perform_form_overloading() self._perform_form_overloading()
# if the HTTP method was not overloaded, we take the raw HTTP method
if not _hasattr(self, '_method'): if not _hasattr(self, '_method'):
self._method = self._request.method self._method = self._request.method
if self._method == 'POST':
# Allow X-HTTP-METHOD-OVERRIDE header
self._method = self.META.get('HTTP_X_HTTP_METHOD_OVERRIDE',
self._method)
def _load_stream(self): def _load_stream(self):
""" """
Return the content body of the request, as a stream. Return the content body of the request, as a stream.
...@@ -233,7 +257,7 @@ class Request(object): ...@@ -233,7 +257,7 @@ class Request(object):
elif hasattr(self._request, 'read'): elif hasattr(self._request, 'read'):
self._stream = self._request self._stream = self._request
else: else:
self._stream = StringIO(self.raw_post_data) self._stream = BytesIO(self.raw_post_data)
def _perform_form_overloading(self): def _perform_form_overloading(self):
""" """
...@@ -268,7 +292,7 @@ class Request(object): ...@@ -268,7 +292,7 @@ class Request(object):
self._CONTENT_PARAM in self._data and self._CONTENT_PARAM in self._data and
self._CONTENTTYPE_PARAM in self._data): self._CONTENTTYPE_PARAM in self._data):
self._content_type = self._data[self._CONTENTTYPE_PARAM] self._content_type = self._data[self._CONTENTTYPE_PARAM]
self._stream = StringIO(self._data[self._CONTENT_PARAM]) self._stream = BytesIO(self._data[self._CONTENT_PARAM].encode(HTTP_HEADER_ENCODING))
self._data, self._files = (Empty, Empty) self._data, self._files = (Empty, Empty)
def _parse(self): def _parse(self):
...@@ -281,7 +305,9 @@ class Request(object): ...@@ -281,7 +305,9 @@ class Request(object):
media_type = self.content_type media_type = self.content_type
if stream is None or media_type is None: if stream is None or media_type is None:
return (None, None) empty_data = QueryDict('', self._request._encoding)
empty_files = MultiValueDict()
return (empty_data, empty_files)
parser = self.negotiator.select_parser(self, self.parsers) parser = self.negotiator.select_parser(self, self.parsers)
...@@ -295,25 +321,28 @@ class Request(object): ...@@ -295,25 +321,28 @@ class Request(object):
try: try:
return (parsed.data, parsed.files) return (parsed.data, parsed.files)
except AttributeError: except AttributeError:
return (parsed, None) empty_files = MultiValueDict()
return (parsed, empty_files)
def _authenticate(self): def _authenticate(self):
""" """
Attempt to authenticate the request using each authentication instance in turn. Attempt to authenticate the request using each authentication instance
Returns a two-tuple of (user, authtoken). in turn.
Returns a three-tuple of (authenticator, user, authtoken).
""" """
for authenticator in self.authenticators: for authenticator in self.authenticators:
user_auth_tuple = authenticator.authenticate(self) user_auth_tuple = authenticator.authenticate(self)
if not user_auth_tuple is None: if not user_auth_tuple is None:
return user_auth_tuple user, auth = user_auth_tuple
return (authenticator, user, auth)
return self._not_authenticated() return self._not_authenticated()
def _not_authenticated(self): def _not_authenticated(self):
""" """
Return a two-tuple of (user, authtoken), representing an Return a three-tuple of (authenticator, user, authtoken), representing
unauthenticated request. an unauthenticated request.
By default this will be (AnonymousUser, None). By default this will be (None, AnonymousUser, None).
""" """
if api_settings.UNAUTHENTICATED_USER: if api_settings.UNAUTHENTICATED_USER:
user = api_settings.UNAUTHENTICATED_USER() user = api_settings.UNAUTHENTICATED_USER()
...@@ -325,7 +354,7 @@ class Request(object): ...@@ -325,7 +354,7 @@ class Request(object):
else: else:
auth = None auth = None
return (user, auth) return (None, user, auth)
def __getattr__(self, attr): def __getattr__(self, attr):
""" """
......
rest_framework/response.py
from __future__ import unicode_literals
from django.core.handlers.wsgi import STATUS_CODE_TEXT from django.core.handlers.wsgi import STATUS_CODE_TEXT
from django.template.response import SimpleTemplateResponse from django.template.response import SimpleTemplateResponse
from rest_framework.compat import six
class Response(SimpleTemplateResponse): class Response(SimpleTemplateResponse):
...@@ -22,9 +24,9 @@ class Response(SimpleTemplateResponse): ...@@ -22,9 +24,9 @@ class Response(SimpleTemplateResponse):
self.data = data self.data = data
self.template_name = template_name self.template_name = template_name
self.exception = exception self.exception = exception
if headers: if headers:
for name,value in headers.iteritems(): for name, value in six.iteritems(headers):
self[name] = value self[name] = value
@property @property
......
rest_framework/reverse.py
""" """
Provide reverse functions that return fully qualified URLs Provide reverse functions that return fully qualified URLs
""" """
from __future__ import unicode_literals
from django.core.urlresolvers import reverse as django_reverse from django.core.urlresolvers import reverse as django_reverse
from django.utils.functional import lazy from django.utils.functional import lazy
......
rest_framework/runtests/runcoverage.py
...@@ -52,12 +52,15 @@ def main(): ...@@ -52,12 +52,15 @@ def main():
if os.path.basename(path) in ['tests', 'runtests', 'migrations']: if os.path.basename(path) in ['tests', 'runtests', 'migrations']:
continue continue
# Drop the compat module from coverage, since we're not interested in the coverage # Drop the compat and six modules from coverage, since we're not interested in the coverage
# of a module which is specifically for resolving environment dependant imports. # of modules which are specifically for resolving environment dependant imports.
# (Because we'll end up getting different coverage reports for it for each environment) # (Because we'll end up getting different coverage reports for it for each environment)
if 'compat.py' in files: if 'compat.py' in files:
files.remove('compat.py') files.remove('compat.py')
if 'six.py' in files:
files.remove('six.py')
# Same applies to template tags module. # Same applies to template tags module.
# This module has to include branching on Django versions, # This module has to include branching on Django versions,
# so it's never possible for it to have full coverage. # so it's never possible for it to have full coverage.
......
rest_framework/runtests/runtests.py
...@@ -33,7 +33,7 @@ def main(): ...@@ -33,7 +33,7 @@ def main():
elif len(sys.argv) == 1: elif len(sys.argv) == 1:
test_case = '' test_case = ''
else: else:
print usage() print(usage())
sys.exit(1) sys.exit(1)
failures = test_runner.run_tests(['tests' + test_case]) failures = test_runner.run_tests(['tests' + test_case])
......
rest_framework/runtests/settings.py
...@@ -97,11 +97,41 @@ INSTALLED_APPS = ( ...@@ -97,11 +97,41 @@ INSTALLED_APPS = (
# 'django.contrib.admindocs', # 'django.contrib.admindocs',
'rest_framework', 'rest_framework',
'rest_framework.authtoken', 'rest_framework.authtoken',
'rest_framework.tests' 'rest_framework.tests',
) )
# OAuth is optional and won't work if there is no oauth_provider & oauth2
try:
import oauth_provider
import oauth2
except ImportError:
pass
else:
INSTALLED_APPS += (
'oauth_provider',
)
try:
import provider
except ImportError:
pass
else:
INSTALLED_APPS += (
'provider',
'provider.oauth2',
)
STATIC_URL = '/static/' STATIC_URL = '/static/'
PASSWORD_HASHERS = (
'django.contrib.auth.hashers.SHA1PasswordHasher',
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.BCryptPasswordHasher',
'django.contrib.auth.hashers.MD5PasswordHasher',
'django.contrib.auth.hashers.CryptPasswordHasher',
)
import django import django
if django.VERSION < (1, 3): if django.VERSION < (1, 3):
......
rest_framework/settings.py
...@@ -17,9 +17,14 @@ This module provides the `api_setting` object, that is used to access ...@@ -17,9 +17,14 @@ This module provides the `api_setting` object, that is used to access
REST framework settings, checking for user settings first, then falling REST framework settings, checking for user settings first, then falling
back to the defaults. back to the defaults.
""" """
from __future__ import unicode_literals
from django.conf import settings from django.conf import settings
from django.utils import importlib from django.utils import importlib
from rest_framework import ISO_8601
from rest_framework.compat import six
USER_SETTINGS = getattr(settings, 'REST_FRAMEWORK', None) USER_SETTINGS = getattr(settings, 'REST_FRAMEWORK', None)
...@@ -74,6 +79,22 @@ DEFAULTS = { ...@@ -74,6 +79,22 @@ DEFAULTS = {
'URL_FORMAT_OVERRIDE': 'format', 'URL_FORMAT_OVERRIDE': 'format',
'FORMAT_SUFFIX_KWARG': 'format', 'FORMAT_SUFFIX_KWARG': 'format',
# Input and output formats
'DATE_INPUT_FORMATS': (
ISO_8601,
),
'DATE_FORMAT': ISO_8601,
'DATETIME_INPUT_FORMATS': (
ISO_8601,
),
'DATETIME_FORMAT': ISO_8601,
'TIME_INPUT_FORMATS': (
ISO_8601,
),
'TIME_FORMAT': ISO_8601,
} }
...@@ -98,7 +119,7 @@ def perform_import(val, setting_name): ...@@ -98,7 +119,7 @@ def perform_import(val, setting_name):
If the given setting is a string import notation, If the given setting is a string import notation,
then perform the necessary import or imports. then perform the necessary import or imports.
""" """
if isinstance(val, basestring): if isinstance(val, six.string_types):
return import_from_string(val, setting_name) return import_from_string(val, setting_name)
elif isinstance(val, (list, tuple)): elif isinstance(val, (list, tuple)):
return [import_from_string(item, setting_name) for item in val] return [import_from_string(item, setting_name) for item in val]
......
rest_framework/static/rest_framework/css/default.css
...@@ -150,6 +150,49 @@ html, body { ...@@ -150,6 +150,49 @@ html, body {
margin: 0 auto -60px; margin: 0 auto -60px;
} }
.form-switcher {
margin-bottom: 0;
}
.well {
-webkit-box-shadow: none;
-moz-box-shadow: none;
box-shadow: none;
}
.well .form-actions {
padding-bottom: 0;
margin-bottom: 0;
}
.well form {
margin-bottom: 0;
}
.nav-tabs {
border: 0;
}
.nav-tabs > li {
float: right;
}
.nav-tabs li a {
margin-right: 0;
}
.nav-tabs > .active > a {
background: #f5f5f5;
}
.nav-tabs > .active > a:hover {
background: #f5f5f5;
}
.tabbable.first-tab-active .tab-content
{
border-top-right-radius: 0;
}
#footer, #push { #footer, #push {
height: 60px; /* .push must be the same height as .footer */ height: 60px; /* .push must be the same height as .footer */
......
rest_framework/static/rest_framework/js/default.js
...@@ -3,3 +3,11 @@ prettyPrint(); ...@@ -3,3 +3,11 @@ prettyPrint();
$('.js-tooltip').tooltip({ $('.js-tooltip').tooltip({
delay: 1000 delay: 1000
}); });
$('a[data-toggle="tab"]:first').on('shown', function (e) {
$(e.target).parents('.tabbable').addClass('first-tab-active');
});
$('a[data-toggle="tab"]:not(:first)').on('shown', function (e) {
$(e.target).parents('.tabbable').removeClass('first-tab-active');
});
$('.form-switcher a:first').tab('show');
rest_framework/status.py
...@@ -4,6 +4,7 @@ Descriptive HTTP status codes, for code readability. ...@@ -4,6 +4,7 @@ Descriptive HTTP status codes, for code readability.
See RFC 2616 - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html See RFC 2616 - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
And RFC 6585 - http://tools.ietf.org/html/rfc6585 And RFC 6585 - http://tools.ietf.org/html/rfc6585
""" """
from __future__ import unicode_literals
HTTP_100_CONTINUE = 100 HTTP_100_CONTINUE = 100
HTTP_101_SWITCHING_PROTOCOLS = 101 HTTP_101_SWITCHING_PROTOCOLS = 101
......
rest_framework/templates/rest_framework/base.html
...@@ -13,7 +13,7 @@ ...@@ -13,7 +13,7 @@
<title>{% block title %}Django REST framework{% endblock %}</title> <title>{% block title %}Django REST framework{% endblock %}</title>
{% block style %} {% block style %}
<link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/bootstrap.min.css" %}"/> {% block bootstrap_theme %}<link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/bootstrap.min.css" %}"/>{% endblock %}
<link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/bootstrap-tweaks.css" %}"/> <link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/bootstrap-tweaks.css" %}"/>
<link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/prettify.css" %}"/> <link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/prettify.css" %}"/>
<link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/default.css" %}"/> <link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/default.css" %}"/>
...@@ -123,56 +123,88 @@ ...@@ -123,56 +123,88 @@
{% if response.status_code != 403 %} {% if response.status_code != 403 %}
{% if post_form %} {% if post_form or raw_data_post_form %}
<div class="well"> <div {% if post_form %}class="tabbable"{% endif %}>
<form action="{{ request.get_full_path }}" method="POST" {% if post_form.is_multipart %}enctype="multipart/form-data"{% endif %} class="form-horizontal"> {% if post_form %}
<fieldset> <ul class="nav nav-tabs form-switcher">
{% csrf_token %} <li><a href="#object-form" data-toggle="tab">HTML form</a></li>
{{ post_form.non_field_errors }} <li><a href="#generic-content-form" data-toggle="tab">Raw data</a></li>
{% for field in post_form %} </ul>
<div class="control-group"> <!--{% if field.errors %}error{% endif %}--> {% endif %}
{{ field.label_tag|add_class:"control-label" }} <div class="well tab-content">
<div class="controls"> {% if post_form %}
{{ field }} <div class="tab-pane" id="object-form">
<span class="help-inline">{{ field.help_text }}</span> {% with form=post_form %}
<!--{{ field.errors|add_class:"help-block" }}--> <form action="{{ request.get_full_path }}" method="POST" {% if form.is_multipart %}enctype="multipart/form-data"{% endif %} class="form-horizontal">
<fieldset>
{% include "rest_framework/form.html" %}
<div class="form-actions">
<button class="btn btn-primary" title="Make a POST request on the {{ name }} resource">POST</button>
</div> </div>
</div> </fieldset>
{% endfor %} </form>
<div class="form-actions"> {% endwith %}
<button class="btn btn-primary" title="Make a POST request on the {{ name }} resource">POST</button> </div>
</div> {% endif %}
</fieldset> <div {% if post_form %}class="tab-pane"{% endif %} id="generic-content-form">
</form> {% with form=raw_data_post_form %}
<form action="{{ request.get_full_path }}" method="POST" class="form-horizontal">
<fieldset>
{% include "rest_framework/form.html" %}
<div class="form-actions">
<button class="btn btn-primary" title="Make a POST request on the {{ name }} resource">POST</button>
</div>
</fieldset>
</form>
{% endwith %}
</div>
</div>
</div> </div>
{% endif %} {% endif %}
{% if put_form %} {% if put_form or raw_data_put_form or raw_data_patch_form %}
<div class="well"> <div {% if put_form %}class="tabbable"{% endif %}>
<form action="{{ request.get_full_path }}" method="POST" {% if put_form.is_multipart %}enctype="multipart/form-data"{% endif %} class="form-horizontal"> {% if put_form %}
<fieldset> <ul class="nav nav-tabs form-switcher">
<input type="hidden" name="{{ api_settings.FORM_METHOD_OVERRIDE }}" value="PUT" /> <li><a href="#object-form" data-toggle="tab">HTML form</a></li>
{% csrf_token %} <li><a href="#generic-content-form" data-toggle="tab">Raw data</a></li>
{{ put_form.non_field_errors }} </ul>
{% for field in put_form %} {% endif %}
<div class="control-group"> <!--{% if field.errors %}error{% endif %}--> <div class="well tab-content">
{{ field.label_tag|add_class:"control-label" }} {% if put_form %}
<div class="controls"> <div class="tab-pane" id="object-form">
{{ field }} {% with form=put_form %}
<span class='help-inline'>{{ field.help_text }}</span> <form action="{{ request.get_full_path }}" method="POST" {% if form.is_multipart %}enctype="multipart/form-data"{% endif %} class="form-horizontal">
<!--{{ field.errors|add_class:"help-block" }}--> <fieldset>
{% include "rest_framework/form.html" %}
<div class="form-actions">
<button class="btn btn-primary js-tooltip" name="{{ api_settings.FORM_METHOD_OVERRIDE }}" value="PUT" title="Make a PUT request on the {{ name }} resource">PUT</button>
</div> </div>
</div> </fieldset>
{% endfor %} </form>
<div class="form-actions"> {% endwith %}
<button class="btn btn-primary js-tooltip" title="Make a PUT request on the {{ name }} resource">PUT</button> </div>
</div> {% endif %}
<div {% if put_form %}class="tab-pane"{% endif %} id="generic-content-form">
</fieldset> {% with form=raw_data_put_or_patch_form %}
</form> <form action="{{ request.get_full_path }}" method="POST" class="form-horizontal">
<fieldset>
{% include "rest_framework/form.html" %}
<div class="form-actions">
{% if raw_data_put_form %}
<button class="btn btn-primary js-tooltip" name="{{ api_settings.FORM_METHOD_OVERRIDE }}" value="PUT" title="Make a PUT request on the {{ name }} resource">PUT</button>
{% endif %}
{% if raw_data_patch_form %}
<button class="btn btn-primary js-tooltip" name="{{ api_settings.FORM_METHOD_OVERRIDE }}" value="PATCH" title="Make a PUT request on the {{ name }} resource">PATCH</button>
{% endif %}
</div>
</fieldset>
</form>
{% endwith %}
</div>
</div>
</div> </div>
{% endif %} {% endif %}
{% endif %} {% endif %}
</div> </div>
......
rest_framework/templates/rest_framework/form.html 0 → 100644
{% load rest_framework %}
{% csrf_token %}
{{ form.non_field_errors }}
{% for field in form %}
<div class="control-group"> <!--{% if field.errors %}error{% endif %}-->
{{ field.label_tag|add_class:"control-label" }}
<div class="controls">
{{ field }}
<span class="help-inline">{{ field.help_text }}</span>
<!--{{ field.errors|add_class:"help-block" }}-->
</div>
</div>
{% endfor %}
rest_framework/templates/rest_framework/login.html
...@@ -25,14 +25,14 @@ ...@@ -25,14 +25,14 @@
<form action="{% url 'rest_framework:login' %}" class=" form-inline" method="post"> <form action="{% url 'rest_framework:login' %}" class=" form-inline" method="post">
{% csrf_token %} {% csrf_token %}
<div id="div_id_username" class="clearfix control-group"> <div id="div_id_username" class="clearfix control-group">
<div class="controls" style="height: 30px"> <div class="controls">
<Label class="span4" style="margin-top: 3px">Username:</label> <Label class="span4">Username:</label>
<input style="height: 25px" type="text" name="username" maxlength="100" autocapitalize="off" autocorrect="off" class="textinput textInput" id="id_username"> <input style="height: 25px" type="text" name="username" maxlength="100" autocapitalize="off" autocorrect="off" class="textinput textInput" id="id_username">
</div> </div>
</div> </div>
<div id="div_id_password" class="clearfix control-group"> <div id="div_id_password" class="clearfix control-group">
<div class="controls" style="height: 30px"> <div class="controls">
<Label class="span4" style="margin-top: 3px">Password:</label> <Label class="span4">Password:</label>
<input style="height: 25px" type="password" name="password" maxlength="100" autocapitalize="off" autocorrect="off" class="textinput textInput" id="id_password"> <input style="height: 25px" type="password" name="password" maxlength="100" autocapitalize="off" autocorrect="off" class="textinput textInput" id="id_password">
</div> </div>
</div> </div>
......
rest_framework/templatetags/rest_framework.py
from __future__ import unicode_literals, absolute_import
from django import template from django import template
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse, NoReverseMatch
from django.http import QueryDict from django.http import QueryDict
from django.utils.encoding import force_unicode
from django.utils.html import escape from django.utils.html import escape
from django.utils.safestring import SafeData, mark_safe from django.utils.safestring import SafeData, mark_safe
from urlparse import urlsplit, urlunsplit from rest_framework.compat import urlparse
from rest_framework.compat import force_text
from rest_framework.compat import six
import re import re
import string import string
...@@ -29,7 +31,7 @@ try: # Django 1.5+ ...@@ -29,7 +31,7 @@ try: # Django 1.5+
def do_static(parser, token): def do_static(parser, token):
return StaticFilesNode.handle_token(parser, token) return StaticFilesNode.handle_token(parser, token)
except: except ImportError:
try: # Django 1.4 try: # Django 1.4
from django.contrib.staticfiles.storage import staticfiles_storage from django.contrib.staticfiles.storage import staticfiles_storage
...@@ -41,7 +43,7 @@ except: ...@@ -41,7 +43,7 @@ except:
""" """
return staticfiles_storage.url(path) return staticfiles_storage.url(path)
except: # Django 1.3 except ImportError: # Django 1.3
from urlparse import urljoin from urlparse import urljoin
from django import template from django import template
from django.templatetags.static import PrefixNode from django.templatetags.static import PrefixNode
...@@ -99,11 +101,11 @@ def replace_query_param(url, key, val): ...@@ -99,11 +101,11 @@ def replace_query_param(url, key, val):
Given a URL and a key/val pair, set or replace an item in the query Given a URL and a key/val pair, set or replace an item in the query
parameters of the URL, and return the new URL. parameters of the URL, and return the new URL.
""" """
(scheme, netloc, path, query, fragment) = urlsplit(url) (scheme, netloc, path, query, fragment) = urlparse.urlsplit(url)
query_dict = QueryDict(query).copy() query_dict = QueryDict(query).copy()
query_dict[key] = val query_dict[key] = val
query = query_dict.urlencode() query = query_dict.urlencode()
return urlunsplit((scheme, netloc, path, query, fragment)) return urlparse.urlunsplit((scheme, netloc, path, query, fragment))
# Regex for adding classes to html snippets # Regex for adding classes to html snippets
...@@ -135,7 +137,7 @@ def optional_login(request): ...@@ -135,7 +137,7 @@ def optional_login(request):
""" """
try: try:
login_url = reverse('rest_framework:login') login_url = reverse('rest_framework:login')
except: except NoReverseMatch:
return '' return ''
snippet = "<a href='%s?next=%s'>Log in</a>" % (login_url, request.path) snippet = "<a href='%s?next=%s'>Log in</a>" % (login_url, request.path)
...@@ -149,7 +151,7 @@ def optional_logout(request): ...@@ -149,7 +151,7 @@ def optional_logout(request):
""" """
try: try:
logout_url = reverse('rest_framework:logout') logout_url = reverse('rest_framework:logout')
except: except NoReverseMatch:
return '' return ''
snippet = "<a href='%s?next=%s'>Log out</a>" % (logout_url, request.path) snippet = "<a href='%s?next=%s'>Log out</a>" % (logout_url, request.path)
...@@ -179,7 +181,7 @@ def add_class(value, css_class): ...@@ -179,7 +181,7 @@ def add_class(value, css_class):
In the case of REST Framework, the filter is used to add Bootstrap-specific In the case of REST Framework, the filter is used to add Bootstrap-specific
classes to the forms. classes to the forms.
""" """
html = unicode(value) html = six.text_type(value)
match = class_re.search(html) match = class_re.search(html)
if match: if match:
m = re.search(r'^%s$|^%s\s|\s%s\s|\s%s$' % (css_class, css_class, m = re.search(r'^%s$|^%s\s|\s%s\s|\s%s$' % (css_class, css_class,
...@@ -213,7 +215,7 @@ def urlize_quoted_links(text, trim_url_limit=None, nofollow=True, autoescape=Tru ...@@ -213,7 +215,7 @@ def urlize_quoted_links(text, trim_url_limit=None, nofollow=True, autoescape=Tru
""" """
trim_url = lambda x, limit=trim_url_limit: limit is not None and (len(x) > limit and ('%s...' % x[:max(0, limit - 3)])) or x trim_url = lambda x, limit=trim_url_limit: limit is not None and (len(x) > limit and ('%s...' % x[:max(0, limit - 3)])) or x
safe_input = isinstance(text, SafeData) safe_input = isinstance(text, SafeData)
words = word_split_re.split(force_unicode(text)) words = word_split_re.split(force_text(text))
nofollow_attr = nofollow and ' rel="nofollow"' or '' nofollow_attr = nofollow and ' rel="nofollow"' or ''
for i, word in enumerate(words): for i, word in enumerate(words):
match = None match = None
...@@ -249,4 +251,4 @@ def urlize_quoted_links(text, trim_url_limit=None, nofollow=True, autoescape=Tru ...@@ -249,4 +251,4 @@ def urlize_quoted_links(text, trim_url_limit=None, nofollow=True, autoescape=Tru
words[i] = mark_safe(word) words[i] = mark_safe(word)
elif autoescape: elif autoescape:
words[i] = escape(word) words[i] = escape(word)
return mark_safe(u''.join(words)) return mark_safe(''.join(words))
rest_framework/tests/breadcrumbs.py
from __future__ import unicode_literals
from django.test import TestCase from django.test import TestCase
from rest_framework.compat import patterns, url from rest_framework.compat import patterns, url
from rest_framework.utils.breadcrumbs import get_breadcrumbs from rest_framework.utils.breadcrumbs import get_breadcrumbs
......
rest_framework/tests/decorators.py
from __future__ import unicode_literals
from django.test import TestCase from django.test import TestCase
from rest_framework import status from rest_framework import status
from rest_framework.response import Response from rest_framework.response import Response
...@@ -28,13 +29,27 @@ class DecoratorTestCase(TestCase): ...@@ -28,13 +29,27 @@ class DecoratorTestCase(TestCase):
response.request = request response.request = request
return APIView.finalize_response(self, request, response, *args, **kwargs) return APIView.finalize_response(self, request, response, *args, **kwargs)
def test_wrap_view(self): def test_api_view_incorrect(self):
"""
If @api_view is not applied correct, we should raise an assertion.
"""
@api_view(['GET']) @api_view
def view(request): def view(request):
return Response({}) return Response()
request = self.factory.get('/')
self.assertRaises(AssertionError, view, request)
def test_api_view_incorrect_arguments(self):
"""
If @api_view is missing arguments, we should raise an assertion.
"""
self.assertTrue(isinstance(view.cls_instance, APIView)) with self.assertRaises(AssertionError):
@api_view('GET')
def view(request):
return Response()
def test_calling_method(self): def test_calling_method(self):
...@@ -44,11 +59,11 @@ class DecoratorTestCase(TestCase): ...@@ -44,11 +59,11 @@ class DecoratorTestCase(TestCase):
request = self.factory.get('/') request = self.factory.get('/')
response = view(request) response = view(request)
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, status.HTTP_200_OK)
request = self.factory.post('/') request = self.factory.post('/')
response = view(request) response = view(request)
self.assertEqual(response.status_code, 405) self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
def test_calling_put_method(self): def test_calling_put_method(self):
...@@ -58,11 +73,11 @@ class DecoratorTestCase(TestCase): ...@@ -58,11 +73,11 @@ class DecoratorTestCase(TestCase):
request = self.factory.put('/') request = self.factory.put('/')
response = view(request) response = view(request)
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, status.HTTP_200_OK)
request = self.factory.post('/') request = self.factory.post('/')
response = view(request) response = view(request)
self.assertEqual(response.status_code, 405) self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
def test_calling_patch_method(self): def test_calling_patch_method(self):
...@@ -72,11 +87,11 @@ class DecoratorTestCase(TestCase): ...@@ -72,11 +87,11 @@ class DecoratorTestCase(TestCase):
request = self.factory.patch('/') request = self.factory.patch('/')
response = view(request) response = view(request)
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, status.HTTP_200_OK)
request = self.factory.post('/') request = self.factory.post('/')
response = view(request) response = view(request)
self.assertEqual(response.status_code, 405) self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
def test_renderer_classes(self): def test_renderer_classes(self):
...@@ -124,7 +139,7 @@ class DecoratorTestCase(TestCase): ...@@ -124,7 +139,7 @@ class DecoratorTestCase(TestCase):
request = self.factory.get('/') request = self.factory.get('/')
response = view(request) response = view(request)
self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_throttle_classes(self): def test_throttle_classes(self):
class OncePerDayUserThrottle(UserRateThrottle): class OncePerDayUserThrottle(UserRateThrottle):
...@@ -137,7 +152,7 @@ class DecoratorTestCase(TestCase): ...@@ -137,7 +152,7 @@ class DecoratorTestCase(TestCase):
request = self.factory.get('/') request = self.factory.get('/')
response = view(request) response = view(request)
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
response = view(request) response = view(request)
self.assertEquals(response.status_code, status.HTTP_429_TOO_MANY_REQUESTS) self.assertEqual(response.status_code, status.HTTP_429_TOO_MANY_REQUESTS)
rest_framework/tests/description.py
# -- coding: utf-8 --
from __future__ import unicode_literals
from django.test import TestCase from django.test import TestCase
from rest_framework.views import APIView from rest_framework.views import APIView
from rest_framework.compat import apply_markdown from rest_framework.compat import apply_markdown
...@@ -50,7 +53,7 @@ class TestViewNamesAndDescriptions(TestCase): ...@@ -50,7 +53,7 @@ class TestViewNamesAndDescriptions(TestCase):
"""Ensure Resource names are based on the classname by default.""" """Ensure Resource names are based on the classname by default."""
class MockView(APIView): class MockView(APIView):
pass pass
self.assertEquals(MockView().get_name(), 'Mock') self.assertEqual(MockView().get_name(), 'Mock')
def test_resource_name_can_be_set_explicitly(self): def test_resource_name_can_be_set_explicitly(self):
"""Ensure Resource names can be set using the 'get_name' method.""" """Ensure Resource names can be set using the 'get_name' method."""
...@@ -58,7 +61,7 @@ class TestViewNamesAndDescriptions(TestCase): ...@@ -58,7 +61,7 @@ class TestViewNamesAndDescriptions(TestCase):
class MockView(APIView): class MockView(APIView):
def get_name(self): def get_name(self):
return example return example
self.assertEquals(MockView().get_name(), example) self.assertEqual(MockView().get_name(), example)
def test_resource_description_uses_docstring_by_default(self): def test_resource_description_uses_docstring_by_default(self):
"""Ensure Resource names are based on the docstring by default.""" """Ensure Resource names are based on the docstring by default."""
...@@ -78,7 +81,7 @@ class TestViewNamesAndDescriptions(TestCase): ...@@ -78,7 +81,7 @@ class TestViewNamesAndDescriptions(TestCase):
# hash style header #""" # hash style header #"""
self.assertEquals(MockView().get_description(), DESCRIPTION) self.assertEqual(MockView().get_description(), DESCRIPTION)
def test_resource_description_can_be_set_explicitly(self): def test_resource_description_can_be_set_explicitly(self):
"""Ensure Resource descriptions can be set using the 'get_description' method.""" """Ensure Resource descriptions can be set using the 'get_description' method."""
...@@ -88,7 +91,16 @@ class TestViewNamesAndDescriptions(TestCase): ...@@ -88,7 +91,16 @@ class TestViewNamesAndDescriptions(TestCase):
"""docstring""" """docstring"""
def get_description(self): def get_description(self):
return example return example
self.assertEquals(MockView().get_description(), example) self.assertEqual(MockView().get_description(), example)
def test_resource_description_supports_unicode(self):
class MockView(APIView):
"""Проверка"""
pass
self.assertEqual(MockView().get_description(), "Проверка")
def test_resource_description_does_not_require_docstring(self): def test_resource_description_does_not_require_docstring(self):
"""Ensure that empty docstrings do not affect the Resource's description if it has been set using the 'get_description' method.""" """Ensure that empty docstrings do not affect the Resource's description if it has been set using the 'get_description' method."""
...@@ -97,13 +109,13 @@ class TestViewNamesAndDescriptions(TestCase): ...@@ -97,13 +109,13 @@ class TestViewNamesAndDescriptions(TestCase):
class MockView(APIView): class MockView(APIView):
def get_description(self): def get_description(self):
return example return example
self.assertEquals(MockView().get_description(), example) self.assertEqual(MockView().get_description(), example)
def test_resource_description_can_be_empty(self): def test_resource_description_can_be_empty(self):
"""Ensure that if a resource has no doctring or 'description' class attribute, then it's description is the empty string.""" """Ensure that if a resource has no doctring or 'description' class attribute, then it's description is the empty string."""
class MockView(APIView): class MockView(APIView):
pass pass
self.assertEquals(MockView().get_description(), '') self.assertEqual(MockView().get_description(), '')
def test_markdown(self): def test_markdown(self):
"""Ensure markdown to HTML works as expected""" """Ensure markdown to HTML works as expected"""
......
rest_framework/tests/files.py
import StringIO from __future__ import unicode_literals
import datetime
from django.test import TestCase from django.test import TestCase
from rest_framework import serializers from rest_framework import serializers
from rest_framework.compat import BytesIO
from rest_framework.compat import six
import datetime
class UploadedFile(object): class UploadedFile(object):
...@@ -27,14 +27,14 @@ class UploadedFileSerializer(serializers.Serializer): ...@@ -27,14 +27,14 @@ class UploadedFileSerializer(serializers.Serializer):
class FileSerializerTests(TestCase): class FileSerializerTests(TestCase):
def test_create(self): def test_create(self):
now = datetime.datetime.now() now = datetime.datetime.now()
file = StringIO.StringIO('stuff') file = BytesIO(six.b('stuff'))
file.name = 'stuff.txt' file.name = 'stuff.txt'
file.size = file.len file.size = len(file.getvalue())
serializer = UploadedFileSerializer(data={'created': now}, files={'file': file}) serializer = UploadedFileSerializer(data={'created': now}, files={'file': file})
uploaded_file = UploadedFile(file=file, created=now) uploaded_file = UploadedFile(file=file, created=now)
self.assertTrue(serializer.is_valid()) self.assertTrue(serializer.is_valid())
self.assertEquals(serializer.object.created, uploaded_file.created) self.assertEqual(serializer.object.created, uploaded_file.created)
self.assertEquals(serializer.object.file, uploaded_file.file) self.assertEqual(serializer.object.file, uploaded_file.file)
self.assertFalse(serializer.object is uploaded_file) self.assertFalse(serializer.object is uploaded_file)
def test_creation_failure(self): def test_creation_failure(self):
......
rest_framework/tests/filterset.py
from __future__ import unicode_literals
import datetime import datetime
from decimal import Decimal from decimal import Decimal
from django.test import TestCase from django.test import TestCase
...@@ -64,8 +65,8 @@ class IntegrationTestFiltering(TestCase): ...@@ -64,8 +65,8 @@ class IntegrationTestFiltering(TestCase):
self.objects = FilterableItem.objects self.objects = FilterableItem.objects
self.data = [ self.data = [
{'id': obj.id, 'text': obj.text, 'decimal': obj.decimal, 'date': obj.date} {'id': obj.id, 'text': obj.text, 'decimal': obj.decimal, 'date': obj.date.isoformat()}
for obj in self.objects.all() for obj in self.objects.all()
] ]
@unittest.skipUnless(django_filters, 'django-filters not installed') @unittest.skipUnless(django_filters, 'django-filters not installed')
...@@ -78,24 +79,24 @@ class IntegrationTestFiltering(TestCase): ...@@ -78,24 +79,24 @@ class IntegrationTestFiltering(TestCase):
# Basic test with no filter. # Basic test with no filter.
request = factory.get('/') request = factory.get('/')
response = view(request).render() response = view(request).render()
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEquals(response.data, self.data) self.assertEqual(response.data, self.data)
# Tests that the decimal filter works. # Tests that the decimal filter works.
search_decimal = Decimal('2.25') search_decimal = Decimal('2.25')
request = factory.get('/?decimal=%s' % search_decimal) request = factory.get('/?decimal=%s' % search_decimal)
response = view(request).render() response = view(request).render()
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
expected_data = [f for f in self.data if f['decimal'] == search_decimal] expected_data = [f for f in self.data if f['decimal'] == search_decimal]
self.assertEquals(response.data, expected_data) self.assertEqual(response.data, expected_data)
# Tests that the date filter works. # Tests that the date filter works.
search_date = datetime.date(2012, 9, 22) search_date = datetime.date(2012, 9, 22)
request = factory.get('/?date=%s' % search_date) # search_date str: '2012-09-22' request = factory.get('/?date=%s' % search_date) # search_date str: '2012-09-22'
response = view(request).render() response = view(request).render()
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
expected_data = [f for f in self.data if f['date'] == search_date] expected_data = [f for f in self.data if datetime.datetime.strptime(f['date'], '%Y-%m-%d').date() == search_date]
self.assertEquals(response.data, expected_data) self.assertEqual(response.data, expected_data)
@unittest.skipUnless(django_filters, 'django-filters not installed') @unittest.skipUnless(django_filters, 'django-filters not installed')
def test_get_filtered_class_root_view(self): def test_get_filtered_class_root_view(self):
...@@ -108,42 +109,43 @@ class IntegrationTestFiltering(TestCase): ...@@ -108,42 +109,43 @@ class IntegrationTestFiltering(TestCase):
# Basic test with no filter. # Basic test with no filter.
request = factory.get('/') request = factory.get('/')
response = view(request).render() response = view(request).render()
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEquals(response.data, self.data) self.assertEqual(response.data, self.data)
# Tests that the decimal filter set with 'lt' in the filter class works. # Tests that the decimal filter set with 'lt' in the filter class works.
search_decimal = Decimal('4.25') search_decimal = Decimal('4.25')
request = factory.get('/?decimal=%s' % search_decimal) request = factory.get('/?decimal=%s' % search_decimal)
response = view(request).render() response = view(request).render()
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
expected_data = [f for f in self.data if f['decimal'] < search_decimal] expected_data = [f for f in self.data if f['decimal'] < search_decimal]
self.assertEquals(response.data, expected_data) self.assertEqual(response.data, expected_data)
# Tests that the date filter set with 'gt' in the filter class works. # Tests that the date filter set with 'gt' in the filter class works.
search_date = datetime.date(2012, 10, 2) search_date = datetime.date(2012, 10, 2)
request = factory.get('/?date=%s' % search_date) # search_date str: '2012-10-02' request = factory.get('/?date=%s' % search_date) # search_date str: '2012-10-02'
response = view(request).render() response = view(request).render()
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
expected_data = [f for f in self.data if f['date'] > search_date] expected_data = [f for f in self.data if datetime.datetime.strptime(f['date'], '%Y-%m-%d').date() > search_date]
self.assertEquals(response.data, expected_data) self.assertEqual(response.data, expected_data)
# Tests that the text filter set with 'icontains' in the filter class works. # Tests that the text filter set with 'icontains' in the filter class works.
search_text = 'ff' search_text = 'ff'
request = factory.get('/?text=%s' % search_text) request = factory.get('/?text=%s' % search_text)
response = view(request).render() response = view(request).render()
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
expected_data = [f for f in self.data if search_text in f['text'].lower()] expected_data = [f for f in self.data if search_text in f['text'].lower()]
self.assertEquals(response.data, expected_data) self.assertEqual(response.data, expected_data)
# Tests that multiple filters works. # Tests that multiple filters works.
search_decimal = Decimal('5.25') search_decimal = Decimal('5.25')
search_date = datetime.date(2012, 10, 2) search_date = datetime.date(2012, 10, 2)
request = factory.get('/?decimal=%s&date=%s' % (search_decimal, search_date)) request = factory.get('/?decimal=%s&date=%s' % (search_decimal, search_date))
response = view(request).render() response = view(request).render()
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
expected_data = [f for f in self.data if f['date'] > search_date and expected_data = [f for f in self.data if
f['decimal'] < search_decimal] datetime.datetime.strptime(f['date'], '%Y-%m-%d').date() > search_date and
self.assertEquals(response.data, expected_data) f['decimal'] < search_decimal]
self.assertEqual(response.data, expected_data)
@unittest.skipUnless(django_filters, 'django-filters not installed') @unittest.skipUnless(django_filters, 'django-filters not installed')
def test_incorrectly_configured_filter(self): def test_incorrectly_configured_filter(self):
...@@ -165,4 +167,4 @@ class IntegrationTestFiltering(TestCase): ...@@ -165,4 +167,4 @@ class IntegrationTestFiltering(TestCase):
search_integer = 10 search_integer = 10
request = factory.get('/?integer=%s' % search_integer) request = factory.get('/?integer=%s' % search_integer)
response = view(request).render() response = view(request).render()
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
rest_framework/tests/genericrelations.py
from __future__ import unicode_literals
from django.contrib.contenttypes.models import ContentType
from django.contrib.contenttypes.generic import GenericRelation, GenericForeignKey
from django.db import models
from django.test import TestCase from django.test import TestCase
from rest_framework import serializers from rest_framework import serializers
from rest_framework.tests.models import *
class Tag(models.Model):
"""
Tags have a descriptive slug, and are attached to an arbitrary object.
"""
tag = models.SlugField()
content_type = models.ForeignKey(ContentType)
object_id = models.PositiveIntegerField()
tagged_item = GenericForeignKey('content_type', 'object_id')
def __unicode__(self):
return self.tag
class Bookmark(models.Model):
"""
A URL bookmark that may have multiple tags attached.
"""
url = models.URLField()
tags = GenericRelation(Tag)
def __unicode__(self):
return 'Bookmark: %s' % self.url
class Note(models.Model):
"""
A textual note that may have multiple tags attached.
"""
text = models.TextField()
tags = GenericRelation(Tag)
def __unicode__(self):
return 'Note: %s' % self.text
class TestGenericRelations(TestCase): class TestGenericRelations(TestCase):
def setUp(self): def setUp(self):
bookmark = Bookmark(url='https://www.djangoproject.com/') self.bookmark = Bookmark.objects.create(url='https://www.djangoproject.com/')
bookmark.save() Tag.objects.create(tagged_item=self.bookmark, tag='django')
django = Tag(tag_name='django') Tag.objects.create(tagged_item=self.bookmark, tag='python')
django.save() self.note = Note.objects.create(text='Remember the milk')
python = Tag(tag_name='python') Tag.objects.create(tagged_item=self.note, tag='reminder')
python.save()
t1 = TaggedItem(content_object=bookmark, tag=django) def test_generic_relation(self):
t1.save() """
t2 = TaggedItem(content_object=bookmark, tag=python) Test a relationship that spans a GenericRelation field.
t2.save() IE. A reverse generic relationship.
self.bookmark = bookmark """
def test_reverse_generic_relation(self):
class BookmarkSerializer(serializers.ModelSerializer): class BookmarkSerializer(serializers.ModelSerializer):
tags = serializers.ManyRelatedField(source='tags') tags = serializers.RelatedField(many=True)
class Meta: class Meta:
model = Bookmark model = Bookmark
...@@ -27,7 +64,37 @@ class TestGenericRelations(TestCase): ...@@ -27,7 +64,37 @@ class TestGenericRelations(TestCase):
serializer = BookmarkSerializer(self.bookmark) serializer = BookmarkSerializer(self.bookmark)
expected = { expected = {
'tags': [u'django', u'python'], 'tags': ['django', 'python'],
'url': u'https://www.djangoproject.com/' 'url': 'https://www.djangoproject.com/'
}
self.assertEqual(serializer.data, expected)
def test_generic_fk(self):
"""
Test a relationship that spans a GenericForeignKey field.
IE. A forward generic relationship.
"""
class TagSerializer(serializers.ModelSerializer):
tagged_item = serializers.RelatedField()
class Meta:
model = Tag
exclude = ('id', 'content_type', 'object_id')
serializer = TagSerializer(Tag.objects.all(), many=True)
expected = [
{
'tag': 'django',
'tagged_item': 'Bookmark: https://www.djangoproject.com/'
},
{
'tag': 'python',
'tagged_item': 'Bookmark: https://www.djangoproject.com/'
},
{
'tag': 'reminder',
'tagged_item': 'Note: Remember the milk'
} }
self.assertEquals(serializer.data, expected) ]
self.assertEqual(serializer.data, expected)
rest_framework/tests/htmlrenderer.py
from __future__ import unicode_literals
from django.core.exceptions import PermissionDenied from django.core.exceptions import PermissionDenied
from django.http import Http404 from django.http import Http404
from django.test import TestCase from django.test import TestCase
from django.template import TemplateDoesNotExist, Template from django.template import TemplateDoesNotExist, Template
import django.template.loader import django.template.loader
from rest_framework import status
from rest_framework.compat import patterns, url from rest_framework.compat import patterns, url
from rest_framework.decorators import api_view, renderer_classes from rest_framework.decorators import api_view, renderer_classes
from rest_framework.renderers import TemplateHTMLRenderer from rest_framework.renderers import TemplateHTMLRenderer
from rest_framework.response import Response from rest_framework.response import Response
from rest_framework.compat import six
@api_view(('GET',)) @api_view(('GET',))
...@@ -63,19 +66,19 @@ class TemplateHTMLRendererTests(TestCase): ...@@ -63,19 +66,19 @@ class TemplateHTMLRendererTests(TestCase):
def test_simple_html_view(self): def test_simple_html_view(self):
response = self.client.get('/') response = self.client.get('/')
self.assertContains(response, "example: foobar") self.assertContains(response, "example: foobar")
self.assertEquals(response['Content-Type'], 'text/html') self.assertEqual(response['Content-Type'], 'text/html')
def test_not_found_html_view(self): def test_not_found_html_view(self):
response = self.client.get('/not_found') response = self.client.get('/not_found')
self.assertEquals(response.status_code, 404) self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
self.assertEquals(response.content, "404 Not Found") self.assertEqual(response.content, six.b("404 Not Found"))
self.assertEquals(response['Content-Type'], 'text/html') self.assertEqual(response['Content-Type'], 'text/html')
def test_permission_denied_html_view(self): def test_permission_denied_html_view(self):
response = self.client.get('/permission_denied') response = self.client.get('/permission_denied')
self.assertEquals(response.status_code, 403) self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertEquals(response.content, "403 Forbidden") self.assertEqual(response.content, six.b("403 Forbidden"))
self.assertEquals(response['Content-Type'], 'text/html') self.assertEqual(response['Content-Type'], 'text/html')
class TemplateHTMLRendererExceptionTests(TestCase): class TemplateHTMLRendererExceptionTests(TestCase):
...@@ -104,12 +107,12 @@ class TemplateHTMLRendererExceptionTests(TestCase): ...@@ -104,12 +107,12 @@ class TemplateHTMLRendererExceptionTests(TestCase):
def test_not_found_html_view_with_template(self): def test_not_found_html_view_with_template(self):
response = self.client.get('/not_found') response = self.client.get('/not_found')
self.assertEquals(response.status_code, 404) self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
self.assertEquals(response.content, "404: Not found") self.assertEqual(response.content, six.b("404: Not found"))
self.assertEquals(response['Content-Type'], 'text/html') self.assertEqual(response['Content-Type'], 'text/html')
def test_permission_denied_html_view_with_template(self): def test_permission_denied_html_view_with_template(self):
response = self.client.get('/permission_denied') response = self.client.get('/permission_denied')
self.assertEquals(response.status_code, 403) self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertEquals(response.content, "403: Permission denied") self.assertEqual(response.content, six.b("403: Permission denied"))
self.assertEquals(response['Content-Type'], 'text/html') self.assertEqual(response['Content-Type'], 'text/html')
rest_framework/tests/hyperlinkedserializers.py
from __future__ import unicode_literals
import json import json
from django.test import TestCase from django.test import TestCase
from django.test.client import RequestFactory from django.test.client import RequestFactory
...@@ -99,7 +100,7 @@ class TestBasicHyperlinkedView(TestCase): ...@@ -99,7 +100,7 @@ class TestBasicHyperlinkedView(TestCase):
def setUp(self): def setUp(self):
""" """
Create 3 BasicModel intances. Create 3 BasicModel instances.
""" """
items = ['foo', 'bar', 'baz'] items = ['foo', 'bar', 'baz']
for item in items: for item in items:
...@@ -118,8 +119,8 @@ class TestBasicHyperlinkedView(TestCase): ...@@ -118,8 +119,8 @@ class TestBasicHyperlinkedView(TestCase):
""" """
request = factory.get('/basic/') request = factory.get('/basic/')
response = self.list_view(request).render() response = self.list_view(request).render()
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEquals(response.data, self.data) self.assertEqual(response.data, self.data)
def test_get_detail_view(self): def test_get_detail_view(self):
""" """
...@@ -127,8 +128,8 @@ class TestBasicHyperlinkedView(TestCase): ...@@ -127,8 +128,8 @@ class TestBasicHyperlinkedView(TestCase):
""" """
request = factory.get('/basic/1') request = factory.get('/basic/1')
response = self.detail_view(request, pk=1).render() response = self.detail_view(request, pk=1).render()
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEquals(response.data, self.data[0]) self.assertEqual(response.data, self.data[0])
class TestManyToManyHyperlinkedView(TestCase): class TestManyToManyHyperlinkedView(TestCase):
...@@ -136,7 +137,7 @@ class TestManyToManyHyperlinkedView(TestCase): ...@@ -136,7 +137,7 @@ class TestManyToManyHyperlinkedView(TestCase):
def setUp(self): def setUp(self):
""" """
Create 3 BasicModel intances. Create 3 BasicModel instances.
""" """
items = ['foo', 'bar', 'baz'] items = ['foo', 'bar', 'baz']
anchors = [] anchors = []
...@@ -166,8 +167,8 @@ class TestManyToManyHyperlinkedView(TestCase): ...@@ -166,8 +167,8 @@ class TestManyToManyHyperlinkedView(TestCase):
""" """
request = factory.get('/manytomany/') request = factory.get('/manytomany/')
response = self.list_view(request) response = self.list_view(request)
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEquals(response.data, self.data) self.assertEqual(response.data, self.data)
def test_get_detail_view(self): def test_get_detail_view(self):
""" """
...@@ -175,8 +176,8 @@ class TestManyToManyHyperlinkedView(TestCase): ...@@ -175,8 +176,8 @@ class TestManyToManyHyperlinkedView(TestCase):
""" """
request = factory.get('/manytomany/1/') request = factory.get('/manytomany/1/')
response = self.detail_view(request, pk=1) response = self.detail_view(request, pk=1)
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEquals(response.data, self.data[0]) self.assertEqual(response.data, self.data[0])
class TestCreateWithForeignKeys(TestCase): class TestCreateWithForeignKeys(TestCase):
...@@ -234,7 +235,7 @@ class TestOptionalRelationHyperlinkedView(TestCase): ...@@ -234,7 +235,7 @@ class TestOptionalRelationHyperlinkedView(TestCase):
def setUp(self): def setUp(self):
""" """
Create 1 OptionalRelationModel intances. Create 1 OptionalRelationModel instances.
""" """
OptionalRelationModel().save() OptionalRelationModel().save()
self.objects = OptionalRelationModel.objects self.objects = OptionalRelationModel.objects
...@@ -248,8 +249,8 @@ class TestOptionalRelationHyperlinkedView(TestCase): ...@@ -248,8 +249,8 @@ class TestOptionalRelationHyperlinkedView(TestCase):
""" """
request = factory.get('/optionalrelationmodel-detail/1') request = factory.get('/optionalrelationmodel-detail/1')
response = self.detail_view(request, pk=1) response = self.detail_view(request, pk=1)
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEquals(response.data, self.data) self.assertEqual(response.data, self.data)
def test_put_detail_view(self): def test_put_detail_view(self):
""" """
......
rest_framework/tests/models.py
from __future__ import unicode_literals
from django.db import models from django.db import models
from django.contrib.contenttypes.models import ContentType
from django.contrib.contenttypes.generic import GenericForeignKey, GenericRelation
# from django.contrib.auth.models import Group
# class CustomUser(models.Model):
# """
# A custom user model, which uses a 'through' table for the foreign key
# """
# username = models.CharField(max_length=255, unique=True)
# groups = models.ManyToManyField(
# to=Group, blank=True, null=True, through='UserGroupMap'
# )
# @models.permalink
# def get_absolute_url(self):
# return ('custom_user', (), {
# 'pk': self.id
# })
# class UserGroupMap(models.Model):
# user = models.ForeignKey(to=CustomUser)
# group = models.ForeignKey(to=Group)
# @models.permalink
# def get_absolute_url(self):
# return ('user_group_map', (), {
# 'pk': self.id
# })
def foobar(): def foobar():
return 'foobar' return 'foobar'
...@@ -86,27 +57,6 @@ class ReadOnlyManyToManyModel(RESTFrameworkModel): ...@@ -86,27 +57,6 @@ class ReadOnlyManyToManyModel(RESTFrameworkModel):
text = models.CharField(max_length=100, default='anchor') text = models.CharField(max_length=100, default='anchor')
rel = models.ManyToManyField(Anchor) rel = models.ManyToManyField(Anchor)
# Models to test generic relations
class Tag(RESTFrameworkModel):
tag_name = models.SlugField()
class TaggedItem(RESTFrameworkModel):
tag = models.ForeignKey(Tag, related_name='items')
content_type = models.ForeignKey(ContentType)
object_id = models.PositiveIntegerField()
content_object = GenericForeignKey('content_type', 'object_id')
def __unicode__(self):
return self.tag.tag_name
class Bookmark(RESTFrameworkModel):
url = models.URLField()
tags = GenericRelation(TaggedItem)
# Model to test filtering. # Model to test filtering.
class FilterableItem(RESTFrameworkModel): class FilterableItem(RESTFrameworkModel):
......
rest_framework/tests/modelviews.py deleted 100644 → 0
# from rest_framework.compat import patterns, url
# from django.forms import ModelForm
# from django.contrib.auth.models import Group, User
# from rest_framework.resources import ModelResource
# from rest_framework.views import ListOrCreateModelView, InstanceModelView
# from rest_framework.tests.models import CustomUser
# from rest_framework.tests.testcases import TestModelsTestCase
# class GroupResource(ModelResource):
# model = Group
# class UserForm(ModelForm):
# class Meta:
# model = User
# exclude = ('last_login', 'date_joined')
# class UserResource(ModelResource):
# model = User
# form = UserForm
# class CustomUserResource(ModelResource):
# model = CustomUser
# urlpatterns = patterns('',
# url(r'^users/$', ListOrCreateModelView.as_view(resource=UserResource), name='users'),
# url(r'^users/(?P<id>[0-9]+)/$', InstanceModelView.as_view(resource=UserResource)),
# url(r'^customusers/$', ListOrCreateModelView.as_view(resource=CustomUserResource), name='customusers'),
# url(r'^customusers/(?P<id>[0-9]+)/$', InstanceModelView.as_view(resource=CustomUserResource)),
# url(r'^groups/$', ListOrCreateModelView.as_view(resource=GroupResource), name='groups'),
# url(r'^groups/(?P<id>[0-9]+)/$', InstanceModelView.as_view(resource=GroupResource)),
# )
# class ModelViewTests(TestModelsTestCase):
# """Test the model views rest_framework provides"""
# urls = 'rest_framework.tests.modelviews'
# def test_creation(self):
# """Ensure that a model object can be created"""
# self.assertEqual(0, Group.objects.count())
# response = self.client.post('/groups/', {'name': 'foo'})
# self.assertEqual(response.status_code, 201)
# self.assertEqual(1, Group.objects.count())
# self.assertEqual('foo', Group.objects.all()[0].name)
# def test_creation_with_m2m_relation(self):
# """Ensure that a model object with a m2m relation can be created"""
# group = Group(name='foo')
# group.save()
# self.assertEqual(0, User.objects.count())
# response = self.client.post('/users/', {'username': 'bar', 'password': 'baz', 'groups': [group.id]})
# self.assertEqual(response.status_code, 201)
# self.assertEqual(1, User.objects.count())
# user = User.objects.all()[0]
# self.assertEqual('bar', user.username)
# self.assertEqual('baz', user.password)
# self.assertEqual(1, user.groups.count())
# group = user.groups.all()[0]
# self.assertEqual('foo', group.name)
# def test_creation_with_m2m_relation_through(self):
# """
# Ensure that a model object with a m2m relation can be created where that
# relation uses a through table
# """
# group = Group(name='foo')
# group.save()
# self.assertEqual(0, User.objects.count())
# response = self.client.post('/customusers/', {'username': 'bar', 'groups': [group.id]})
# self.assertEqual(response.status_code, 201)
# self.assertEqual(1, CustomUser.objects.count())
# user = CustomUser.objects.all()[0]
# self.assertEqual('bar', user.username)
# self.assertEqual(1, user.groups.count())
# group = user.groups.all()[0]
# self.assertEqual('foo', group.name)
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment