# Use Django's standard `django.contrib.auth` permissions,
# Use Django's standard `django.contrib.auth` permissions,
# or allow read-only access for unauthenticated users.
# or allow read-only access for unauthenticated users.
'DEFAULT_PERMISSION_CLASSES':[
'DEFAULT_PERMISSION_CLASSES':[
...
@@ -93,10 +104,35 @@ REST_FRAMEWORK = {
...
@@ -93,10 +104,35 @@ REST_FRAMEWORK = {
]
]
}
}
```
```
Don't forget to make sure you've also added `rest_framework` to your `INSTALLED_APPS` setting.
That's it, we're done!
That's it, we're done!
./manage.py runserver
You can now open the API in your browser at `http://127.0.0.1:8000/`, and view your new 'users' API. If you use the `Login` control in the top right corner you'll also be able to add, create and delete users from the system.
You can also interact with the API using command line tools such as [`curl`](http://curl.haxx.se/). For example, to list the users endpoint:
@@ -74,10 +74,6 @@ The following attributes control the basic view behavior.
...
@@ -74,10 +74,6 @@ The following attributes control the basic view behavior.
*`lookup_field` - The model field that should be used to for performing object lookup of individual model instances. Defaults to `'pk'`. Note that when using hyperlinked APIs you'll need to ensure that *both* the API views *and* the serializer classes set the lookup fields if you need to use a custom value.
*`lookup_field` - The model field that should be used to for performing object lookup of individual model instances. Defaults to `'pk'`. Note that when using hyperlinked APIs you'll need to ensure that *both* the API views *and* the serializer classes set the lookup fields if you need to use a custom value.
*`lookup_url_kwarg` - The URL keyword argument that should be used for object lookup. The URL conf should include a keyword argument corresponding to this value. If unset this defaults to using the same value as `lookup_field`.
*`lookup_url_kwarg` - The URL keyword argument that should be used for object lookup. The URL conf should include a keyword argument corresponding to this value. If unset this defaults to using the same value as `lookup_field`.
**Shortcuts**:
*`model` - This shortcut may be used instead of setting either (or both) of the `queryset`/`serializer_class` attributes, although using the explicit style is generally preferred. If used instead of `serializer_class`, then `DEFAULT_MODEL_SERIALIZER_CLASS` setting will determine the base serializer class. Note that `model` is only ever used for generating a default queryset or serializer class - the `queryset` and `serializer_class` attributes are always preferred if provided.
**Pagination**:
**Pagination**:
The following attributes are used to control pagination when used with list views.
The following attributes are used to control pagination when used with list views.
...
@@ -91,6 +87,10 @@ The following attributes are used to control pagination when used with list view
...
@@ -91,6 +87,10 @@ The following attributes are used to control pagination when used with list view
*`filter_backends` - A list of filter backend classes that should be used for filtering the queryset. Defaults to the same value as the `DEFAULT_FILTER_BACKENDS` setting.
*`filter_backends` - A list of filter backend classes that should be used for filtering the queryset. Defaults to the same value as the `DEFAULT_FILTER_BACKENDS` setting.
**Deprecatedattributes**:
*`model` - This shortcut may be used instead of setting either (or both) of the `queryset`/`serializer_class` attributes. The explicit style is preferred over the `.model` shortcut, and usage of this attribute is now deprecated.
@@ -114,7 +114,7 @@ This permission is suitable if you want to your API to allow read permissions to
...
@@ -114,7 +114,7 @@ This permission is suitable if you want to your API to allow read permissions to
## DjangoModelPermissions
## DjangoModelPermissions
This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned.
This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. This permission must only be applied to views that has a `.queryset` property set. Authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned.
*`POST` requests require the user to have the `add` permission on the model.
*`POST` requests require the user to have the `add` permission on the model.
*`PUT` and `PATCH` requests require the user to have the `change` permission on the model.
*`PUT` and `PATCH` requests require the user to have the `change` permission on the model.
...
@@ -124,6 +124,12 @@ The default behaviour can also be overridden to support custom model permissions
...
@@ -124,6 +124,12 @@ The default behaviour can also be overridden to support custom model permissions
To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property. Refer to the source code for details.
To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property. Refer to the source code for details.
#### Using with views that do not include a `queryset` attribute.
If you're using this permission with a view that uses an overridden `get_queryset()` method there may not be a `queryset` attribute on the view. In this case we suggest also marking the view with a sential queryset, so that this class can determine the required permissions. For example:
queryset = User.objects.none()# Required for DjangoModelPermissions
## DjangoModelPermissionsOrAnonReadOnly
## DjangoModelPermissionsOrAnonReadOnly
Similar to `DjangoModelPermissions`, but also allows unauthenticated users to have read-only access to the API.
Similar to `DjangoModelPermissions`, but also allows unauthenticated users to have read-only access to the API.
...
@@ -132,7 +138,7 @@ Similar to `DjangoModelPermissions`, but also allows unauthenticated users to ha
...
@@ -132,7 +138,7 @@ Similar to `DjangoModelPermissions`, but also allows unauthenticated users to ha
This permission class ties into Django's standard [object permissions framework][objectpermissions] that allows per-object permissions on models. In order to use this permission class, you'll also need to add a permission backend that supports object-level permissions, such as [django-guardian][guardian].
This permission class ties into Django's standard [object permissions framework][objectpermissions] that allows per-object permissions on models. In order to use this permission class, you'll also need to add a permission backend that supports object-level permissions, such as [django-guardian][guardian].
When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant per-object permissions* and *relevant model permissions* assigned.
As with `DjangoModelPermissions`, this permission must only be applied to views that have a `.queryset` property. Authorization will only be granted if the user *is authenticated* and has the *relevant per-object permissions* and *relevant model permissions* assigned.
*`POST` requests require the user to have the `add` permission on the model instance.
*`POST` requests require the user to have the `add` permission on the model instance.
*`PUT` and `PATCH` requests require the user to have the `change` permission on the model instance.
*`PUT` and `PATCH` requests require the user to have the `change` permission on the model instance.
@@ -41,9 +41,9 @@ The example above would generate the following URL patterns:
...
@@ -41,9 +41,9 @@ The example above would generate the following URL patterns:
**Note**: The `base_name` argument is used to specify the initial part of the view name pattern. In the example above, that's the `user` or `account` part.
**Note**: The `base_name` argument is used to specify the initial part of the view name pattern. In the example above, that's the `user` or `account` part.
Typically you won't *need* to specify the `base-name` argument, but if you have a viewset where you've defined a custom `get_queryset` method, then the viewset may not have any `.model` or`.queryset` attribute set. If you try to register that viewset you'll see an error like this:
Typically you won't *need* to specify the `base-name` argument, but if you have a viewset where you've defined a custom `get_queryset` method, then the viewset may not have a `.queryset` attribute set. If you try to register that viewset you'll see an error like this:
'base_name' argument not specified, and could not automatically determine the name from the viewset, as it does not have a '.model' or '.queryset' attribute.
'base_name' argument not specified, and could not automatically determine the name from the viewset, as it does not have a '.queryset' attribute.
This means you'll need to explicitly set the `base_name` argument when registering the viewset, as it could not be automatically determined from the model name.
This means you'll need to explicitly set the `base_name` argument when registering the viewset, as it could not be automatically determined from the model name.
*The following settings control the behavior of the generic class based views.*
*The following settings control the behavior of the generic class based views.*
#### DEFAULT_MODEL_SERIALIZER_CLASS
A class that determines the default type of model serializer that should be used by a generic view if `model` is specified, but `serializer_class` is not provided.
@@ -96,16 +96,11 @@ Note that the URL path can be whatever you want, but you must include `'rest_fra
...
@@ -96,16 +96,11 @@ Note that the URL path can be whatever you want, but you must include `'rest_fra
Let's take a look at a quick example of using REST framework to build a simple model-backed API.
Let's take a look at a quick example of using REST framework to build a simple model-backed API.
We'll create a read-write API for accessing users and groups.
We'll create a read-write API for accessing information on the users of our project.
Any global settings for a REST framework API are kept in a single configuration dictionary named `REST_FRAMEWORK`. Start off by adding the following to your `settings.py` module:
Any global settings for a REST framework API are kept in a single configuration dictionary named `REST_FRAMEWORK`. Start off by adding the following to your `settings.py` module:
REST_FRAMEWORK = {
REST_FRAMEWORK = {
# Use hyperlinked styles by default.
# Only used if the `serializer_class` attribute is not set on a view.
You can now open the API in your browser at [http://127.0.0.1:8000/](http://127.0.0.1:8000/), and view your new 'users' API. If you use the login control in the top right corner you'll also be able to add, create and delete users from the system.
## Quickstart
## Quickstart
Can't wait to get started? The [quickstart guide][quickstart] is the fastest way to get up and running, and building APIs with REST framework.
Can't wait to get started? The [quickstart guide][quickstart] is the fastest way to get up and running, and building APIs with REST framework.
@@ -15,6 +15,16 @@ The optional authtoken application now includes support for *both* Django 1.7 sc
...
@@ -15,6 +15,16 @@ The optional authtoken application now includes support for *both* Django 1.7 sc
**If you are using authtoken, and you want to continue using `south`, you must upgrade your `south` package to version 1.0.**
**If you are using authtoken, and you want to continue using `south`, you must upgrade your `south` package to version 1.0.**
## Deprecation of `.model` view attribute
The `.model` attribute on view classes is an optional shortcut for either or both of `.serializer_class` and `.queryset`. It's usage results in more implicit, less obvious behavior.
The documentation has previously stated that usage of the more explict style is prefered, and we're now taking that one step further and deprecating the usage of the `.model` shortcut.
Doing so will mean that there are cases of API code where you'll now need to include a serializer class where you previously were just using the `.model` shortcut. However we firmly believe that it is the right trade-off to make. Removing the shortcut takes away an unneccessary layer of abstraction, and makes your codebase more explict without any significant extra complexity.
The `DEFAULT_MODEL_SERIALIZER_CLASS` API setting is now also deprecated.
## Updated test runner
## Updated test runner
We now have a new test runner for developing against the project,, that uses the excellent [py.test](http://pytest.org) library.
We now have a new test runner for developing against the project,, that uses the excellent [py.test](http://pytest.org) library.
@@ -48,6 +48,7 @@ You can determine your currently installed version using `pip freeze`:
...
@@ -48,6 +48,7 @@ You can determine your currently installed version using `pip freeze`:
*Added compatibility with Django 1.7's database migration support.
*Added compatibility with Django 1.7's database migration support.
*New test runner, using `py.test`.
*New test runner, using `py.test`.
*Deprecated `.model` view attribute in favor of explict `.queryset` and `.serializer_class` attributes. The `DEFAULT_MODEL_SERIALIZER_CLASS` setting is also deprecated.
*`@detail_route` and `@list_route` decorators replace `@action` and `@link`.
*`@detail_route` and `@list_route` decorators replace `@action` and `@link`.
*Support customizable view name and description functions, using the `VIEW_NAME_FUNCTION` and `VIEW_DESCRIPTION_FUNCTION` settings.
*Support customizable view name and description functions, using the `VIEW_NAME_FUNCTION` and `VIEW_DESCRIPTION_FUNCTION` settings.
*Added `NUM_PROXIES` setting for smarter client IP identification.
*Added `NUM_PROXIES` setting for smarter client IP identification.
@@ -18,34 +18,23 @@ Create a new Django project named `tutorial`, then start a new app called `quick
...
@@ -18,34 +18,23 @@ Create a new Django project named `tutorial`, then start a new app called `quick
pip install django
pip install django
pip install djangorestframework
pip install djangorestframework
# Set up a new project
# Set up a new project with a single application
django-admin.py startproject tutorial
django-admin.py startproject tutorial .
cd tutorial
# Create a new app
django-admin.py startapp quickstart
python manage.py startapp quickstart
cd ..
Next you'll need to get a database set up and synced. If you just want to use SQLite for now, then you'll want to edit your `tutorial/settings.py` module to include something like this:
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': 'database.sql',
'USER': '',
'PASSWORD': '',
'HOST': '',
'PORT': ''
}
}
The run `syncdb` like so:
Now sync your database for the first time:
python manage.py syncdb
python manage.py syncdb
Make sure to create an initial user named `admin` with a password of `password`. We'll authenticate as that user later in our example.
Once you've set up a database and got everything synced and ready to go, open up the app's directory and we'll get coding...
Once you've set up a database and got everything synced and ready to go, open up the app's directory and we'll get coding...
## Serializers
## Serializers
First up we're going to define some serializers in `quickstart/serializers.py` that we'll use for our data representations.
First up we're going to define some serializers. Let's create a new module named `tutorial/quickstart/serializers.py` that we'll use for our data representations.
from django.contrib.auth.models import User, Group
from django.contrib.auth.models import User, Group
from rest_framework import serializers
from rest_framework import serializers
...
@@ -66,11 +55,11 @@ Notice that we're using hyperlinked relations in this case, with `HyperlinkedMod
...
@@ -66,11 +55,11 @@ Notice that we're using hyperlinked relations in this case, with `HyperlinkedMod
## Views
## Views
Right, we'd better write some views then. Open `quickstart/views.py` and get typing.
Right, we'd better write some views then. Open `tutorial/quickstart/views.py` and get typing.
from django.contrib.auth.models import User, Group
from django.contrib.auth.models import User, Group
from rest_framework import viewsets
from rest_framework import viewsets
from quickstart.serializers import UserSerializer, GroupSerializer
from tutorial.quickstart.serializers import UserSerializer, GroupSerializer
class UserViewSet(viewsets.ModelViewSet):
class UserViewSet(viewsets.ModelViewSet):
...
@@ -100,9 +89,9 @@ For trivial cases you can simply set a `model` attribute on the `ViewSet` class
...
@@ -100,9 +89,9 @@ For trivial cases you can simply set a `model` attribute on the `ViewSet` class
Okay, now let's wire up the API URLs. On to `tutorial/urls.py`...
Okay, now let's wire up the API URLs. On to `tutorial/urls.py`...
from django.conf.urls import patterns, url, include
from django.conf.urls import url, include
from rest_framework import routers
from rest_framework import routers
from quickstart import views
from tutorial.quickstart import views
router = routers.DefaultRouter()
router = routers.DefaultRouter()
router.register(r'users', views.UserViewSet)
router.register(r'users', views.UserViewSet)
...
@@ -110,10 +99,10 @@ Okay, now let's wire up the API URLs. On to `tutorial/urls.py`...
...
@@ -110,10 +99,10 @@ Okay, now let's wire up the API URLs. On to `tutorial/urls.py`...
# Wire up our API using automatic URL routing.
# Wire up our API using automatic URL routing.
# Additionally, we include login URLs for the browseable API.
# Additionally, we include login URLs for the browseable API.
Because we're using viewsets instead of views, we can automatically generate the URL conf for our API, by simply registering the viewsets with a router class.
Because we're using viewsets instead of views, we can automatically generate the URL conf for our API, by simply registering the viewsets with a router class.
...
@@ -172,6 +161,8 @@ Or directly through the browser...
...
@@ -172,6 +161,8 @@ Or directly through the browser...
![Quick start image][image]
![Quick start image][image]
If you're working through the browser, make sure to login using the control in the top right corner.
Great, that was easy!
Great, that was easy!
If you want to get a more in depth understanding of how REST framework fits together head on over to [the tutorial][tutorial], or start browsing the [API guide][guide].
If you want to get a more in depth understanding of how REST framework fits together head on over to [the tutorial][tutorial], or start browsing the [API guide][guide].
