Merge remote-tracking branch 'upstream/master'

.travis.yml

@@ -14,8 +14,11 @@ env:
 install:
   - pip install $DJANGO
   - pip install defusedxml==0.3
-  - "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install django-filter==0.5.4 --use-mirrors; fi"
-  - "if [[ ${TRAVIS_PYTHON_VERSION::1} == '3' ]]; then pip install https://github.com/alex/django-filter/tarball/master; fi"
+  - "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install oauth2==1.5.211 --use-mirrors; fi"
+  - "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install django-oauth-plus==2.0 --use-mirrors; fi"
+  - "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install django-oauth2-provider==0.2.3 --use-mirrors; fi"
+  - "if [[ ${DJANGO::11} == 'django==1.3' ]]; then pip install django-filter==0.5.4 --use-mirrors; fi"
+  - "if [[ ${DJANGO::11} != 'django==1.3' ]]; then pip install django-filter==0.6a1 --use-mirrors; fi"
   - export PYTHONPATH=.
 
 script:

MANIFEST.in

 recursive-include rest_framework/static *.js *.css *.png
-recursive-include rest_framework/templates *.txt *.html
+recursive-include rest_framework/templates *.html

README.md

 # Django REST framework
 
-**A toolkit for building well-connected, self-describing web APIs.**
-
-**Author:** Tom Christie.  [Follow me on Twitter][twitter].
-
-**Support:** [REST framework group][group], or `#restframework` on freenode IRC.
+**Awesome web-browseable Web APIs.**
 
 [![build-status-image]][travis]
 
----
+**Note**: Full documentation for the project is available at [http://django-rest-framework.org][docs].
 
-**Full documentation for REST framework is available on [http://django-rest-framework.org][docs].**
+# Overview
 
----
+Django REST framework is a powerful and flexible toolkit that makes it easy to build Web APIs.
 
-# Overview
+Some reasons you might want to use REST framework:
 
-Django REST framework is a lightweight library that makes it easy to build Web APIs.  It is designed as a modular and easy to customize architecture, based on Django's class based views.
+* The Web browseable API is a huge useability win for your developers.
+* Authentication policies including OAuth1a and OAuth2 out of the box.
+* Serialization that supports both ORM and non-ORM data sources.
+* Customizable all the way down - just use regular function-based views if you don't need the more powerful features.
+* Extensive documentation, and great community support.
 
-Web APIs built using REST framework are fully self-describing and web browseable - a huge useability win for your developers.  It also supports a wide range of media types, authentication and permission policies out of the box.
+There is a live example API for testing purposes, [available here][sandbox].
 
-If you are considering using REST framework for your API, we recommend reading the [REST framework 2 announcment][rest-framework-2-announcement] which gives a good overview of the framework and it's capabilities.
+**Below**: *Screenshot from the browseable API*
 
-There is also a sandbox API you can use for testing purposes, [available here][sandbox].
+![Screenshot][image]
 
 # Requirements
 
 * Python (2.6.5+, 2.7, 3.2, 3.3)
 * Django (1.3, 1.4, 1.5)
 
-**Optional:**
-
-* [Markdown][markdown] - Markdown support for the self describing API.
-* [PyYAML][pyyaml] - YAML content type support.
-* [defusedxml][defusedxml] - XML content-type support.
-* [django-filter][django-filter] - Filtering support.
-
 # Installation
 
-Install using `pip`, including any optional packages you want...
+Install using `pip`...
 
     pip install djangorestframework
-    pip install markdown  # Markdown support for the browseable API.
-    pip install pyyaml    # YAML content-type support.
-    pip install defusedxml  # XML content-type support.
-    pip install django-filter  # Filtering support
-
-...or clone the project from github.
-
-    git clone git@github.com:tomchristie/django-rest-framework.git
-    cd django-rest-framework
-    pip install -r requirements.txt
-    pip install -r optionals.txt
 
 Add `'rest_framework'` to your `INSTALLED_APPS` setting.
 
@@ -60,24 +42,65 @@ Add `'rest_framework'` to your `INSTALLED_APPS` setting.
         'rest_framework',        
     )
 
-If you're intending to use the browseable API you'll probably also want to add REST framework's login and logout views.  Add the following to your root `urls.py` file.
+# Example
+
+Let's take a look at a quick example of using REST framework to build a simple model-backed API for accessing users and groups.
+
+Here's our project's root `urls.py` module:
+
+    from django.conf.urls.defaults import url, patterns, include
+    from django.contrib.auth.models import User, Group
+    from rest_framework import viewsets, routers
+
+    # ViewSets define the view behavior.
+    class UserViewSet(viewsets.ModelViewSet):
+        model = User
 
+    class GroupViewSet(viewsets.ModelViewSet):
+        model = Group
+
+    
+    # Routers provide an easy way of automatically determining the URL conf
+    router = routers.DefaultRouter()
+    router.register(r'users', UserViewSet)
+    router.register(r'groups', GroupViewSet)
+
+
+    # Wire up our API using automatic URL routing.
+    # Additionally, we include login URLs for the browseable API.
     urlpatterns = patterns('',
-        ...
+        url(r'^', include(router.urls)),
         url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework'))
     )
 
-Note that the URL path can be whatever you want, but you must include `'rest_framework.urls'` with the `'rest_framework'` namespace.
+We'd also like to configure a couple of settings for our API.
+
+Add the following to your `settings.py` module:
 
-# Development
+    REST_FRAMEWORK = {
+        # Use hyperlinked styles by default.
+        # Only used if the `serializer_class` attribute is not set on a view.
+        'DEFAULT_MODEL_SERIALIZER_CLASS':
+            'rest_framework.serializers.HyperlinkedModelSerializer',
 
-To build the docs.
+        # Use Django's standard `django.contrib.auth` permissions,
+        # or allow read-only access for unauthenticated users.
+        'DEFAULT_PERMISSION_CLASSES': [
+            'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly'
+        ]
+    }
 
-    ./mkdocs.py
+Don't forget to make sure you've also added `rest_framework` to your `INSTALLED_APPS` setting.
 
-To run the tests.
+That's it, we're done!
 
-    ./rest_framework/runtests/runtests.py
+# Documentation & Support
+
+Full documentation for the project is available at [http://django-rest-framework.org][docs].
+
+For questions and support, use the [REST framework discussion group][group], or `#restframework` on freenode IRC.
+
+You may also want to [follow the author on Twitter][twitter].
 
 # License
 
@@ -112,6 +135,13 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 [sandbox]: http://restframework.herokuapp.com/
 [rest-framework-2-announcement]: http://django-rest-framework.org/topics/rest-framework-2-announcement.html
 [2.1.0-notes]: https://groups.google.com/d/topic/django-rest-framework/Vv2M0CMY9bg/discussion
+[image]: http://django-rest-framework.org/img/quickstart.png
+
+[tox]: http://testrun.org/tox/latest/
+
+[tehjones]: https://twitter.com/tehjones/status/294986071979196416
+[wlonk]: https://twitter.com/wlonk/status/261689665952833536
+[laserllama]: https://twitter.com/laserllama/status/328688333750407168
 
 [docs]: http://django-rest-framework.org/
 [urlobject]: https://github.com/zacharyvoase/urlobject

docs/api-guide/fields.md

@@ -2,7 +2,7 @@
 
 # Serializer fields
 
-> Each field in a Form class is responsible not only for validating data, but also for "cleaning" it -- normalizing it to a consistent format. 
+> Each field in a Form class is responsible not only for validating data, but also for "cleaning" it — normalizing it to a consistent format. 
 >
 > — [Django documentation][cite]
 
@@ -181,12 +181,6 @@ Corresponds to `django.forms.fields.RegexField`
 
 **Signature:** `RegexField(regex, max_length=None, min_length=None)`
 
-## DateField
-
-A date representation.
-
-Corresponds to `django.db.models.fields.DateField`
-
 ## DateTimeField
 
 A date and time representation.
@@ -203,12 +197,45 @@ If you want to override this behavior, you'll need to declare the `DateTimeField
         class Meta:
             model = Comment
 
+Note that by default, datetime representations are deteremined by the renderer in use, although this can be explicitly overridden as detailed below.
+
+In the case of JSON this means the default datetime representation uses the [ECMA 262 date time string specification][ecma262].  This is a subset of ISO 8601 which uses millisecond precision, and includes the 'Z' suffix for the UTC timezone, for example: `2013-01-29T12:34:56.123Z`.
+
+**Signature:** `DateTimeField(format=None, input_formats=None)`
+
+* `format` - A string representing the output format.  If not specified, this defaults to `None`, which indicates that python `datetime` objects should be returned by `to_native`.  In this case the datetime encoding will be determined by the renderer. 
+* `input_formats` - A list of strings representing the input formats which may be used to parse the date. If not specified, the `DATETIME_INPUT_FORMATS` setting will be used, which defaults to `['iso-8601']`.
+
+DateTime format strings may either be [python strftime formats][strftime] which explicitly specifiy the format, or the special string `'iso-8601'`, which indicates that [ISO 8601][iso8601] style datetimes should be used. (eg `'2013-01-29T12:34:56.000000Z'`)
+
+## DateField
+
+A date representation.
+
+Corresponds to `django.db.models.fields.DateField`
+
+**Signature:** `DateField(format=None, input_formats=None)`
+
+* `format` - A string representing the output format.  If not specified, this defaults to `None`, which indicates that python `date` objects should be returned by `to_native`.  In this case the date encoding will be determined by the renderer.
+* `input_formats` - A list of strings representing the input formats which may be used to parse the date. If not specified, the `DATE_INPUT_FORMATS` setting will be used, which defaults to `['iso-8601']`. 
+
+Date format strings may either be [python strftime formats][strftime] which explicitly specifiy the format, or the special string `'iso-8601'`, which indicates that [ISO 8601][iso8601] style dates should be used. (eg `'2013-01-29'`)
+
 ## TimeField
 
 A time representation.
 
+Optionally takes `format` as parameter to replace the matching pattern.
+
 Corresponds to `django.db.models.fields.TimeField`
 
+**Signature:** `TimeField(format=None, input_formats=None)`
+
+* `format` - A string representing the output format.  If not specified, this defaults to `None`, which indicates that python `time` objects should be returned by `to_native`.  In this case the time encoding will be determined by the renderer.
+* `input_formats` - A list of strings representing the input formats which may be used to parse the date. If not specified, the `TIME_INPUT_FORMATS` setting will be used, which defaults to `['iso-8601']`.
+
+Time format strings may either be [python strftime formats][strftime] which explicitly specifiy the format, or the special string `'iso-8601'`, which indicates that [ISO 8601][iso8601] style times should be used. (eg `'12:34:56.000000'`)
+
 ## IntegerField
 
 An integer representation.
@@ -221,6 +248,12 @@ A floating point representation.
 
 Corresponds to `django.db.models.fields.FloatField`.
 
+## DecimalField
+
+A decimal representation.
+
+Corresponds to `django.db.models.fields.DecimalField`.
+
 ## FileField
 
 A file representation. Performs Django's standard FileField validation. 
@@ -250,5 +283,51 @@ Django's regular [FILE_UPLOAD_HANDLERS] are used for handling uploaded files.
 
 ---
 
+# Custom fields
+
+If you want to create a custom field, you'll probably want to override either one or both of the `.to_native()` and `.from_native()` methods.  These two methods are used to convert between the intial datatype, and a primative, serializable datatype.  Primative datatypes may be any of a number, string, date/time/datetime or None.  They may also be any list or dictionary like object that only contains other primative objects.
+
+The `.to_native()` method is called to convert the initial datatype into a primative, serializable datatype.  The `from_native()` method is called to restore a primative datatype into it's initial representation.
+
+## Examples
+
+Let's look at an example of serializing a class that represents an RGB color value:
+
+    class Color(object):
+        """
+        A color represented in the RGB colorspace.
+        """
+        def __init__(self, red, green, blue):
+            assert(red >= 0 and green >= 0 and blue >= 0)
+            assert(red < 256 and green < 256 and blue < 256)
+            self.red, self.green, self.blue = red, green, blue
+
+    class ColourField(serializers.WritableField):
+        """
+        Color objects are serialized into "rgb(#, #, #)" notation.
+        """
+        def to_native(self, obj):
+            return "rgb(%d, %d, %d)" % (obj.red, obj.green, obj.blue)
+      
+        def from_native(self, data):
+            data = data.strip('rgb(').rstrip(')')
+            red, green, blue = [int(col) for col in data.split(',')]
+            return Color(red, green, blue)
+            
+
+By default field values are treated as mapping to an attribute on the object.  If you need to customize how the field value is accessed and set you need to override `.field_to_native()` and/or `.field_from_native()`.
+
+As an example, let's create a field that can be used represent the class name of the object being serialized:
+
+    class ClassNameField(serializers.Field):
+        def field_to_native(self, obj, field_name):
+            """
+            Serialize the object's class name.
+            """
+            return obj.__class__
+
 [cite]: https://docs.djangoproject.com/en/dev/ref/forms/api/#django.forms.Form.cleaned_data
 [FILE_UPLOAD_HANDLERS]: https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-FILE_UPLOAD_HANDLERS
+[ecma262]: http://ecma-international.org/ecma-262/5.1/#sec-15.9.1.15
+[strftime]: http://docs.python.org/2/library/datetime.html#strftime-and-strptime-behavior
+[iso8601]: http://www.w3.org/TR/NOTE-datetime

docs/api-guide/pagination.md

@@ -93,7 +93,8 @@ The default pagination style may be set globally, using the `DEFAULT_PAGINATION_
 You can also set the pagination style on a per-view basis, using the `ListAPIView` generic class-based view.
 
     class PaginatedListView(ListAPIView):
-        model = ExampleModel
+        queryset = ExampleModel.objects.all()
+        serializer_class = ExampleModelSerializer
         paginate_by = 10
         paginate_by_param = 'page_size'
 

docs/api-guide/parsers.md

@@ -34,7 +34,8 @@ The default set of parsers may be set globally, using the `DEFAULT_PARSER_CLASSE
         )
     }
 
-You can also set the renderers used for an individual view, using the `APIView` class based views.
+You can also set the renderers used for an individual view, or viewset,
+using the `APIView` class based views.
 
     class ExampleView(APIView):
         """
@@ -101,6 +102,33 @@ You will typically want to use both `FormParser` and `MultiPartParser` together
 
 **.media_type**: `multipart/form-data`
 
+## FileUploadParser
+
+Parses raw file upload content.  The `request.DATA` property will be an empty `QueryDict`, and `request.FILES` will be a dictionary with a single key `'file'` containing the uploaded file.
+
+If the view used with `FileUploadParser` is called with a `filename` URL keyword argument, then that argument will be used as the filename.  If it is called without a `filename` URL keyword argument, then the client must set the filename in the `Content-Disposition` HTTP header.  For example `Content-Disposition: attachment; filename=upload.jpg`.
+
+**.media_type**: `*/*`
+
+##### Notes:
+
+* The `FileUploadParser` is for usage with native clients that can upload the file as a raw data request.  For web-based uploads, or for native clients with multipart upload support, you should use the `MultiPartParser` parser instead.
+* Since this parser's `media_type` matches any content type, `FileUploadParser` should generally be the only parser set on an API view.
+* `FileUploadParser` respects Django's standard `FILE_UPLOAD_HANDLERS` setting, and the `request.upload_handlers` attribute.  See the [Django documentation][upload-handlers] for more details.
+
+##### Basic usage example:
+
+    class FileUploadView(views.APIView):
+        parser_classes = (FileUploadParser,)
+
+        def put(self, request, filename, format=None):
+            file_obj = request.FILES['file']
+            # ...
+            # do some staff with uploaded file
+            # ...
+            return Response(status=204)
+
+
 ---
 
 # Custom parsers
@@ -144,35 +172,6 @@ The following is an example plaintext parser that will populate the `request.DAT
         """
         return stream.read()
 
-## Uploading file content
-
-If your custom parser needs to support file uploads, you may return a `DataAndFiles` object from the `.parse()` method.  `DataAndFiles` should be instantiated with two arguments.  The first argument will be used to populate the `request.DATA` property, and the second argument will be used to populate the `request.FILES` property.
-
-For example:
-
-    class SimpleFileUploadParser(BaseParser):
-        """
-        A naive raw file upload parser.
-        """
-        media_type = '*/*'  # Accept anything
-
-        def parse(self, stream, media_type=None, parser_context=None):
-            content = stream.read()
-            name = 'example.dat'
-            content_type = 'application/octet-stream'
-            size = len(content)
-            charset = 'utf-8'
-
-            # Write a temporary file based on the request content
-            temp = tempfile.NamedTemporaryFile(delete=False)
-            temp.write(content)
-            uploaded = UploadedFile(temp, name, content_type, size, charset)
-
-            # Return the uploaded file
-            data = {}
-            files = {name: uploaded}
-            return DataAndFiles(data, files)
-
 ---
 
 # Third party packages
@@ -185,6 +184,7 @@ The following third party packages are also available.
 
 [jquery-ajax]: http://api.jquery.com/jQuery.ajax/
 [cite]: https://groups.google.com/d/topic/django-developers/dxI4qVzrBY4/discussion
+[upload-handlers]: https://docs.djangoproject.com/en/dev/topics/http/file-uploads/#upload-handlers
 [messagepack]: https://github.com/juanriaza/django-rest-framework-msgpack
 [juanriaza]: https://github.com/juanriaza
 [djangorestframework-msgpack]: https://github.com/juanriaza/django-rest-framework-msgpack

docs/api-guide/permissions.md

@@ -21,7 +21,12 @@ If any permission check fails an `exceptions.PermissionDenied` exception will be
 
 REST framework permissions also support object-level permissioning.  Object level permissions are used to determine if a user should be allowed to act on a particular object, which will typically be a model instance.
 
-Object level permissions are run by REST framework's generic views when `.get_object()` is called.  As with view level permissions, an `exceptions.PermissionDenied` exception will be raised if the user is not allowed to act on the given object.
+Object level permissions are run by REST framework's generic views when `.get_object()` is called.
+As with view level permissions, an `exceptions.PermissionDenied` exception will be raised if the user is not allowed to act on the given object.
+
+If you're writing your own views and want to enforce object level permissions,
+you'll need to explicitly call the `.check_object_permissions(request, obj)` method on the view at the point at which you've retrieved the object.
+This will either raise a `PermissionDenied` or `NotAuthenticated` exception, or simply return if the view has the appropriate permissions.
 
 ## Setting the permission policy
 
@@ -39,7 +44,8 @@ If not specified, this setting defaults to allowing unrestricted access:
        'rest_framework.permissions.AllowAny',
     )
 
-You can also set the authentication policy on a per-view basis, using the `APIView` class based views.
+You can also set the authentication policy on a per-view, or per-viewset basis,
+using the `APIView` class based views.
 
     class ExampleView(APIView):
         permission_classes = (IsAuthenticated,)
@@ -90,7 +96,7 @@ This permission is suitable if you want to your API to allow read permissions to
 
 ## DjangoModelPermissions
 
-This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth].  When applied to a view that has a `.model` property, authorization will only be granted if the user has the relevant model permissions assigned.
+This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth].  When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned.
 
 * `POST` requests require the user to have the `add` permission on the model.
 * `PUT` and `PATCH` requests require the user to have the `change` permission on the model.
@@ -100,6 +106,25 @@ The default behaviour can also be overridden to support custom model permissions
 
 To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property.  Refer to the source code for details.
 
+## DjangoModelPermissionsOrAnonReadOnly
+
+Similar to `DjangoModelPermissions`, but also allows unauthenticated users to have  read-only access to the API.
+
+## TokenHasReadWriteScope
+
+This permission class is intended for use with either of the `OAuthAuthentication` and `OAuth2Authentication` classes, and ties into the scoping that their backends provide.
+
+Requests with a safe methods of `GET`, `OPTIONS` or `HEAD` will be allowed if the authenticated token has read permission.
+
+Requests for `POST`, `PUT`, `PATCH` and `DELETE` will be allowed if the authenticated token has write permission.
+
+This permission class relies on the implementations of the [django-oauth-plus][django-oauth-plus] and [django-oauth2-provider][django-oauth2-provider] libraries, which both provide limited support for controlling the scope of access tokens:
+
+* `django-oauth-plus`: Tokens are associated with a `Resource` class which has a `name`, `url` and `is_readonly` properties.
+* `django-oauth2-provider`: Tokens are associated with a bitwise `scope` attribute, that defaults to providing bitwise values for `read` and/or `write`.
+
+If you require more advanced scoping for your API, such as restricting tokens to accessing a subset of functionality of your API then you will need to provide a custom permission class.  See the source of the `django-oauth-plus` or `django-oauth2-provider` package for more details on scoping token access.
+
 ---
 
 # Custom permissions
@@ -168,5 +193,7 @@ Also note that the generic views will only check the object-level permissions fo
 [throttling]: throttling.md
 [contribauth]: https://docs.djangoproject.com/en/1.0/topics/auth/#permissions
 [guardian]: https://github.com/lukaszb/django-guardian
+[django-oauth-plus]: http://code.larlet.fr/django-oauth-plus
+[django-oauth2-provider]: https://github.com/caffeinehit/django-oauth2-provider
 [2.2-announcement]: ../topics/2.2-announcement.md
 [filtering]: filtering.md

docs/api-guide/relations.md

@@ -123,9 +123,9 @@ Would serialize to a representation like this:
         'album_name': 'Graceland',
         'artist': 'Paul Simon'
         'tracks': [
-            'http://www.example.com/api/tracks/45',
-            'http://www.example.com/api/tracks/46',
-            'http://www.example.com/api/tracks/47',
+            'http://www.example.com/api/tracks/45/',
+            'http://www.example.com/api/tracks/46/',
+            'http://www.example.com/api/tracks/47/',
             ...
         ]
     }
@@ -138,9 +138,7 @@ By default this field is read-write, although you can change this behavior using
 * `many` - If applied to a to-many relationship, you should set this argument to `True`.
 * `required` - If set to `False`, the field will accept values of `None` or the empty-string for nullable relationships.
 * `queryset` - By default `ModelSerializer` classes will use the default queryset for the relationship.  `Serializer` classes must either set a queryset explicitly, or set `read_only=True`.
-* `slug_field` - The field on the target that should be used for the lookup. Default is `'slug'`.
-* `pk_url_kwarg` - The named url parameter for the pk field lookup. Default is `pk`.
-* `slug_url_kwarg` - The named url parameter for the slug field lookup. Default is to use the same value as given for `slug_field`.
+* `lookup_field` - The field on the target that should be used for the lookup.  Should correspond to a URL keyword argument on the referenced view. Default is `'pk'`.
 * `format` - If using format suffixes, hyperlinked fields will use the same format suffix for the target unless overridden by using the `format` argument.
 
 ## SlugRelatedField
@@ -196,7 +194,7 @@ Would serialize to a representation like this:
     {
         'album_name': 'The Eraser',
         'artist': 'Thom Yorke'
-        'track_listing': 'http://www.example.com/api/track_list/12',
+        'track_listing': 'http://www.example.com/api/track_list/12/',
     }
 
 This field is always read-only.
@@ -204,9 +202,7 @@ This field is always read-only.
 **Arguments**:
 
 * `view_name` - The view name that should be used as the target of the relationship.  **required**.
-* `slug_field` - The field on the target that should be used for the lookup. Default is `'slug'`.
-* `pk_url_kwarg` - The named url parameter for the pk field lookup. Default is `pk`.
-* `slug_url_kwarg` - The named url parameter for the slug field lookup. Default is to use the same value as given for `slug_field`.
+* `lookup_field` - The field on the target that should be used for the lookup.  Should correspond to a URL keyword argument on the referenced view. Default is `'pk'`.
 * `format` - If using format suffixes, hyperlinked fields will use the same format suffix for the target unless overridden by using the `format` argument.
 
 ---
@@ -291,32 +287,23 @@ This custom field would then serialize to the following representation.
 
 ## Reverse relations
 
-Note that reverse relationships are not automatically generated by the `ModelSerializer` and `HyperlinkedModelSerializer` classes.  To include a reverse relationship, you cannot simply add it to the fields list.
-
-**The following will not work:**
+Note that reverse relationships are not automatically included by the `ModelSerializer` and `HyperlinkedModelSerializer` classes.  To include a reverse relationship, you must explicitly add it to the fields list.  For example:
 
     class AlbumSerializer(serializers.ModelSerializer):
         class Meta:
             fields = ('tracks', ...)
 
-Instead, you must explicitly add it to the serializer.  For example:
-
-    class AlbumSerializer(serializers.ModelSerializer):
-        tracks = serializers.PrimaryKeyRelatedField(many=True)
-        ...
-
-By default, the field will uses the same accessor as it's field name to retrieve the relationship, so in this example, `Album` instances would need to have the `tracks` attribute for this relationship to work.
-
-The best way to ensure this is typically to make sure that the relationship on the model definition has it's `related_name` argument properly set.  For example:
+You'll normally want to ensure that you've set an appropriate `related_name` argument on the relationship, that you can use as the field name.  For example:
 
     class Track(models.Model):
         album = models.ForeignKey(Album, related_name='tracks')
         ...
 
-Alternatively, you can use the `source` argument on the serializer field, to use a different accessor attribute than the field name.  For example.
+If you have not set a related name for the reverse relationship, you'll need to use the automatically generated related name in the `fields` argument.  For example:
 
     class AlbumSerializer(serializers.ModelSerializer):
-        tracks = serializers.PrimaryKeyRelatedField(many=True, source='track_set')
+        class Meta:
+            fields = ('track_set', ...) 
 
 See the Django documentation on [reverse relationships][reverse-relationships] for more details.
 
@@ -394,6 +381,40 @@ Note that reverse generic keys, expressed using the `GenericRelation` field, can
 
 For more information see [the Django documentation on generic relations][generic-relations].
 
+## Advanced Hyperlinked fields
+
+If you have very specific requirements for the style of your hyperlinked relationships you can override `HyperlinkedRelatedField`. 
+
+There are two methods you'll need to override.
+
+#### get_url(self, obj, view_name, request, format)
+
+This method should return the URL that corresponds to the given object.
+
+May raise a `NoReverseMatch` if the `view_name` and `lookup_field`
+attributes are not configured to correctly match the URL conf.
+
+#### get_object(self, queryset, view_name, view_args, view_kwargs)
+
+
+This method should the object that corresponds to the matched URL conf arguments.
+
+May raise an `ObjectDoesNotExist` exception.
+
+### Example
+
+For example, if all your object URLs used both a account and a slug in the the URL to reference the object, you might create a custom field like this: 
+
+    class CustomHyperlinkedField(serializers.HyperlinkedRelatedField):
+        def get_url(self, obj, view_name, request, format):
+            kwargs = {'account': obj.account, 'slug': obj.slug}
+            return reverse(view_name, kwargs=kwargs, request=request, format=format)
+
+        def get_object(self, queryset, view_name, view_args, view_kwargs):
+            account = view_kwargs['account']
+            slug = view_kwargs['slug']
+            return queryset.get(account=account, slug=sug)
+
 ---
 
 ## Deprecated APIs

docs/api-guide/renderers.md

@@ -27,7 +27,8 @@ The default set of renderers may be set globally, using the `DEFAULT_RENDERER_CL
         )
     }
 
-You can also set the renderers used for an individual view, using the `APIView` class based views.
+You can also set the renderers used for an individual view, or viewset,
+using the `APIView` class based views.
 
     class UserCountView(APIView):
         """
@@ -56,7 +57,7 @@ Or, if you're using the `@api_view` decorator with function based views.
 
 It's important when specifying the renderer classes for your API to think about what priority you want to assign to each media type.  If a client underspecifies the representations it can accept, such as sending an `Accept: */*` header, or not including an `Accept` header at all, then REST framework will select the first renderer in the list to use for the response.
 
-For example if your API serves JSON responses and the HTML browseable API, you might want to make `JSONRenderer` your default renderer, in order to send `JSON` responses to clients that do not specify an `Accept` header.
+For example if your API serves JSON responses and the HTML browsable API, you might want to make `JSONRenderer` your default renderer, in order to send `JSON` responses to clients that do not specify an `Accept` header.
 
 If your API includes views that can serve both regular webpages and API responses depending on the request, then you might consider making `TemplateHTMLRenderer` your default renderer, in order to play nicely with older browsers that send [broken accept headers][browser-accept-headers].
 
@@ -127,7 +128,7 @@ An example of a view that uses `TemplateHTMLRenderer`:
         """
         A view that returns a templated HTML representations of a given user.
         """
-        model = Users
+        queryset = User.objects.all()
         renderer_classes = (TemplateHTMLRenderer,)
 
         def get(self, request, *args, **kwargs)
@@ -166,7 +167,7 @@ See also: `TemplateHTMLRenderer`
 
 ## BrowsableAPIRenderer
 
-Renders data into HTML for the Browseable API.  This renderer will determine which other renderer would have been given highest priority, and use that to display an API style response within the HTML page.
+Renders data into HTML for the Browsable API.  This renderer will determine which other renderer would have been given highest priority, and use that to display an API style response within the HTML page.
 
 **.media_type**: `text/html`
 

docs/api-guide/routers.md

+<a class="github" href="routers.py"></a>
+
+# Routers
+
+> Resource routing allows you to quickly declare all of the common routes for a given resourceful controller. Instead of declaring separate routes for your index... a resourceful route declares them in a single line of code.
+>
+> &mdash; [Ruby on Rails Documentation][cite]
+
+Some Web frameworks such as Rails provide functionality for automatically determining how the URLs for an application should be mapped to the logic that deals with handling incoming requests.
+
+REST framework adds support for automatic URL routing to Django, and provides you with a simple, quick and consistent way of wiring your view logic to a set of URLs.
+
+## Usage
+
+Here's an example of a simple URL conf, that uses `DefaultRouter`.
+
+    router = routers.SimpleRouter()
+    router.register(r'users', UserViewSet)
+    router.register(r'accounts', AccountViewSet)
+    urlpatterns = router.urls
+
+There are two mandatory arguments to the `register()` method:
+
+* `prefix` - The URL prefix to use for this set of routes.
+* `viewset` - The viewset class.
+
+Optionally, you may also specify an additional argument:
+
+* `base_name` - The base to use for the URL names that are created.  If unset the basename will be automatically generated based on the `model` or `queryset` attribute on the viewset, if it has one.
+
+The example above would generate the following URL patterns:
+
+* URL pattern: `^users/$`  Name: `'user-list'`
+* URL pattern: `^users/{pk}/$`  Name: `'user-detail'`
+* URL pattern: `^accounts/$`  Name: `'account-list'`
+* URL pattern: `^accounts/{pk}/$`  Name: `'account-detail'`
+
+### Extra link and actions
+
+Any methods on the viewset decorated with `@link` or `@action` will also be routed.
+For example, a given method like this on the `UserViewSet` class:
+
+    @action(permission_classes=[IsAdminOrIsSelf])
+    def set_password(self, request, pk=None):
+        ...
+
+The following URL pattern would additionally be generated:
+
+* URL pattern: `^users/{pk}/set_password/$`  Name: `'user-set-password'`
+
+# API Guide
+
+## SimpleRouter
+
+This router includes routes for the standard set of `list`, `create`, `retrieve`, `update`, `partial_update` and `destroy` actions.  The viewset can also mark additional methods to be routed, using the `@link` or `@action` decorators.
+
+<table border=1>
+    <tr><th>URL Style</th><th>HTTP Method</th><th>Action</th><th>URL Name</th></tr>
+    <tr><td rowspan=2>{prefix}/</td><td>GET</td><td>list</td><td rowspan=2>{basename}-list</td></tr></tr>
+    <tr><td>POST</td><td>create</td></tr>
+    <tr><td rowspan=4>{prefix}/{lookup}/</td><td>GET</td><td>retrieve</td><td rowspan=4>{basename}-detail</td></tr></tr>
+    <tr><td>PUT</td><td>update</td></tr>
+    <tr><td>PATCH</td><td>partial_update</td></tr>
+    <tr><td>DELETE</td><td>destroy</td></tr>
+    <tr><td rowspan=2>{prefix}/{lookup}/{methodname}/</td><td>GET</td><td>@link decorated method</td><td rowspan=2>{basename}-{methodname}</td></tr>
+    <tr><td>POST</td><td>@action decorated method</td></tr>
+</table>
+
+## DefaultRouter
+
+This router is similar to `SimpleRouter` as above, but additionally includes a default API root view, that returns a response containing hyperlinks to all the list views.  It also generates routes for optional `.json` style format suffixes.
+
+<table border=1>
+    <tr><th>URL Style</th><th>HTTP Method</th><th>Action</th><th>URL Name</th></tr>
+    <tr><td>[.format]</td><td>GET</td><td>automatically generated root view</td><td>api-root</td></tr></tr>
+    <tr><td rowspan=2>{prefix}/[.format]</td><td>GET</td><td>list</td><td rowspan=2>{basename}-list</td></tr></tr>
+    <tr><td>POST</td><td>create</td></tr>
+    <tr><td rowspan=4>{prefix}/{lookup}/[.format]</td><td>GET</td><td>retrieve</td><td rowspan=4>{basename}-detail</td></tr></tr>
+    <tr><td>PUT</td><td>update</td></tr>
+    <tr><td>PATCH</td><td>partial_update</td></tr>
+    <tr><td>DELETE</td><td>destroy</td></tr>
+    <tr><td rowspan=2>{prefix}/{lookup}/{methodname}/[.format]</td><td>GET</td><td>@link decorated method</td><td rowspan=2>{basename}-{methodname}</td></tr>
+    <tr><td>POST</td><td>@action decorated method</td></tr>
+</table>
+
+# Custom Routers
+
+Implementing a custom router isn't something you'd need to do very often, but it can be useful if you have specfic requirements about how the your URLs for your API are strutured.  Doing so allows you to encapsulate the URL structure in a reusable way that ensures you don't have to write your URL patterns explicitly for each new view.
+
+The simplest way to implement a custom router is to subclass one of the existing router classes.  The `.routes` attribute is used to template the URL patterns that will be mapped to each viewset. 
+
+## Example
+
+The following example will only route to the `list` and `retrieve` actions, and unlike the routers included by REST framework, it does not use the trailing slash convention.
+
+    class ReadOnlyRouter(SimpleRouter):
+        """
+        A router for read-only APIs, which doesn't use trailing suffixes.
+        """
+        routes = [
+            (r'^{prefix}$', {'get': 'list'}, '{basename}-list'),
+            (r'^{prefix}/{lookup}$', {'get': 'retrieve'}, '{basename}-detail')
+        ]
+
+## Advanced custom routers
+
+If you want to provide totally custom behavior, you can override `BaseRouter` and override the `get_urls(self)` method.  The method should insect the registered viewsets and return a list of URL patterns.  The registered prefix, viewset and basename tuples may be inspected by accessing the `self.registry` attribute.  
+
+You may also want to override the `get_default_base_name(self, viewset)` method, or else always explicitly set the `base_name` argument when registering your viewsets with the router.
+
+[cite]: http://guides.rubyonrails.org/routing.html

docs/api-guide/settings.md

@@ -34,7 +34,11 @@ The `api_settings` object will check for any user-defined settings, and otherwis
 
 # API Reference
 
-## DEFAULT_RENDERER_CLASSES
+## API policy settings
+
+*The following settings control the basic API policies, and are applied to every `APIView` class based view, or `@api_view` function based view.*
+
+#### DEFAULT_RENDERER_CLASSES
 
 A list or tuple of renderer classes, that determines the default set of renderers that may be used when returning a `Response` object.
 
@@ -45,7 +49,7 @@ Default:
         'rest_framework.renderers.BrowsableAPIRenderer',
     )
 
-## DEFAULT_PARSER_CLASSES
+#### DEFAULT_PARSER_CLASSES
 
 A list or tuple of parser classes, that determines the default set of parsers used when accessing the `request.DATA` property.
 
@@ -57,7 +61,7 @@ Default:
         'rest_framework.parsers.MultiPartParser'
     )
 
-## DEFAULT_AUTHENTICATION_CLASSES
+#### DEFAULT_AUTHENTICATION_CLASSES
 
 A list or tuple of authentication classes, that determines the default set of authenticators used when accessing the `request.user` or `request.auth` properties.
 
@@ -68,7 +72,7 @@ Default:
         'rest_framework.authentication.BasicAuthentication'
     )
 
-## DEFAULT_PERMISSION_CLASSES
+#### DEFAULT_PERMISSION_CLASSES
 
 A list or tuple of permission classes, that determines the default set of permissions checked at the start of a view.
 
@@ -78,59 +82,78 @@ Default:
         'rest_framework.permissions.AllowAny',
     )
 
-## DEFAULT_THROTTLE_CLASSES
+#### DEFAULT_THROTTLE_CLASSES
 
 A list or tuple of throttle classes, that determines the default set of throttles checked at the start of a view.
 
 Default: `()`
 
-## DEFAULT_CONTENT_NEGOTIATION_CLASS
+#### DEFAULT_CONTENT_NEGOTIATION_CLASS
 
 A content negotiation class, that determines how a renderer is selected for the response, given an incoming request.
 
 Default: `'rest_framework.negotiation.DefaultContentNegotiation'`
 
-## DEFAULT_MODEL_SERIALIZER_CLASS
+---
+
+## Generic view settings
+
+*The following settings control the behavior of the generic class based views.*
+
+#### DEFAULT_MODEL_SERIALIZER_CLASS
 
 A class that determines the default type of model serializer that should be used by a generic view if `model` is specified, but `serializer_class` is not provided.
 
 Default: `'rest_framework.serializers.ModelSerializer'`
 
-## DEFAULT_PAGINATION_SERIALIZER_CLASS
+#### DEFAULT_PAGINATION_SERIALIZER_CLASS
 
 A class the determines the default serialization style for paginated responses.
 
 Default: `rest_framework.pagination.PaginationSerializer`
 
-## FILTER_BACKEND
+#### DEFAULT_FILTER_BACKENDS
 
-The filter backend class that should be used for generic filtering.  If set to `None` then generic filtering is disabled.
+A list of filter backend classes that should be used for generic filtering.
+If set to `None` then generic filtering is disabled.
 
-## PAGINATE_BY
+#### PAGINATE_BY
 
 The default page size to use for pagination.  If set to `None`, pagination is disabled by default.
 
 Default: `None`
 
-## PAGINATE_BY_PARAM
+#### PAGINATE_BY_PARAM
 
 The name of a query parameter, which can be used by the client to overide the default page size to use for pagination.  If set to `None`, clients may not override the default page size.
 
 Default: `None`
 
-## UNAUTHENTICATED_USER
+---
+
+## Authentication settings
+
+*The following settings control the behavior of unauthenticated requests.*
+
+#### UNAUTHENTICATED_USER
 
 The class that should be used to initialize `request.user` for unauthenticated requests.
 
 Default: `django.contrib.auth.models.AnonymousUser`
 
-## UNAUTHENTICATED_TOKEN
+#### UNAUTHENTICATED_TOKEN
 
 The class that should be used to initialize `request.auth` for unauthenticated requests.
 
 Default: `None`
 
-## FORM_METHOD_OVERRIDE
+---
+
+## Browser overrides
+
+*The following settings provide URL or form-based overrides of the default browser behavior.*
+
+#### FORM_METHOD_OVERRIDE
 
 The name of a form field that may be used to override the HTTP method of the form.
 
@@ -138,7 +161,7 @@ If the value of this setting is `None` then form method overloading will be disa
 
 Default: `'_method'`
 
-## FORM_CONTENT_OVERRIDE
+#### FORM_CONTENT_OVERRIDE
 
 The name of a form field that may be used to override the content of the form payload.  Must be used together with `FORM_CONTENTTYPE_OVERRIDE`.
 
@@ -146,7 +169,7 @@ If either setting is `None` then form content overloading will be disabled.
 
 Default: `'_content'`
 
-## FORM_CONTENTTYPE_OVERRIDE
+#### FORM_CONTENTTYPE_OVERRIDE
 
 The name of a form field that may be used to override the content type of the form payload.  Must be used together with `FORM_CONTENT_OVERRIDE`.
 
@@ -154,7 +177,7 @@ If either setting is `None` then form content overloading will be disabled.
 
 Default: `'_content_type'`
 
-## URL_ACCEPT_OVERRIDE
+#### URL_ACCEPT_OVERRIDE
 
 The name of a URL parameter that may be used to override the HTTP `Accept` header.
 
@@ -162,16 +185,75 @@ If the value of this setting is `None` then URL accept overloading will be disab
 
 Default: `'accept'`
 
-## URL_FORMAT_OVERRIDE
+#### URL_FORMAT_OVERRIDE
 
 The name of a URL parameter that may be used to override the default `Accept` header based content negotiation.
 
 Default: `'format'`
 
-## FORMAT_SUFFIX_KWARG
+---
+
+## Date and time formatting
+
+*The following settings are used to control how date and time representations may be parsed and rendered.*
+
+#### DATETIME_FORMAT
+
+A format string that should be used by default for rendering the output of `DateTimeField` serializer fields.  If `None`, then `DateTimeField` serializer fields will return python `datetime` objects, and the datetime encoding will be determined by the renderer.
+
+May be any of `None`, `'iso-8601'` or a python [strftime format][strftime] string.
+
+Default: `None`
+
+#### DATETIME_INPUT_FORMATS
+
+A list of format strings that should be used by default for parsing inputs to `DateTimeField` serializer fields.
+
+May be a list including the string `'iso-8601'` or python [strftime format][strftime] strings.
+
+Default: `['iso-8601']`
+
+#### DATE_FORMAT
+
+A format string that should be used by default for rendering the output of `DateField` serializer fields.  If `None`, then `DateField` serializer fields will return python `date` objects, and the date encoding will be determined by the renderer.
+
+May be any of `None`, `'iso-8601'` or a python [strftime format][strftime] string.
+
+Default: `None`
+
+#### DATE_INPUT_FORMATS
+
+A list of format strings that should be used by default for parsing inputs to `DateField` serializer fields.
+
+May be a list including the string `'iso-8601'` or python [strftime format][strftime] strings.
+
+Default: `['iso-8601']`
+
+#### TIME_FORMAT
+
+A format string that should be used by default for rendering the output of `TimeField` serializer fields.  If `None`, then `TimeField` serializer fields will return python `time` objects, and the time encoding will be determined by the renderer.
+
+May be any of `None`, `'iso-8601'` or a python [strftime format][strftime] string.
+
+Default: `None`
+
+#### TIME_INPUT_FORMATS
+
+A list of format strings that should be used by default for parsing inputs to `TimeField` serializer fields.
+
+May be a list including the string `'iso-8601'` or python [strftime format][strftime] strings.
+
+Default: `['iso-8601']`
+
+---
+
+## Miscellaneous settings
+
+#### FORMAT_SUFFIX_KWARG
 
 The name of a parameter in the URL conf that may be used to provide a format suffix.
 
 Default: `'format'`
 
 [cite]: http://www.python.org/dev/peps/pep-0020/
+[strftime]: http://docs.python.org/2/library/time.html#time.strftime

docs/api-guide/throttling.md

@@ -40,7 +40,8 @@ The default throttling policy may be set globally, using the `DEFAULT_THROTTLE_C
 
 The rate descriptions used in `DEFAULT_THROTTLE_RATES` may include `second`, `minute`, `hour` or `day` as the throttle period.
 
-You can also set the throttling policy on a per-view basis, using the `APIView` class based views.
+You can also set the throttling policy on a per-view or per-viewset basis,
+using the `APIView` class based views.
 
     class ExampleView(APIView):
         throttle_classes = (UserThrottle,)

docs/api-guide/viewsets.md

+<a class="github" href="viewsets.py"></a>
+
+# ViewSets
+
+> After routing has determined which controller to use for a request, your controller is responsible for making sense of the request and producing the appropriate output.
+>
+> &mdash; [Ruby on Rails Documentation][cite]
+
+
+Django REST framework allows you to combine the logic for a set of related views in a single class, called a `ViewSet`.  In other frameworks you may also find conceptually similar implementations named something like 'Resources' or 'Controllers'.
+
+A `ViewSet` class is simply **a type of class-based View, that does not provide any method handlers** such as `.get()` or `.post()`, and instead provides actions such as `.list()` and `.create()`.
+
+The method handlers for a `ViewSet` are only bound to the corresponding actions at the point of finalizing the view, using the `.as_view()` method.
+
+Typically, rather than explicitly registering the views in a viewset in the urlconf, you'll register the viewset with a router class, that automatically determines the urlconf for you.
+
+## Example
+
+Let's define a simple viewset that can be used to list or retrieve all the users in the system.
+
+    class UserViewSet(viewsets.ViewSet):
+        """
+        A simple ViewSet that for listing or retrieving users.
+        """
+        def list(self, request):
+            queryset = User.objects.all()
+            serializer = UserSerializer(queryset, many=True)
+            return Response(serializer.data)
+            
+        def retrieve(self, request, pk=None):
+            queryset = User.objects.all()
+            user = get_object_or_404(queryset, pk=pk)
+            serializer = UserSerializer(user)
+            return Response(serializer.data)
+
+If we need to, we can bind this viewset into two seperate views, like so:
+
+    user_list = UserViewSet.as_view({'get': 'list'})
+    user_detail = UserViewSet.as_view({'get': 'retrieve'})
+
+Typically we wouldn't do this, but would instead register the viewset with a router, and allow the urlconf to be automatically generated.
+
+    router = DefaultRouter()
+    router.register(r'users', UserViewSet)
+    urlpatterns = router.urls
+
+Rather than writing your own viewsets, you'll often want to use the existing base classes that provide a default set of behavior.  For example:
+
+    class UserViewSet(viewsets.ModelViewSet):
+        """
+        A viewset for viewing and editing user instances.
+        """
+        serializer_class = UserSerializer
+        queryset = User.objects.all()
+
+There are two main advantages of using a `ViewSet` class over using a `View` class.
+
+* Repeated logic can be combined into a single class.  In the above example, we only need to specify the `queryset` once, and it'll be used across multiple views.
+* By using routers, we no longer need to deal with wiring up the URL conf ourselves.
+
+Both of these come with a trade-off.  Using regular views and URL confs is more explicit and gives you more control.  ViewSets are helpful if you want to get up and running quickly, or when you have a large API and you want to enforce a consistent URL configuration throughout.
+
+## Marking extra methods for routing
+
+The default routers included with REST framework will provide routes for a standard set of create/retrieve/update/destroy style operations, as shown below:
+
+    class UserViewSet(viewsets.VietSet):
+        """
+        Example empty viewset demonstrating the standard
+        actions that will be handled by a router class.
+        
+        If you're using format suffixes, make sure to also include
+        the `format=None` keyword argument for each action.
+        """
+
+        def list(self, request):
+            pass
+
+        def create(self, request):
+            pass
+
+        def retrieve(self, request, pk=None):
+            pass
+
+        def update(self, request, pk=None):
+            pass
+
+        def partial_update(self, request, pk=None):
+            pass
+
+        def destroy(self, request, pk=None):
+            pass
+
+If you have ad-hoc methods that you need to be routed to, you can mark them as requiring routing using the `@link` or `@action` decorators.  The `@link` decorator will route `GET` requests, and the `@action` decroator will route `POST` requests.
+
+For example:
+
+    from django.contrib.auth.models import User
+    from rest_framework import viewsets
+    from rest_framework.decorators import action
+    from myapp.serializers import UserSerializer
+
+    class UserViewSet(viewsets.ModelViewSet):
+        """
+        A viewset that provides the standard actions 
+        """
+        queryset = User.objects.all()
+        serializer_class = UserSerializer
+        
+        @action
+        def set_password(self, request, pk=None):
+            user = self.get_object()
+            serializer = PasswordSerializer(data=request.DATA)
+            if serializer.is_valid():
+                user.set_password(serializer.data['password'])
+                user.save()
+                return Response({'status': 'password set'})
+            else:
+                return Response(serializer.errors,
+                                status=status.HTTP_400_BAD_REQUEST)
+
+The `@action` and `@link` decorators can additionally take extra arguments that will be set for the routed view only.  For example...
+
+        @action(permission_classes=[IsAdminOrIsSelf])
+        def set_password(self, request, pk=None):
+           ...
+
+---
+
+# API Reference
+
+## ViewSet
+
+The `ViewSet` class inherits from `APIView`.  You can use any of the standard attributes such as `permission_classes`, `authentication_classes` in order to control the API policy on the viewset.
+
+The `ViewSet` class does not provide any implementations of actions.  In order to use a `ViewSet` class you'll override the class and define the action implementations explicitly.
+
+## GenericViewSet
+
+The `GenericViewSet` class inherits from `GenericAPIView`, and provides the default set of `get_object`, `get_queryset` methods and other generic view base behavior, but does not include any actions by default.
+
+In order to use a `GenericViewSet` class you'll override the class and either mixin the required mixin classes, or define the action implementations explicitly.
+
+## ModelViewSet
+
+The `ModelViewSet` class inherits from `GenericAPIView` and includes implementations for various actions, by mixing in the behavior of the various mixin classes.
+
+The actions provided by the `ModelViewSet` class are `.list()`, `.retrieve()`,  `.create()`, `.update()`, and `.destroy()`.
+
+#### Example
+
+Because `ModelViewSet` extends `GenericAPIView`, you'll normally need to provide at least the `queryset` and `serializer_class` attributes.  For example:
+
+    class AccountViewSet(viewsets.ModelViewSet):
+        """
+        A simple ViewSet for viewing and editing accounts.
+        """
+        queryset = Account.objects.all()
+        serializer_class = AccountSerializer
+        permission_classes = [IsAccountAdminOrReadOnly]
+
+Note that you can use any of the standard attributes or method overrides provided by `GenericAPIView`.  For example, to use a `ViewSet` that dynamically determines the queryset it should operate on, you might do something like this:
+
+    class AccountViewSet(viewsets.ModelViewSet):
+        """
+        A simple ViewSet for viewing and editing the accounts
+        associated with the user.
+        """
+        serializer_class = AccountSerializer
+        permission_classes = [IsAccountAdminOrReadOnly]
+
+        def get_queryset(self):
+            return request.user.accounts.all()
+
+Also note that although this class provides the complete set of create/list/retrieve/update/destroy actions by default, you can restrict the available operations by using the standard permission classes.
+
+## ReadOnlyModelViewSet
+
+The `ReadOnlyModelViewSet` class also inherits from `GenericAPIView`.  As with `ModelViewSet` it also includes implementations for various actions, but unlike `ModelViewSet` only provides the 'read-only' actions, `.list()` and `.retrieve()`.
+
+#### Example
+
+As with `ModelViewSet`, you'll normally need to provide at least the `queryset` and `serializer_class` attributes.  For example:
+
+    class AccountViewSet(viewsets.ReadOnlyModelViewSet):
+        """
+        A simple ViewSet for viewing accounts.
+        """
+        queryset = Account.objects.all()
+        serializer_class = AccountSerializer
+
+Again, as with `ModelViewSet`, you can use any of the standard attributes and method overrides available to `GenericAPIView`.
+
+# Custom ViewSet base classes 
+
+You may need to provide custom `ViewSet` classes that do not have the full set of `ModelViewSet` actions, or that customize the behavior in some other way.
+
+## Example
+
+To create a base viewset class that provides `create`, `list` and `retrieve` operations, inherit from `GenericViewSet`, and mixin the required actions:
+
+    class CreateListRetrieveViewSet(mixins.CreateMixin,
+                                    mixins.ListMixin,
+                                    mixins.RetrieveMixin,
+                                    viewsets.GenericViewSet):
+        pass
+
+        """
+        A viewset that provides `retrieve`, `update`, and `list` actions.
+        
+        To use it, override the class and set the `.queryset` and
+        `.serializer_class` attributes.
+        """
+        pass
+
+By creating your own base `ViewSet` classes, you can provide common behavior that can be reused in multiple viewsets across your API.
+
+[cite]: http://guides.rubyonrails.org/routing.html

docs/css/default.css

@@ -47,7 +47,7 @@ body.index-page #main-content iframe.twitter-share-button {
 body.index-page #main-content img.travis-build-image {
     float: right;
     margin-right: 8px;
-    margin-top: -9px;
+    margin-top: -11px;
     margin-bottom: 0px;
 }
 
@@ -277,3 +277,24 @@ footer a {
 footer a:hover {
   color: gray;
 }
+
+.btn-inverse {
+  background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#606060), to(#404040)) !important;
+  background-image: -webkit-linear-gradient(top, #606060, #404040) !important;
+}
+
+.modal-open .modal,.btn:focus{outline:none;}
+
+@media (max-width: 650px) {
+  .repo-link.btn-inverse {display: none;}
+}
+
+td, th {
+  padding: 0.25em;
+  background-color: #f7f7f9;
+  border-color: #e1e1e8;
+}
+
+table {
+  border-color: white;
+}

docs/index.md

@@ -9,17 +9,21 @@
 
 # Django REST framework
 
-**A toolkit for building well-connected, self-describing Web APIs.**
+**Awesome web-browsable Web APIs.**
 
-Django REST framework is a lightweight library that makes it easy to build Web APIs.  It is designed as a modular and easy to customize architecture, based on Django's class based views.
+Django REST framework is a powerful and flexible toolkit that makes it easy to build Web APIs.
 
-Web APIs built using REST framework are fully self-describing and web browseable - a huge useability win for your developers.  It also supports a wide range of media types, authentication and permission policies out of the box.
+Some reasons you might want to use REST framework:
 
-If you are considering using REST framework for your API, we recommend reading the [REST framework 2 announcement][rest-framework-2-announcement] which gives a good overview of the framework and it's capabilities.
+* The Web browseable API is a huge useability win for your developers.
+* Authentication policies including OAuth1a and OAuth2 out of the box.
+* Serialization that supports both ORM and non-ORM data sources.
+* Customizable all the way down - just use regular function-based views if you don't need the more powerful features.
+* Extensive documentation, and great community support.
 
-There is also a sandbox API you can use for testing purposes, [available here][sandbox].
+There is a live example API for testing purposes, [available here][sandbox].
 
-**Below**: *Screenshot from the browseable API*
+**Below**: *Screenshot from the browsable API*
 
 ![Screenshot][image]
 
@@ -32,26 +36,26 @@ REST framework requires the following:
 
 The following packages are optional:
 
-* [Markdown][markdown] (2.1.0+) - Markdown support for the browseable API.
+* [Markdown][markdown] (2.1.0+) - Markdown support for the browsable API.
 * [PyYAML][yaml] (3.10+) - YAML content-type support.
 * [defusedxml][defusedxml] (0.3+) - XML content-type support.
 * [django-filter][django-filter] (0.5.4+) - Filtering support.
+* [django-oauth-plus][django-oauth-plus] (2.0+) and [oauth2][oauth2] (1.5.211+) - OAuth 1.0a support.
+* [django-oauth2-provider][django-oauth2-provider] (0.2.3+) - OAuth 2.0 support.
+
+**Note**: The `oauth2` python package is badly misnamed, and actually provides OAuth 1.0a support.  Also note that packages required for both OAuth 1.0a, and OAuth 2.0 are not yet Python 3 compatible.
 
 ## Installation
 
 Install using `pip`, including any optional packages you want...
 
     pip install djangorestframework
-    pip install markdown  # Markdown support for the browseable API.
-    pip install pyyaml    # YAML content-type support.
+    pip install markdown       # Markdown support for the browsable API.
     pip install django-filter  # Filtering support
 
 ...or clone the project from github.
 
     git clone git@github.com:tomchristie/django-rest-framework.git
-    cd django-rest-framework
-    pip install -r requirements.txt
-    pip install -r optionals.txt
 
 Add `'rest_framework'` to your `INSTALLED_APPS` setting.
 
@@ -60,7 +64,7 @@ Add `'rest_framework'` to your `INSTALLED_APPS` setting.
         'rest_framework',        
     )
 
-If you're intending to use the browseable API you'll probably also want to add REST framework's login and logout views.  Add the following to your root `urls.py` file.
+If you're intending to use the browsable API you'll probably also want to add REST framework's login and logout views.  Add the following to your root `urls.py` file.
 
     urlpatterns = patterns('',
         ...
@@ -69,9 +73,60 @@ If you're intending to use the browseable API you'll probably also want to add R
 
 Note that the URL path can be whatever you want, but you must include `'rest_framework.urls'` with the `'rest_framework'` namespace.
 
+## Example
+
+Let's take a look at a quick example of using REST framework to build a simple model-backed API.
+
+We'll create a read-write API for accessing users and groups.
+
+Any global settings for a REST framework API are kept in a single configuration dictionary named `REST_FRAMEWORK`.  Start off by adding the following to your `settings.py` module:
+
+    REST_FRAMEWORK = {
+        # Use hyperlinked styles by default.
+        # Only used if the `serializer_class` attribute is not set on a view.
+        'DEFAULT_MODEL_SERIALIZER_CLASS':
+            'rest_framework.serializers.HyperlinkedModelSerializer',
+
+        # Use Django's standard `django.contrib.auth` permissions,
+        # or allow read-only access for unauthenticated users.
+        'DEFAULT_PERMISSION_CLASSES': [
+            'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly'
+        ]
+    }
+
+Don't forget to make sure you've also added `rest_framework` to your `INSTALLED_APPS`.
+
+We're ready to create our API now.
+Here's our project's root `urls.py` module:
+
+    from django.conf.urls.defaults import url, patterns, include
+    from django.contrib.auth.models import User, Group
+    from rest_framework import viewsets, routers
+
+    # ViewSets define the view behavior.
+    class UserViewSet(viewsets.ModelViewSet):
+        model = User
+
+    class GroupViewSet(viewsets.ModelViewSet):
+        model = Group
+
+    
+    # Routers provide an easy way of automatically determining the URL conf
+    router = routers.DefaultRouter()
+    router.register(r'users', UserViewSet)
+    router.register(r'groups', GroupViewSet)
+
+
+    # Wire up our API using automatic URL routing.
+    # Additionally, we include login URLs for the browseable API.
+    urlpatterns = patterns('',
+        url(r'^', include(router.urls)),
+        url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework'))
+    )
+
 ## Quickstart
 
-Can't wait to get started?  The [quickstart guide][quickstart] is the fastest way to get up and running with REST framework.
+Can't wait to get started?  The [quickstart guide][quickstart] is the fastest way to get up and running, and building APIs with REST framework.
 
 ## Tutorial
 
@@ -82,6 +137,7 @@ The tutorial will walk you through the building blocks that make up REST framewo
 * [3 - Class based views][tut-3]
 * [4 - Authentication & permissions][tut-4]
 * [5 - Relationships & hyperlinked APIs][tut-5]
+* [6 - Viewsets & routers][tut-6]
 
 ## API Guide
 
@@ -91,6 +147,8 @@ The API guide is your complete reference manual to all the functionality provide
 * [Responses][response]
 * [Views][views]
 * [Generic views][generic-views]
+* [Viewsets][viewsets]
+* [Routers][routers]
 * [Parsers][parsers]
 * [Renderers][renderers]
 * [Serializers][serializers]
@@ -118,6 +176,7 @@ General guides to using REST framework.
 * [REST, Hypermedia & HATEOAS][rest-hypermedia-hateoas]
 * [2.0 Announcement][rest-framework-2-announcement]
 * [2.2 Announcement][2.2-announcement]
+* [2.3 Announcement][2.3-announcement]
 * [Release Notes][release-notes]
 * [Credits][credits]
 
@@ -133,6 +192,10 @@ Run the tests:
 
     ./rest_framework/runtests/runtests.py
 
+To run the tests against all supported configurations, first install [the tox testing tool][tox] globally, using `pip install tox`, then simply run `tox`: 
+
+    tox
+
 ## Support
 
 For support please see the [REST framework discussion group][group], try the  `#restframework` channel on `irc.freenode.net`, or raise a  question on [Stack Overflow][stack-overflow], making sure to include the ['django-rest-framework'][django-rest-framework-tag] tag.
@@ -176,6 +239,9 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 [yaml]: http://pypi.python.org/pypi/PyYAML
 [defusedxml]: https://pypi.python.org/pypi/defusedxml
 [django-filter]: http://pypi.python.org/pypi/django-filter
+[oauth2]: https://github.com/simplegeo/python-oauth2
+[django-oauth-plus]: https://bitbucket.org/david/django-oauth-plus/wiki/Home
+[django-oauth2-provider]: https://github.com/caffeinehit/django-oauth2-provider
 [0.4]: https://github.com/tomchristie/django-rest-framework/tree/0.4.X
 [image]: img/quickstart.png
 [sandbox]: http://restframework.herokuapp.com/
@@ -186,11 +252,14 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 [tut-3]: tutorial/3-class-based-views.md
 [tut-4]: tutorial/4-authentication-and-permissions.md
 [tut-5]: tutorial/5-relationships-and-hyperlinked-apis.md
+[tut-6]: tutorial/6-viewsets-and-routers.md
 
 [request]: api-guide/requests.md
 [response]: api-guide/responses.md
 [views]: api-guide/views.md
 [generic-views]: api-guide/generic-views.md
+[viewsets]: api-guide/viewsets.md
+[routers]: api-guide/routers.md
 [parsers]: api-guide/parsers.md
 [renderers]: api-guide/renderers.md
 [serializers]: api-guide/serializers.md
@@ -215,9 +284,12 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 [contributing]: topics/contributing.md
 [rest-framework-2-announcement]: topics/rest-framework-2-announcement.md
 [2.2-announcement]: topics/2.2-announcement.md
+[2.3-announcement]: topics/2.3-announcement.md
 [release-notes]: topics/release-notes.md
 [credits]: topics/credits.md
 
+[tox]: http://testrun.org/tox/latest/
+
 [group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework
 [stack-overflow]: http://stackoverflow.com/
 [django-rest-framework-tag]: http://stackoverflow.com/questions/tagged/django-rest-framework

docs/template.html

@@ -2,11 +2,11 @@
 <html lang="en">
 <head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     <meta charset="utf-8">
-    <title>Django REST framework</title>
+    <title>{{ title }}</title>
     <link href="{{ base_url }}/img/favicon.ico" rel="icon" type="image/x-icon">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <meta name="description" content="">
-    <meta name="author" content="">
+    <meta name="description" content="{{ description }}">
+    <meta name="author" content="Tom Christie">
 
     <!-- Le styles -->
     <link href="{{ base_url }}/css/prettify.css" rel="stylesheet">
@@ -41,6 +41,9 @@
       <div class="navbar-inner">
         <div class="container-fluid">
             <a class="repo-link btn btn-primary btn-small" href="https://github.com/tomchristie/django-rest-framework/tree/master">GitHub</a>
+            <a class="repo-link btn btn-inverse btn-small {{ next_url_disabled }}" href="{{ next_url }}">Next <i class="icon-arrow-right icon-white"></i></a>
+            <a class="repo-link btn btn-inverse btn-small {{ prev_url_disabled }}" href="{{ prev_url }}"><i class="icon-arrow-left icon-white"></i> Previous</a>
+            <a class="repo-link btn btn-inverse btn-small" href="#searchModal" data-toggle="modal"><i class="icon-search icon-white"></i> Search</a>
           <a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
             <span class="icon-bar"></span>
             <span class="icon-bar"></span>
@@ -59,6 +62,7 @@
                   <li><a href="{{ base_url }}/tutorial/3-class-based-views{{ suffix }}">3 - Class based views</a></li>
                   <li><a href="{{ base_url }}/tutorial/4-authentication-and-permissions{{ suffix }}">4 - Authentication and permissions</a></li>
                   <li><a href="{{ base_url }}/tutorial/5-relationships-and-hyperlinked-apis{{ suffix }}">5 - Relationships and hyperlinked APIs</a></li>
+                  <li><a href="{{ base_url }}/tutorial/6-viewsets-and-routers{{ suffix }}">6 - Viewsets and routers</a></li>
                 </ul>
               </li>
               <li class="dropdown">
@@ -68,6 +72,8 @@
                   <li><a href="{{ base_url }}/api-guide/responses{{ suffix }}">Responses</a></li>
                   <li><a href="{{ base_url }}/api-guide/views{{ suffix }}">Views</a></li>
                   <li><a href="{{ base_url }}/api-guide/generic-views{{ suffix }}">Generic views</a></li>
+                  <li><a href="{{ base_url }}/api-guide/viewsets{{ suffix }}">Viewsets</a></li>
+                  <li><a href="{{ base_url }}/api-guide/routers{{ suffix }}">Routers</a></li>
                   <li><a href="{{ base_url }}/api-guide/parsers{{ suffix }}">Parsers</a></li>
                   <li><a href="{{ base_url }}/api-guide/renderers{{ suffix }}">Renderers</a></li>
                   <li><a href="{{ base_url }}/api-guide/serializers{{ suffix }}">Serializers</a></li>
@@ -95,6 +101,7 @@
                   <li><a href="{{ base_url }}/topics/rest-hypermedia-hateoas{{ suffix }}">REST, Hypermedia & HATEOAS</a></li>
                   <li><a href="{{ base_url }}/topics/rest-framework-2-announcement{{ suffix }}">2.0 Announcement</a></li>
                   <li><a href="{{ base_url }}/topics/2.2-announcement{{ suffix }}">2.2 Announcement</a></li>
+                  <li><a href="{{ base_url }}/topics/2.3-announcement{{ suffix }}">2.3 Announcement</a></li>
                   <li><a href="{{ base_url }}/topics/release-notes{{ suffix }}">Release Notes</a></li>
                   <li><a href="{{ base_url }}/topics/credits{{ suffix }}">Credits</a></li>
                 </ul>
@@ -118,6 +125,34 @@
 
     <div class="body-content">
       <div class="container-fluid">
+
+<!-- Search Modal -->
+<div id="searchModal" class="modal hide fade" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
+  <div class="modal-header">
+    <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
+    <h3 id="myModalLabel">Documentation search</h3>
+  </div>
+  <div class="modal-body">
+    <!-- Custom google search -->
+    <script>
+      (function() {
+        var cx = '015016005043623903336:rxraeohqk6w';
+        var gcse = document.createElement('script');
+        gcse.type = 'text/javascript';
+        gcse.async = true;
+        gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
+            '//www.google.com/cse/cse.js?cx=' + cx;
+        var s = document.getElementsByTagName('script')[0];
+        s.parentNode.insertBefore(gcse, s);
+      })();
+    </script>
+    <gcse:search></gcse:search>
+  </div>
+  <div class="modal-footer">
+    <button class="btn" data-dismiss="modal" aria-hidden="true">Close</button>
+  </div>
+</div>
+
         <div class="row-fluid">
 
           <div class="span3">

docs/topics/browsable-api.md

@@ -60,6 +60,17 @@ All of the [Bootstrap components][bcomponents] are available.
 
 The browsable API makes use of the Bootstrap tooltips component. Any element with the `js-tooltip` class and a `title` attribute has that title content displayed in a tooltip on hover after a 1000ms delay.
 
+### Login Template
+
+To add branding and customize the look-and-feel of the auth login template, create a template called `login.html` and add it to your project, eg: `templates/rest_framework/login.html`, that extends the `rest_framework/base_login.html` template.
+
+You can add your site name or branding by including the branding block:
+
+    {% block branding %}
+        <h3 style="margin: 0 0 20px;">My Site Name</h3>
+    {% endblock %}
+    
+You can also customize the style by adding the `bootstrap_theme` or `style` block similar to `api.html`.
 
 ### Advanced Customization
 

docs/topics/browser-enhancements.md

@@ -19,6 +19,21 @@ For example, given the following form:
 
 `request.method` would return `"DELETE"`.
 
+## HTTP header based method overriding
+
+REST framework also supports method overriding via the semi-standard `X-HTTP-Method-Override` header. This can be useful if you are working with non-form content such as JSON and are working with an older web server and/or hosting provider that doesn't recognise particular HTTP methods such as `PATCH`. For example [Amazon Web Services ELB][aws_elb].
+
+To use it, make a `POST` request, setting the `X-HTTP-Method-Override` header.
+
+For example, making a `PATCH` request via `POST` in jQuery:
+
+	$.ajax({
+		url: '/myresource/',
+		method: 'POST',
+		headers: {'X-HTTP-Method-Override': 'PATCH'},
+		...
+	});
+
 ## Browser based submission of non-form content
 
 Browser-based submission of content types other than form are supported by
@@ -62,3 +77,4 @@ as well as how to support content types other than form-encoded data.
 [rails]: http://guides.rubyonrails.org/form_helpers.html#how-do-forms-with-put-or-delete-methods-work
 [html5]: http://www.w3.org/TR/html5-diff/#changes-2010-06-24
 [put_delete]: http://amundsen.com/examples/put-delete-forms/
+[aws_elb]: https://forums.aws.amazon.com/thread.jspa?messageID=400724

docs/topics/contributing.md

@@ -4,12 +4,138 @@
 >
 > — [Tim Berners-Lee][cite]
 
-## Running the tests
+There are many ways you can contribute to Django REST framework.  We'd like it to be a community-led project, so please get involved and help shape the future of the project.
 
-## Building the docs
+# Community
 
-## Managing compatibility issues
+If you use and enjoy REST framework please consider [staring the project on GitHub][github], and [upvoting it on Django packages][django-packages].  Doing so helps potential new users see that the project is well used, and help us continue to attract new users.
 
-**Describe compat module**
+You might also consider writing a blog post on your experience with using REST framework, writing a tutorial about using the project with a particular javascript framework, or simply sharing the love on Twitter.
+
+Other really great ways you can help move the community forward include helping answer questions on the [discussion group][google-group], or setting up an [email alert on StackOverflow][so-filter] so that you get notified of any new questions with the `django-rest-framework` tag.
+
+When answering questions make sure to help future contributors find their way around by hyperlinking wherever possible to related threads and tickets, and include backlinks from those items if relevant. 
+
+# Issues
+
+It's really helpful if you make sure you address issues to the correct channel.  Usage questions should be directed to the [discussion group][google-group].  Feature requests, bug reports and other issues should be raised on the GitHub [issue tracker][issues].
+
+Some tips on good issue reporting:
+
+* When decribing issues try to phrase your ticket in terms of the *behavior* you think needs changing rather than the *code* you think need changing.
+* Search the issue list first for related items, and make sure you're running the latest version of REST framework before reporting an issue.
+* If reporting a bug, then try to include a pull request with a failing test case.  This'll help us quickly identify if there is a valid issue, and make sure that it gets fixed more quickly if there is one. 
+
+
+
+* TODO: Triage
+
+# Development
+
+* git clone & PYTHONPATH
+* Pep8
+* Recommend editor that runs pep8
+
+### Pull requests
+
+* Make pull requests early
+* Describe branching
+
+### Managing compatibility issues
+
+* Describe compat module
+
+# Testing
+
+* Running the tests
+* tox
+
+# Documentation
+
+The documentation for REST framework is built from the [Markdown][markdown] source files in [the docs directory][docs].
+
+There are many great markdown editors that make working with the documentation really easy.  The [Mou editor for Mac][mou] is one such editor that comes highly recommended.
+
+## Building the documentation
+
+To build the documentation, simply run the `mkdocs.py` script.
+
+    ./mkdocs.py
+
+This will build the html output into the `html` directory.
+
+You can build the documentation and open a preview in a browser window by using the `-p` flag.
+
+    ./mkdocs.py -p
+
+## Language style
+
+Documentation should be in American English.  The tone of the documentation is very important - try to stick to a simple, plain, objective and well-balanced style where possible.
+
+Some other tips:
+
+* Keep paragraphs reasonably short.
+* Use double spacing after the end of sentences.
+* Don't use the abbreviations such as 'e.g..' but instead use long form, such as 'For example'.
+
+## Markdown style
+
+There are a couple of conventions you should follow when working on the documentation.
+
+##### 1. Headers
+
+Headers should use the hash style.  For example:
+
+    ### Some important topic
+    
+The underline style should not be used.  **Don't do this:** 
+
+    Some important topic
+    ====================
+
+##### 2. Links
+
+Links should always use the reference style, with the referenced hyperlinks kept at the end of the document.
+
+    Here is a link to [some other thing][other-thing].
+    
+    More text...
+    
+    [other-thing]: http://example.com/other/thing
+
+This style helps keep the documentation source consistent and readable.
+
+If you are hyperlinking to another REST framework document, you should use a relative link, and link to the `.md` suffix.  For example:
+
+    [authentication]: ../api-guide/authentication.md
+
+Linking in this style means you'll be able to click the hyperlink in your markdown editor to open the referenced document.  When the documentation is built, these links will be converted into regular links to HTML pages.
+
+##### 3. Notes
+
+If you want to draw attention to a note or warning, use a pair of enclosing lines, like so:
+
+    ---
+    
+    **Note:** Make sure you do this thing.
+    
+    ---
+
+# Third party packages
+
+* Django reusable app
+
+# Core committers
+
+* Still use pull reqs
+* Credits
 
 [cite]: http://www.w3.org/People/Berners-Lee/FAQ.html
+[github]: https://github.com/tomchristie/django-rest-framework
+[django-packages]: https://www.djangopackages.com/grids/g/api/
+[google-group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework
+[so-filter]: http://stackexchange.com/filters/66475/rest-framework
+[issues]: https://github.com/tomchristie/django-rest-framework/issues?state=open
+[markdown]: http://daringfireball.net/projects/markdown/basics
+[docs]: https://github.com/tomchristie/django-rest-framework/tree/master/docs
+[mou]: http://mouapp.com/

docs/topics/credits.md

@@ -107,6 +107,23 @@ The following people have helped make REST framework great.
 * Ryan Detzel - [ryanrdetzel]
 * Omer Katz - [thedrow]
 * Wiliam Souza - [waa]
+* Jonas Braun - [iekadou]
+* Ian Dash - [bitmonkey]
+* Bouke Haarsma - [bouke]
+* Pierre Dulac - [dulaccc]
+* Dave Kuhn - [kuhnza]
+* Sitong Peng - [stoneg]
+* Victor Shih - [vshih]
+* Atle Frenvik Sveen - [atlefren]
+* J Paul Reed - [preed]
+* Matt Majewski - [forgingdestiny]
+* Jerome Chen - [chenjyw]
+* Andrew Hughes - [eyepulp]
+* Daniel Hepper - [dhepper]
+* Hamish Campbell - [hamishcampbell]
+* Marlon Bailey - [avinash240]
+* James Summerfield - [jsummerfield]
+* Andy Freeland - [rouge8]
 
 Many thanks to everyone who's contributed to the project.
 
@@ -120,7 +137,7 @@ Continuous integration testing is managed with [Travis CI][travis-ci].
 
 The [live sandbox][sandbox] is hosted on [Heroku].
 
-Various inspiration taken from the [Piston], [Tastypie] and [Dagny] projects.
+Various inspiration taken from the [Rails], [Piston], [Tastypie], [Dagny] and [django-viewsets] projects.
 
 Development of REST framework 2.0 was sponsored by [DabApps].
 
@@ -135,9 +152,11 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
 [markdown]: http://daringfireball.net/projects/markdown/
 [github]: https://github.com/tomchristie/django-rest-framework
 [travis-ci]: https://secure.travis-ci.org/tomchristie/django-rest-framework
+[rails]: http://rubyonrails.org/
 [piston]: https://bitbucket.org/jespern/django-piston
 [tastypie]: https://github.com/toastdriven/django-tastypie
 [dagny]: https://github.com/zacharyvoase/dagny
+[django-viewsets]: https://github.com/BertrandBordage/django-viewsets
 [dabapps]: http://lab.dabapps.com
 [sandbox]: http://restframework.herokuapp.com/
 [heroku]: http://www.heroku.com/
@@ -248,3 +267,20 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
 [ryanrdetzel]: https://github.com/ryanrdetzel
 [thedrow]: https://github.com/thedrow
 [waa]: https://github.com/wiliamsouza
+[iekadou]: https://github.com/iekadou
+[bitmonkey]: https://github.com/bitmonkey
+[bouke]: https://github.com/bouke
+[dulaccc]: https://github.com/dulaccc
+[kuhnza]: https://github.com/kuhnza
+[stoneg]: https://github.com/stoneg
+[vshih]: https://github.com/vshih
+[atlefren]: https://github.com/atlefren
+[preed]: https://github.com/preed
+[forgingdestiny]: https://github.com/forgingdestiny
+[chenjyw]: https://github.com/chenjyw
+[eyepulp]: https://github.com/eyepulp
+[dhepper]: https://github.com/dhepper
+[hamishcampbell]: https://github.com/hamishcampbell
+[avinash240]: https://github.com/avinash240
+[jsummerfield]: https://github.com/jsummerfield
+[rouge8]: https://github.com/rouge8

docs/topics/migration.md

-# 2.0 Migration Guide
-
-> Move fast and break things
->
-> — Mark Zuckerberg, [the Hacker Way][cite].
-
-REST framework 2.0 introduces a radical redesign of the core components, and a large number of backwards breaking changes.
-
-### Serialization redesign.
-
-REST framework's serialization and deserialization previously used a slightly odd combination of serializers for output, and Django Forms and Model Forms for input.  The serialization core has been completely redesigned based on work that was originally intended for Django core.
-
-2.0's form-like serializers comprehensively address those issues, and are a much more flexible and clean solution to the problems around accepting both form-based and non-form based inputs.
-
-### Generic views improved.
-
-When REST framework 0.1 was released the current Django version was 1.2.  REST framework included a backport of the Django 1.3's upcoming `View` class, but it didn't take full advantage of the generic view implementations.
-
-As of 2.0 the generic views in REST framework tie in much more cleanly and obviously with Django's existing codebase, and the mixin architecture is radically simplified.
-
-### Cleaner request-response cycle.
-
-REST framework 2.0's request-response cycle is now much less complex.
-
-* Responses inherit from `SimpleTemplateResponse`, allowing rendering to be delegated to the response, not handled by the view.
-* Requests extend the regular `HttpRequest`, allowing authentication and parsing to be delegated to the request, not handled by the view.
-
-### Renamed attributes & classes.
-
-Various attributes and classes have been renamed in order to fit in better with Django's conventions.
-
-## Example: Blog Posts API
-
-Let's take a look at an example from the REST framework 0.4 documentation...
-
-    from djangorestframework.resources import ModelResource
-    from djangorestframework.reverse import reverse
-    from blogpost.models import BlogPost, Comment
-
-
-    class BlogPostResource(ModelResource):
-        """
-        A Blog Post has a *title* and *content*, and can be associated
-        with zero or more comments.
-        """
-        model = BlogPost
-        fields = ('created', 'title', 'slug', 'content', 'url', 'comments')
-        ordering = ('-created',)
-
-        def url(self, instance):
-            return reverse('blog-post',
-                            kwargs={'key': instance.key},
-                            request=self.request)
-
-        def comments(self, instance):
-            return reverse('comments',
-                           kwargs={'blogpost': instance.key},
-                           request=self.request)
-
-
-    class CommentResource(ModelResource):
-        """
-        A Comment is associated with a given Blog Post and has a
-        *username* and *comment*, and optionally a *rating*.
-        """
-        model = Comment
-        fields = ('username', 'comment', 'created', 'rating', 'url', 'blogpost')
-        ordering = ('-created',)
-
-        def blogpost(self, instance):
-            return reverse('blog-post',
-                           kwargs={'key': instance.blogpost.key},
-                           request=self.request)
-
-There's a bit of a mix of concerns going on there.  We've got some information about how the data should be serialized, such as the `fields` attribute, and some information about how it should be retrieved from the database - the `ordering` attribute.
-
-Let's start to re-write this for REST framework 2.0.
-
-    from rest_framework import serializers
-
-    class BlogPostSerializer(serializers.HyperlinkedModelSerializer):
-        model = BlogPost
-        fields = ('created', 'title', 'slug', 'content', 'url', 'comments')
-
-    class CommentSerializer(serializers.HyperlinkedModelSerializer):
-        model = Comment
-        fields = ('username', 'comment', 'created', 'rating', 'url', 'blogpost')
-
-[cite]: http://www.wired.com/business/2012/02/zuck-letter/

docs/topics/release-notes.md

@@ -38,23 +38,122 @@ You can determine your currently installed version using `pip freeze`:
 
 ---
 
-## 2.2.x series
+## 2.3.x series
 
 ### Master
 
-* Request authentication is no longer lazily evaluated, instead authentication is always run, which results in more consistent, obvious behavior.  Eg. Supplying bad auth credentials will now always return an error response, even if no permissions are set on the view.
+* Bugfix: HyperlinkedIdentityField now uses `lookup_field` kwarg.
+
+### 2.3.2
+
+**Date**: 16th May 2013
+
+* Added SearchFilter
+* Added OrderingFilter
+* Added GenericViewSet
+* Bugfix: Multiple `@action` and `@link` methods now allowed on viewsets. 
+* Bugfix: Fix API Root view issue with DjangoModelPermissions
+
+### 2.3.2
+
+**Date**: 8th May 2013
+
+* Bugfix: Fix `TIME_FORMAT`, `DATETIME_FORMAT` and `DATE_FORMAT` settings.
+* Bugfix: Fix `DjangoFilterBackend` issue, failing when used on view with queryset attribute.
+
+### 2.3.1
+
+**Date**: 7th May 2013
+
+* Bugfix: Fix breadcrumb rendering issue.
+
+### 2.3.0
+
+**Date**: 7th May 2013
+
+* ViewSets and Routers.
+* ModelSerializers support reverse relations in 'fields' option.
+* HyperLinkedModelSerializers support 'id' field in 'fields' option.
+* Cleaner generic views.
+* Support for multiple filter classes.
+* FileUploadParser support for raw file uploads.
+* DecimalField support.
+* Made Login template easier to restyle.
+* Bugfix: Fix issue with depth>1 on ModelSerializer.
+
+**Note**: See the [2.3 announcement][2.3-announcement] for full details.
+
+---
+
+## 2.2.x series
+
+### 2.2.7
+
+**Date**: 17th April 2013
+
+* Loud failure when view does not return a `Response` or `HttpResponse`.
+* Bugfix: Fix for Django 1.3 compatiblity.
+* Bugfix: Allow overridden `get_object()` to work correctly.
+
+### 2.2.6
+
+**Date**: 4th April 2013
+
+* OAuth2 authentication no longer requires unneccessary URL parameters in addition to the token.
+* URL hyperlinking in browsable API now handles more cases correctly.
+* Long HTTP headers in browsable API are broken in multiple lines when possible.
+* Bugfix: Fix regression with DjangoFilterBackend not worthing correctly with single object views.
+* Bugfix: OAuth should fail hard when invalid token used.
+* Bugfix: Fix serializer potentially returning `None` object for models that define `__bool__` or `__len__`. 
+
+### 2.2.5
+
+**Date**: 26th March 2013
+
+* Serializer support for bulk create and bulk update operations.
+* Regression fix: Date and time fields return date/time objects by default.  Fixes regressions caused by 2.2.2.  See [#743][743] for more details.
+* Bugfix: Fix 500 error is OAuth not attempted with OAuthAuthentication class installed.
+* `Serializer.save()` now supports arbitrary keyword args which are passed through to the object `.save()` method.  Mixins use `force_insert` and `force_update` where appropriate, resulting in one less database query.
+
+### 2.2.4
+
+**Date**: 13th March 2013
+
+* OAuth 2 support.
+* OAuth 1.0a support.
+* Support X-HTTP-Method-Override header.
+* Filtering backends are now applied to the querysets for object lookups as well as lists.  (Eg you can use a filtering backend to control which objects should 404)
+* Deal with error data nicely when deserializing lists of objects.
+* Extra override hook to configure `DjangoModelPermissions` for unauthenticated users.
+* Bugfix: Fix regression which caused extra database query on paginated list views.
+* Bugfix: Fix pk relationship bug for some types of 1-to-1 relations.
+* Bugfix: Workaround for Django bug causing case where `Authtoken` could be registered for cascade delete from `User` even if not installed.
+
+### 2.2.3
+
+**Date**: 7th March 2013
+
+* Bugfix: Fix None values for for `DateField`, `DateTimeField` and `TimeField`.
+
+### 2.2.2
+
+**Date**: 6th March 2013
+
+* Support for custom input and output formats for `DateField`, `DateTimeField` and `TimeField`.
+* Cleanup: Request authentication is no longer lazily evaluated, instead authentication is always run, which results in more consistent, obvious behavior.  Eg. Supplying bad auth credentials will now always return an error response, even if no permissions are set on the view.
 * Bugfix for serializer data being uncacheable with pickle protocol 0.
 * Bugfixes for model field validation edge-cases.
+* Bugfix for authtoken migration while using a custom user model and south.
 
 ### 2.2.1
 
 **Date**: 22nd Feb 2013
 
 * Security fix: Use `defusedxml` package to address XML parsing vulnerabilities.
-* Raw data tab added to browseable API.  (Eg. Allow for JSON input.)
+* Raw data tab added to browsable API.  (Eg. Allow for JSON input.)
 * Added TimeField.
 * Serializer fields can be mapped to any method that takes no args, or only takes kwargs which have defaults.
-* Unicode support for view names/descriptions in browseable API.
+* Unicode support for view names/descriptions in browsable API.
 * Bugfix: request.DATA should return an empty `QueryDict` with no data, not `None`.
 * Bugfix: Remove unneeded field validation, which caused extra queries.
 
@@ -151,14 +250,14 @@ This change will not affect user code, so long as it's following the recommended
 **Date**: 21st Dec 2012
 
 * Bugfix: Fix bug that could occur using ChoiceField.
-* Bugfix: Fix exception in browseable API on DELETE.
+* Bugfix: Fix exception in browsable API on DELETE.
 * Bugfix: Fix issue where pk was was being set to a string if set by URL kwarg.
 
 ### 2.1.11
 
 **Date**: 17th Dec 2012
 
-* Bugfix: Fix issue with M2M fields in browseable API.
+* Bugfix: Fix issue with M2M fields in browsable API.
 
 ### 2.1.10
 
@@ -254,7 +353,7 @@ This change will not affect user code, so long as it's following the recommended
 * Hyperlinked related fields optionally take `slug_field` and `slug_url_kwarg` arguments.
 * Support Django's cache framework.
 * Minor field improvements. (Don't stringify dicts, more robust many-pk fields.)
-* Bugfix: Support choice field in Browseable API.
+* Bugfix: Support choice field in Browsable API.
 * Bugfix: Related fields with `read_only=True` do not require a `queryset` argument.
 
 **API-incompatible changes**: Please read [this thread][2.1.0-notes] regarding the `instance` and `data` keyword args before updating to 2.1.0.
@@ -406,6 +505,8 @@ This change will not affect user code, so long as it's following the recommended
 [django-deprecation-policy]: https://docs.djangoproject.com/en/dev/internals/release-process/#internal-release-deprecation-policy
 [defusedxml-announce]: http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
 [2.2-announcement]: 2.2-announcement.md
+[2.3-announcement]: 2.3-announcement.md
+[743]: https://github.com/tomchristie/django-rest-framework/pull/743
 [staticfiles14]: https://docs.djangoproject.com/en/1.4/howto/static-files/#with-a-template-tag
 [staticfiles13]: https://docs.djangoproject.com/en/1.3/howto/static-files/#with-a-template-tag
 [2.1.0-notes]: https://groups.google.com/d/topic/django-rest-framework/Vv2M0CMY9bg/discussion

docs/topics/rest-framework-2-announcement.md

@@ -62,19 +62,19 @@ REST framework 2 also allows you to work with both function-based and class-base
 
 Pretty much every aspect of REST framework has been reworked, with the aim of ironing out some of the design flaws of the previous versions.  Each of the components of REST framework are cleanly decoupled, and can be used independantly of each-other, and there are no monolithic resource classes, overcomplicated mixin combinations, or opinionated serialization or URL routing decisions.
 
-## The Browseable API
+## The Browsable API
 
 Django REST framework's most unique feature is the way it is able to serve up both machine-readable representations, and a fully browsable HTML representation to the same endpoints.
 
-Browseable Web APIs are easier to work with, visualize and debug, and generally makes it easier and more frictionless to inspect and work with.
+Browsable Web APIs are easier to work with, visualize and debug, and generally makes it easier and more frictionless to inspect and work with.
 
-With REST framework 2, the browseable API gets a snazzy new bootstrap-based theme that looks great and is even nicer to work with.
+With REST framework 2, the browsable API gets a snazzy new bootstrap-based theme that looks great and is even nicer to work with.
 
 There are also some functionality improvments - actions such as as `POST` and `DELETE` will only display if the user has the appropriate permissions.
 
-![Browseable API][image]
+![Browsable API][image]
 
-**Image above**: An example of the browseable API in REST framework 2
+**Image above**: An example of the browsable API in REST framework 2
 
 ## Documentation
 

docs/topics/rest-hypermedia-hateoas.md

@@ -26,7 +26,7 @@ REST framework is an agnostic Web API toolkit.  It does help guide you towards b
 
 ## What REST framework provides.
 
-It is self evident that REST framework makes it possible to build Hypermedia APIs.  The browseable API that it offers is built on HTML - the hypermedia language of the web.
+It is self evident that REST framework makes it possible to build Hypermedia APIs.  The browsable API that it offers is built on HTML - the hypermedia language of the web.
 
 REST framework also includes [serialization] and [parser]/[renderer] components that make it easy to build appropriate media types, [hyperlinked relations][fields] for building well-connected systems, and great support for [content negotiation][conneg].
 

docs/tutorial/1-serialization.md

@@ -126,7 +126,11 @@ The first thing we need to get started on our Web API is provide a way of serial
     
         def restore_object(self, attrs, instance=None):
             """
-            Create or update a new snippet instance.
+            Create or update a new snippet instance, given a dictionary
+            of deserialized field values.
+            
+            Note that if we don't define this method, then deserializing
+            data will simply return a dictionary of items.
             """
             if instance:
                 # Update existing instance
@@ -200,7 +204,7 @@ We can also serialize querysets instead of model instances.  To do so we simply
 
 ## Using ModelSerializers
 
-Our `SnippetSerializer` class is replicating a lot of information that's also contained in the `Snippet` model.  It would be nice if we could keep out code a bit  more concise.
+Our `SnippetSerializer` class is replicating a lot of information that's also contained in the `Snippet` model.  It would be nice if we could keep our code a bit  more concise.
 
 In the same way that Django provides both `Form` classes and `ModelForm` classes, REST framework includes both `Serializer` classes, and `ModelSerializer` classes.
 

docs/tutorial/2-requests-and-responses.md

@@ -8,7 +8,7 @@ Let's introduce a couple of essential building blocks.
 REST framework introduces a `Request` object that extends the regular `HttpRequest`, and provides more flexible request parsing.  The core functionality of the `Request` object is the `request.DATA` attribute, which is similar to `request.POST`, but more useful for working with Web APIs.
 
     request.POST  # Only handles form data.  Only works for 'POST' method.
-    request.DATA  # Handles arbitrary data.  Works any HTTP request with content.
+    request.DATA  # Handles arbitrary data.  Works for 'POST', 'PUT' and 'PATCH' methods.
 
 ## Response objects
 
@@ -140,7 +140,7 @@ We can control the format of the response that we get back, either by using the
 Or by appending a format suffix:
 
     curl http://127.0.0.1:8000/snippets/.json  # JSON suffix
-    curl http://127.0.0.1:8000/snippets/.api   # Browseable API suffix
+    curl http://127.0.0.1:8000/snippets/.api   # Browsable API suffix
 
 Similarly, we can control the format of the request that we send, using the `Content-Type` header.
 
@@ -160,9 +160,9 @@ Now go and open the API in a web browser, by visiting [http://127.0.0.1:8000/sni
 
 Because the API chooses the content type of the response based on the client request, it will, by default, return an HTML-formatted representation of the resource when that resource is requested by a web browser. This allows for the API to return a fully web-browsable HTML representation.
 
-Having a web-browseable API is a huge usability win, and makes developing and using your API much easier.  It also dramatically lowers the barrier-to-entry for other developers wanting to inspect and work with your API.
+Having a web-browsable API is a huge usability win, and makes developing and using your API much easier.  It also dramatically lowers the barrier-to-entry for other developers wanting to inspect and work with your API.
 
-See the [browsable api][browseable-api] topic for more information about the browsable API feature and how to customize it.
+See the [browsable api][browsable-api] topic for more information about the browsable API feature and how to customize it.
 
 ## What's next?
 
@@ -170,6 +170,6 @@ In [tutorial part 3][tut-3], we'll start using class based views, and see how ge
 
 [json-url]: http://example.com/api/items/4.json
 [devserver]: http://127.0.0.1:8000/snippets/
-[browseable-api]: ../topics/browsable-api.md
+[browsable-api]: ../topics/browsable-api.md
 [tut-1]: 1-serialization.md
 [tut-3]: 3-class-based-views.md

docs/tutorial/3-class-based-views.md

@@ -92,8 +92,8 @@ Let's take a look at how we can compose our views by using the mixin classes.
 
     class SnippetList(mixins.ListModelMixin,
                       mixins.CreateModelMixin,
-                      generics.MultipleObjectAPIView):
-        model = Snippet
+                      generics.GenericAPIView):
+        queryset = Snippet.objects.all()
         serializer_class = SnippetSerializer
 
         def get(self, request, *args, **kwargs):
@@ -102,15 +102,15 @@ Let's take a look at how we can compose our views by using the mixin classes.
         def post(self, request, *args, **kwargs):
             return self.create(request, *args, **kwargs)
 
-We'll take a moment to examine exactly what's happening here. We're building our view using `MultipleObjectAPIView`, and adding in `ListModelMixin` and `CreateModelMixin`.
+We'll take a moment to examine exactly what's happening here. We're building our view using `GenericAPIView`, and adding in `ListModelMixin` and `CreateModelMixin`.
 
 The base class provides the core functionality, and the mixin classes provide the `.list()` and `.create()` actions.  We're then explicitly binding the `get` and `post` methods to the appropriate actions.  Simple enough stuff so far.
 
     class SnippetDetail(mixins.RetrieveModelMixin,
                         mixins.UpdateModelMixin,
                         mixins.DestroyModelMixin,
-                        generics.SingleObjectAPIView):
-        model = Snippet
+                        generics.GenericAPIView):
+        queryset = Snippet.objects.all()
         serializer_class = SnippetSerializer
 
         def get(self, request, *args, **kwargs):
@@ -122,7 +122,7 @@ The base class provides the core functionality, and the mixin classes provide th
         def delete(self, request, *args, **kwargs):
             return self.destroy(request, *args, **kwargs)
 
-Pretty similar.  This time we're using the `SingleObjectAPIView` class to provide the core functionality, and adding in mixins to provide the `.retrieve()`, `.update()` and `.destroy()` actions.
+Pretty similar.  Again we're using the `GenericAPIView` class to provide the core functionality, and adding in mixins to provide the `.retrieve()`, `.update()` and `.destroy()` actions.
 
 ## Using generic class based views
 
@@ -134,12 +134,12 @@ Using the mixin classes we've rewritten the views to use slightly less code than
 
 
     class SnippetList(generics.ListCreateAPIView):
-        model = Snippet
+        queryset = Snippet.objects.all()
         serializer_class = SnippetSerializer
 
 
     class SnippetDetail(generics.RetrieveUpdateDestroyAPIView):
-        model = Snippet
+        queryset = Snippet.objects.all()
         serializer_class = SnippetSerializer
 
 Wow, that's pretty concise.  We've gotten a huge amount for free, and our code looks like good, clean, idiomatic Django.

docs/tutorial/4-authentication-and-permissions.md

@@ -68,12 +68,12 @@ Because `'snippets'` is a *reverse* relationship on the User model, it will not
 We'll also add a couple of views.  We'd like to just use read-only views for the user representations, so we'll use the `ListAPIView` and `RetrieveAPIView` generic class based views.
 
     class UserList(generics.ListAPIView):
-        model = User
+        queryset = User.objects.all()
         serializer_class = UserSerializer
     
     
     class UserDetail(generics.RetrieveAPIView):
-        model = User
+        queryset = User.objects.all()
         serializer_class = UserSerializer
 
 Finally we need to add those views into the API, by referencing them from the URL conf.
@@ -118,17 +118,17 @@ Then, add the following property to **both** the `SnippetList` and `SnippetDetai
 
     permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
 
-## Adding login to the Browseable API
+## Adding login to the Browsable API
 
-If you open a browser and navigate to the browseable API at the moment, you'll find that you're no longer able to create new code snippets. In order to do so we'd need to be able to login as a user.
+If you open a browser and navigate to the browsable API at the moment, you'll find that you're no longer able to create new code snippets. In order to do so we'd need to be able to login as a user.
 
-We can add a login view for use with the browseable API, by editing our URLconf once more.
+We can add a login view for use with the browsable API, by editing our URLconf once more.
 
 Add the following import at the top of the file:
 
     from django.conf.urls import include
 
-And, at the end of the file, add a pattern to include the login and logout views for the browseable API.
+And, at the end of the file, add a pattern to include the login and logout views for the browsable API.
 
     urlpatterns += patterns('',
         url(r'^api-auth/', include('rest_framework.urls',
@@ -143,7 +143,7 @@ Once you've created a few code snippets, navigate to the '/users/' endpoint, and
 
 ## Object level permissions
 
-Really we'd like all code snippets to be visible to anyone, but also make sure that only the user that created a code snippet is able update or delete it.
+Really we'd like all code snippets to be visible to anyone, but also make sure that only the user that created a code snippet is able to update or delete it.
 
 To do that we're going to need to create a custom permission.
 
@@ -179,7 +179,7 @@ Now, if you open a browser again, you find that the 'DELETE' and 'PUT' actions o
 
 ## Authenticating with the API
 
-Because we now have a set of permissions on the API, we need to authenticate our requests to it if we want to edit any snippets.  We havn't set up any [authentication classes][authentication], so the defaults are currently applied, which are `SessionAuthentication` and `BasicAuthentication`.
+Because we now have a set of permissions on the API, we need to authenticate our requests to it if we want to edit any snippets.  We haven't set up any [authentication classes][authentication], so the defaults are currently applied, which are `SessionAuthentication` and `BasicAuthentication`.
 
 When we interact with the API through the web browser, we can login, and the browser session will then provide the required authentication for the requests.
 

docs/tutorial/5-relationships-and-hyperlinked-apis.md

-# Tutorial 5 - Relationships & Hyperlinked APIs
+# Tutorial 5: Relationships & Hyperlinked APIs
 
 At the moment relationships within our API are represented by using primary keys.  In this part of the tutorial we'll improve the cohesion and discoverability of our API, by instead using hyperlinking for relationships. 
 
@@ -34,8 +34,8 @@ Instead of using a concrete generic view, we'll use the base class for represent
     from rest_framework import renderers
     from rest_framework.response import Response
 
-    class SnippetHighlight(generics.SingleObjectAPIView):
-        model = Snippet
+    class SnippetHighlight(generics.GenericAPIView):
+        queryset = Snippet.objects.all()
         renderer_classes = (renderers.StaticHTMLRenderer,)
     
         def get(self, request, *args, **kwargs):
@@ -143,34 +143,16 @@ We can change the default list style to use pagination, by modifying our `settin
         'PAGINATE_BY': 10
     }
 
-Note that settings in REST framework are all namespaced into a single dictionary setting, named 'REST_FRAMEWORK', which helps keep them well seperated from your other project settings.
+Note that settings in REST framework are all namespaced into a single dictionary setting, named 'REST_FRAMEWORK', which helps keep them well separated from your other project settings.
 
 We could also customize the pagination style if we needed too, but in this case we'll just stick with the default.
 
-## Reviewing our work
+## Browsing the API
 
-If we open a browser and navigate to the browseable API, you'll find that you can now work your way around the API simply by following links.
+If we open a browser and navigate to the browsable API, you'll find that you can now work your way around the API simply by following links.
 
 You'll also be able to see the 'highlight' links on the snippet instances, that will take you to the highlighted code HTML representations.
 
-We've now got a complete pastebin Web API, which is fully web browseable, and comes complete with authentication, per-object permissions, and multiple renderer formats.
+In [part 6][tut-6] of the tutorial we'll look at how we can use ViewSets and Routers to reduce the amount of code we need to build our API.
 
-We've walked through each step of the design process, and seen how if we need to customize anything we can gradually work our way down to simply using regular Django views.
-
-You can review the final [tutorial code][repo] on GitHub, or try out a live example in [the sandbox][sandbox]. 
-
-## Onwards and upwards
-
-We've reached the end of our tutorial.  If you want to get more involved in the REST framework project, here's a few places you can start:
-
-* Contribute on [GitHub][github] by reviewing and submitting issues, and making pull requests.
-* Join the [REST framework discussion group][group], and help build the community.
-* Follow [the author][twitter] on Twitter and say hi.
-
-**Now go build awesome things.**
-
-[repo]: https://github.com/tomchristie/rest-framework-tutorial
-[sandbox]: http://restframework.herokuapp.com/
-[github]: https://github.com/tomchristie/django-rest-framework
-[group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework
-[twitter]: https://twitter.com/_tomchristie
+[tut-6]: 6-viewsets-and-routers.md

docs/tutorial/6-viewsets-and-routers.md

+# Tutorial 6 - ViewSets & Routers
+
+REST framework includes an abstraction for dealing with `ViewSets`, that allows the developer to concentrate on modeling the state and interactions of the API, and leave the URL construction to be handled automatically, based on common conventions.
+
+`ViewSet` classes are almost the same thing as `View` classes, except that they provide operations such as `read`, or `update`, and not method handlers such as `get` or `put`.
+
+A `ViewSet` class is only bound to a set of method handlers at the last moment, when it is instantiated into a set of views, typically by using a `Router` class which handles the complexities of defining the URL conf for you.
+
+## Refactoring to use ViewSets
+
+Let's take our current set of views, and refactor them into view sets.
+
+First of all let's refactor our `UserListView` and `UserDetailView` views into a single `UserViewSet`.  We can remove the two views, and replace then with a single class:
+
+    class UserViewSet(viewsets.ReadOnlyModelViewSet):
+        """
+        This viewset automatically provides `list` and `detail` actions.
+        """
+        queryset = User.objects.all()
+        serializer_class = UserSerializer
+
+Here we've used `ReadOnlyModelViewSet` class to automatically provide the default 'read-only' operations.  We're still setting the `queryset` and `serializer_class` attributes exactly as we did when we were using regular views, but we no longer need to provide the same information to two separate classes.
+
+Next we're going to replace the `SnippetList`, `SnippetDetail` and `SnippetHighlight` view classes.  We can remove the three views, and again replace them with a single class.
+
+    from rest_framework import viewsets
+    from rest_framework.decorators import link
+
+    class SnippetViewSet(viewsets.ModelViewSet):
+        """
+        This viewset automatically provides `list`, `create`, `retrieve`,
+        `update` and `destroy` actions.
+        
+        Additionally we also provide an extra `highlight` action. 
+        """
+        queryset = Snippet.objects.all()
+        serializer_class = SnippetSerializer
+        permission_classes = (permissions.IsAuthenticatedOrReadOnly,
+                              IsOwnerOrReadOnly,)
+
+        @link(renderer_classes=[renderers.StaticHTMLRenderer])
+        def highlight(self, request, *args, **kwargs):
+            snippet = self.get_object()
+            return Response(snippet.highlighted)
+
+        def pre_save(self, obj):
+            obj.owner = self.request.user
+
+This time we've used the `ModelViewSet` class in order to get the complete set of default read and write operations.
+
+Notice that we've also used the `@link` decorator to create a custom action, named `highlight`.  This decorator can be used to add any custom endpoints that don't fit into the standard `create`/`update`/`delete` style.
+
+Custom actions which use the `@link` decorator will respond to `GET` requests.  We could have instead used the `@action` decorator if we wanted an action that responded to `POST` requests.
+
+## Binding ViewSets to URLs explicitly
+
+The handler methods only get bound to the actions when we define the URLConf.
+To see what's going on under the hood let's first explicitly create a set of views from our ViewSets.
+
+In the `urls.py` file we bind our `ViewSet` classes into a set of concrete views.
+
+    from snippets.resources import SnippetResource, UserResource
+
+    snippet_list = SnippetViewSet.as_view({
+        'get': 'list',
+        'post': 'create'
+    })
+    snippet_detail = SnippetViewSet.as_view({
+        'get': 'retrieve',
+        'put': 'update',
+        'patch': 'partial_update',
+        'delete': 'destroy'
+    })
+    snippet_highlight = SnippetViewSet.as_view({
+        'get': 'highlight'
+    })
+    user_list = UserViewSet.as_view({
+        'get': 'list'
+    })
+    user_detail = UserViewSet.as_view({
+        'get': 'retrieve'
+    })
+
+Notice how we're creating multiple views from each `ViewSet` class, by binding the http methods to the required action for each view.
+
+Now that we've bound our resources into concrete views, that we can register the views with the URL conf as usual.
+
+    urlpatterns = format_suffix_patterns(patterns('snippets.views',
+        url(r'^$', 'api_root'),
+        url(r'^snippets/$', snippet_list, name='snippet-list'),
+        url(r'^snippets/(?P<pk>[0-9]+)/$', snippet_detail, name='snippet-detail'),
+        url(r'^snippets/(?P<pk>[0-9]+)/highlight/$', snippet_highlight, name='snippet-highlight'),
+        url(r'^users/$', user_list, name='user-list'),
+        url(r'^users/(?P<pk>[0-9]+)/$', user_detail, name='user-detail')
+    ))
+
+## Using Routers
+
+Because we're using `ViewSet` classes rather than `View` classes, we actually don't need to design the URL conf ourselves.  The conventions for wiring up resources into views and urls can be handled automatically, using a `Router` class.  All we need to do is register the appropriate view sets with a router, and let it do the rest.
+
+Here's our re-wired `urls.py` file.
+
+    from snippets import views
+    from rest_framework.routers import DefaultRouter
+
+    # Create a router and register our viewsets with it.
+    router = DefaultRouter()
+    router.register(r'snippets', views.SnippetViewSet)
+    router.register(r'users', views.UserViewSet)
+    
+    # The API URLs are now determined automatically by the router.
+    # Additionally, we include the login URLs for the browseable API.
+    urlpatterns = patterns('',
+        url(r'^', include(router.urls)),
+        url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework'))
+    )
+
+Registering the viewsets with the router is similar to providing a urlpattern.  We include two arguments - the URL prefix for the views, and the viewset itself.
+
+The `DefaultRouter` class we're using also automatically creates the API root view for us, so we can now delete the `api_root` method from our `views` module.
+
+## Trade-offs between views vs viewsets
+
+Using viewsets can be a really useful abstraction.  It helps ensure that URL conventions will be consistent across your API, minimizes the amount of code you need to write, and allows you to concentrate on the interactions and representations your API provides rather than the specifics of the URL conf.
+
+That doesn't mean it's always the right approach to take.  There's a similar set of trade-offs to consider as when using class-based views instead of function based views.  Using viewsets is less explicit than building your views individually.
+
+## Reviewing our work
+
+With an incredibly small amount of code, we've now got a complete pastebin Web API, which is fully web browseable, and comes complete with authentication, per-object permissions, and multiple renderer formats.
+
+We've walked through each step of the design process, and seen how if we need to customize anything we can gradually work our way down to simply using regular Django views.
+
+You can review the final [tutorial code][repo] on GitHub, or try out a live example in [the sandbox][sandbox]. 
+
+## Onwards and upwards
+
+We've reached the end of our tutorial.  If you want to get more involved in the REST framework project, here's a few places you can start:
+
+* Contribute on [GitHub][github] by reviewing and submitting issues, and making pull requests.
+* Join the [REST framework discussion group][group], and help build the community.
+* Follow [the author][twitter] on Twitter and say hi.
+
+**Now go build awesome things.**
+
+
+[repo]: https://github.com/tomchristie/rest-framework-tutorial
+[sandbox]: http://restframework.herokuapp.com/
+[github]: https://github.com/tomchristie/django-rest-framework
+[group]: https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework
+[twitter]: https://twitter.com/_tomchristie

docs/tutorial/quickstart.md

@@ -8,7 +8,7 @@ Create a new Django project, and start a new app called `quickstart`.  Once you'
 
 First up we're going to define some serializers in `quickstart/serializers.py` that we'll use for our data representations.
 
-    from django.contrib.auth.models import User, Group, Permission
+    from django.contrib.auth.models import User, Group
     from rest_framework import serializers
     
     
@@ -19,109 +19,64 @@ First up we're going to define some serializers in `quickstart/serializers.py` t
     
     
     class GroupSerializer(serializers.HyperlinkedModelSerializer):
-        permissions = serializers.ManySlugRelatedField(
-            slug_field='codename',
-            queryset=Permission.objects.all()
-        )
-
         class Meta:
             model = Group
-            fields = ('url', 'name', 'permissions')
+            fields = ('url', 'name')
 
 Notice that we're using hyperlinked relations in this case, with `HyperlinkedModelSerializer`.  You can also use primary key and various other relationships, but hyperlinking is good RESTful design.
 
-We've also overridden the `permission` field on the `GroupSerializer`.  In this case we don't want to use a hyperlinked representation, but instead use the list of permission codenames associated with the group, so we've used a `ManySlugRelatedField`, using the `codename` field for the representation.
-
 ## Views
 
 Right, we'd better write some views then.  Open `quickstart/views.py` and get typing.
 
     from django.contrib.auth.models import User, Group
-    from rest_framework import generics
-    from rest_framework.decorators import api_view
-    from rest_framework.reverse import reverse
-    from rest_framework.response import Response
+    from rest_framework import viewsets
     from quickstart.serializers import UserSerializer, GroupSerializer
     
     
-    @api_view(['GET'])
-    def api_root(request, format=None):
-        """
-        The entry endpoint of our API.
-        """
-        return Response({
-            'users': reverse('user-list', request=request),
-            'groups': reverse('group-list', request=request),
-        })
-    
-    
-    class UserList(generics.ListCreateAPIView):
+    class UserViewSet(viewsets.ModelViewSet):
         """
-        API endpoint that represents a list of users.
+        API endpoint that allows users to be viewed or edited.
         """
-        model = User
+        queryset = User.objects.all()
         serializer_class = UserSerializer
     
     
-    class UserDetail(generics.RetrieveUpdateDestroyAPIView):
+    class GroupViewSet(viewsets.ModelViewSet):
         """
-        API endpoint that represents a single user.
-        """
-        model = User
-        serializer_class = UserSerializer
-    
-    
-    class GroupList(generics.ListCreateAPIView):
+        API endpoint that allows groups to be viewed or edited.
         """
-        API endpoint that represents a list of groups.
-        """
-        model = Group
+        queryset = Group.objects.all()
         serializer_class = GroupSerializer
 
+Rather that write multiple views we're grouping together all the common behavior into classes called `ViewSets`.
 
-    class GroupDetail(generics.RetrieveUpdateDestroyAPIView):
-        """
-        API endpoint that represents a single group.
-        """
-        model = Group
-        serializer_class = GroupSerializer
-
-Let's take a moment to look at what we've done here before we move on.  We have one function-based view representing the root of the API, and four class-based views which map to our database models, and specify which serializers should be used for representing that data.  Pretty simple stuff.
+We can easily break these down into individual views if we need to, but using viewsets keeps the view logic nicely organized as well as being very concise.
 
 ## URLs
 
-Okay, let's wire this baby up.  On to `quickstart/urls.py`...
+Okay, now let's wire up the API URLs.  On to `quickstart/urls.py`...
 
     from django.conf.urls import patterns, url, include
-    from rest_framework.urlpatterns import format_suffix_patterns
-    from quickstart.views import UserList, UserDetail, GroupList, GroupDetail
+    from rest_framework import routers
+    from quickstart import views
 
+    router = routers.DefaultRouter()
+    router.register(r'users', views.UserViewSet)
+    router.register(r'groups', views.GroupViewSet)
 
-    urlpatterns = patterns('quickstart.views',
-        url(r'^$', 'api_root'),
-        url(r'^users/$', UserList.as_view(), name='user-list'),
-        url(r'^users/(?P<pk>\d+)/$', UserDetail.as_view(), name='user-detail'),
-        url(r'^groups/$', GroupList.as_view(), name='group-list'),
-        url(r'^groups/(?P<pk>\d+)/$', GroupDetail.as_view(), name='group-detail'),
-    )
-
-    
-    # Format suffixes
-    urlpatterns = format_suffix_patterns(urlpatterns, allowed=['json', 'api'])
-
-
-    # Default login/logout views
-    urlpatterns += patterns('',
+    # Wire up our API using automatic URL routing.
+    # Additionally, we include login URLs for the browseable API.
+    urlpatterns = patterns('',
+        url(r'^', include(router.urls)),
         url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework'))
     )
 
-There's a few things worth noting here.
-
-Firstly the names `user-detail` and `group-detail` are important.  We're using the default hyperlinked relationships without explicitly specifying the view names, so we need to use names of the style `{modelname}-detail` to represent the model instance views.
+Because we're using viewsets instead of views, we can automatically generate the URL conf for our API, by simply registering the viewsets with a router class.
 
-Secondly, we're modifying the urlpatterns using `format_suffix_patterns`, to append optional `.json` style suffixes to our URLs.
+Again, if we need more control over the API URLs we can simply drop down to using regular class based views, and writing the URL conf explicitly.
 
-Finally, we're including default login and logout views for use with the browsable API.  That's optional, but useful if your API requires authentication and you want to use the browseable API.
+Finally, we're including default login and logout views for use with the browsable API.  That's optional, but useful if your API requires authentication and you want to use the browsable API.
 
 ## Settings
 

mkdocs.py

@@ -37,6 +37,64 @@ page = open(os.path.join(docs_dir, 'template.html'), 'r').read()
 #         shutil.rmtree(target)
 #     shutil.copytree(source, target)
 
+
+# Hacky, but what the hell, it'll do the job
+path_list = [
+    'index.md',
+    'tutorial/quickstart.md',
+    'tutorial/1-serialization.md',
+    'tutorial/2-requests-and-responses.md',
+    'tutorial/3-class-based-views.md',
+    'tutorial/4-authentication-and-permissions.md',
+    'tutorial/5-relationships-and-hyperlinked-apis.md',
+    'tutorial/6-viewsets-and-routers.md',
+    'api-guide/requests.md',
+    'api-guide/responses.md',
+    'api-guide/views.md',
+    'api-guide/generic-views.md',
+    'api-guide/viewsets.md',
+    'api-guide/routers.md',
+    'api-guide/parsers.md',
+    'api-guide/renderers.md',
+    'api-guide/serializers.md',
+    'api-guide/fields.md',
+    'api-guide/relations.md',
+    'api-guide/authentication.md',
+    'api-guide/permissions.md',
+    'api-guide/throttling.md',
+    'api-guide/filtering.md',
+    'api-guide/pagination.md',
+    'api-guide/content-negotiation.md',
+    'api-guide/format-suffixes.md',
+    'api-guide/reverse.md',
+    'api-guide/exceptions.md',
+    'api-guide/status-codes.md',
+    'api-guide/settings.md',
+    'topics/ajax-csrf-cors.md',
+    'topics/browser-enhancements.md',
+    'topics/browsable-api.md',
+    'topics/rest-hypermedia-hateoas.md',
+    'topics/contributing.md',
+    'topics/rest-framework-2-announcement.md',
+    'topics/2.2-announcement.md',
+    'topics/2.3-announcement.md',
+    'topics/release-notes.md',
+    'topics/credits.md',
+]
+
+prev_url_map = {}
+next_url_map = {}
+for idx in range(len(path_list)):
+    path = path_list[idx]
+    rel = '../' * path.count('/')
+
+    if idx > 0:
+        prev_url_map[path] = rel + path_list[idx - 1][:-3] + suffix
+
+    if idx < len(path_list) - 1:
+        next_url_map[path] = rel + path_list[idx + 1][:-3] + suffix
+
+
 for (dirpath, dirnames, filenames) in os.walk(docs_dir):
     relative_dir = dirpath.replace(docs_dir, '').lstrip(os.path.sep)
     build_dir = os.path.join(html_dir, relative_dir)
@@ -46,6 +104,7 @@ for (dirpath, dirnames, filenames) in os.walk(docs_dir):
 
     for filename in filenames:
         path = os.path.join(dirpath, filename)
+        relative_path = os.path.join(relative_dir, filename)
 
         if not filename.endswith('.md'):
             if relative_dir:
@@ -57,25 +116,55 @@ for (dirpath, dirnames, filenames) in os.walk(docs_dir):
 
         toc = ''
         text = open(path, 'r').read().decode('utf-8')
+        main_title = None
+        description = 'Django, API, REST'
         for line in text.splitlines():
             if line.startswith('# '):
                 title = line[2:].strip()
                 template = main_header
+                description = description + ', ' + title
             elif line.startswith('## '):
                 title = line[3:].strip()
                 template = sub_header
             else:
                 continue
 
+            if not main_title:
+                main_title = title
             anchor = title.lower().replace(' ', '-').replace(':-', '-').replace("'", '').replace('?', '').replace('.', '')
             template = template.replace('{{ title }}', title)
             template = template.replace('{{ anchor }}', anchor)
             toc += template + '\n'
 
+        if filename == 'index.md':
+            main_title = 'Django REST framework - APIs made easy'
+        else:
+            main_title = 'Django REST framework - ' + main_title
+
+        prev_url = prev_url_map.get(relative_path)
+        next_url = next_url_map.get(relative_path)
+
         content = markdown.markdown(text, ['headerid'])
 
         output = page.replace('{{ content }}', content).replace('{{ toc }}', toc).replace('{{ base_url }}', base_url).replace('{{ suffix }}', suffix).replace('{{ index }}', index)
+        output = output.replace('{{ title }}', main_title)
+        output = output.replace('{{ description }}', description)
         output = output.replace('{{ page_id }}', filename[:-3])
+
+        if prev_url:
+            output = output.replace('{{ prev_url }}', prev_url)
+            output = output.replace('{{ prev_url_disabled }}', '')
+        else:
+            output = output.replace('{{ prev_url }}', '#')
+            output = output.replace('{{ prev_url_disabled }}', 'disabled')
+
+        if next_url:
+            output = output.replace('{{ next_url }}', next_url)
+            output = output.replace('{{ next_url_disabled }}', '')
+        else:
+            output = output.replace('{{ next_url }}', '#')
+            output = output.replace('{{ next_url_disabled }}', 'disabled')
+
         output = re.sub(r'a href="([^"]*)\.md"', r'a href="\1%s"' % suffix, output)
         output = re.sub(r'<pre><code>:::bash', r'<pre class="prettyprint lang-bsh">', output)
         output = re.sub(r'<pre>', r'<pre class="prettyprint lang-py">', output)

optionals.txt

@@ -2,3 +2,6 @@ markdown>=2.1.0
 PyYAML>=3.10
 defusedxml>=0.3
 django-filter>=0.5.4
+django-oauth-plus>=2.0
+oauth2>=1.5.211
+django-oauth2-provider>=0.2.3

rest_framework/__init__.py

-__version__ = '2.2.1'
+__version__ = '2.3.3'
 
 VERSION = __version__  # synonym
 
 # Header encoding (see RFC5987)
 HTTP_HEADER_ENCODING = 'iso-8859-1'
+
+# Default datetime input and output formats
+ISO_8601 = 'iso-8601'

rest_framework/authtoken/migrations/0001_initial.py

@@ -4,6 +4,8 @@ from south.db import db
 from south.v2 import SchemaMigration
 from django.db import models
 
+from rest_framework.settings import api_settings
+
 
 try:
     from django.contrib.auth import get_user_model
@@ -45,20 +47,7 @@ class Migration(SchemaMigration):
             'name': ('django.db.models.fields.CharField', [], {'max_length': '50'})
         },
         "%s.%s" % (User._meta.app_label, User._meta.module_name): {
-            'Meta': {'object_name': 'User'},
-            'date_joined': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}),
-            'email': ('django.db.models.fields.EmailField', [], {'max_length': '75', 'blank': 'True'}),
-            'first_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}),
-            'groups': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Group']", 'symmetrical': 'False', 'blank': 'True'}),
-            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
-            'is_active': ('django.db.models.fields.BooleanField', [], {'default': 'True'}),
-            'is_staff': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
-            'is_superuser': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
-            'last_login': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}),
-            'last_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}),
-            'password': ('django.db.models.fields.CharField', [], {'max_length': '128'}),
-            'user_permissions': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Permission']", 'symmetrical': 'False', 'blank': 'True'}),
-            'username': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '30'})
+            'Meta': {'object_name': User._meta.module_name},
         },
         'authtoken.token': {
             'Meta': {'object_name': 'Token'},

rest_framework/authtoken/models.py

@@ -2,6 +2,7 @@ import uuid
 import hmac
 from hashlib import sha1
 from rest_framework.compat import User
+from django.conf import settings
 from django.db import models
 
 
@@ -13,6 +14,14 @@ class Token(models.Model):
     user = models.OneToOneField(User, related_name='auth_token')
     created = models.DateTimeField(auto_now_add=True)
 
+    class Meta:
+        # Work around for a bug in Django:
+        # https://code.djangoproject.com/ticket/19422
+        #
+        # Also see corresponding ticket:
+        # https://github.com/tomchristie/django-rest-framework/issues/705
+        abstract = 'rest_framework.authtoken' not in settings.INSTALLED_APPS
+
     def save(self, *args, **kwargs):
         if not self.key:
             self.key = self.generate_key()

rest_framework/compat.py

@@ -6,6 +6,7 @@ versions of django/python, and compatibility wrappers around optional packages.
 from __future__ import unicode_literals
 
 import django
+from django.core.exceptions import ImproperlyConfigured
 
 # Try to import six from Django, fallback to included `six`.
 try:
@@ -87,9 +88,7 @@ else:
         raise ImportError("User model is not to be found.")
 
 
-# First implementation of Django class-based views did not include head method
-# in base View class - https://code.djangoproject.com/ticket/15668
-if django.VERSION >= (1, 4):
+if django.VERSION >= (1, 5):
     from django.views.generic import View
 else:
     from django.views.generic import View as _View
@@ -97,6 +96,8 @@ else:
     from django.utils.functional import update_wrapper
 
     class View(_View):
+        # 1.3 does not include head method in base View class
+        # See: https://code.djangoproject.com/ticket/15668
         @classonlymethod
         def as_view(cls, **initkwargs):
             """
@@ -126,11 +127,15 @@ else:
             update_wrapper(view, cls.dispatch, assigned=())
             return view
 
-# Taken from @markotibold's attempt at supporting PATCH.
-# https://github.com/markotibold/django-rest-framework/tree/patch
-http_method_names = set(View.http_method_names)
-http_method_names.add('patch')
-View.http_method_names = list(http_method_names)  # PATCH method is not implemented by Django
+        # _allowed_methods only present from 1.5 onwards
+        def _allowed_methods(self):
+            return [m.upper() for m in self.http_method_names if hasattr(self, m)]
+
+
+# PATCH method is not implemented by Django
+if 'patch' not in View.http_method_names:
+    View.http_method_names = View.http_method_names + ['patch']
+
 
 # PUT, DELETE do not require CSRF until 1.4.  They should.  Make it better.
 if django.VERSION >= (1, 4):
@@ -395,6 +400,41 @@ except ImportError:
             kw = dict((k, int(v)) for k, v in kw.iteritems() if v is not None)
             return datetime.datetime(**kw)
 
+
+# smart_urlquote is new on Django 1.4
+try:
+    from django.utils.html import smart_urlquote
+except ImportError:
+    import re
+    from django.utils.encoding import smart_str
+    try:
+        from urllib.parse import quote, urlsplit, urlunsplit
+    except ImportError:     # Python 2
+        from urllib import quote
+        from urlparse import urlsplit, urlunsplit
+
+    unquoted_percents_re = re.compile(r'%(?![0-9A-Fa-f]{2})')
+
+    def smart_urlquote(url):
+        "Quotes a URL if it isn't already quoted."
+        # Handle IDN before quoting.
+        scheme, netloc, path, query, fragment = urlsplit(url)
+        try:
+            netloc = netloc.encode('idna').decode('ascii')  # IDN -> ACE
+        except UnicodeError:  # invalid domain part
+            pass
+        else:
+            url = urlunsplit((scheme, netloc, path, query, fragment))
+
+        # An URL is considered unquoted if it contains no % characters or
+        # contains a % not followed by two hexadecimal digits. See #9655.
+        if '%' not in url or unquoted_percents_re.search(url):
+            # See http://bugs.python.org/issue2637
+            url = quote(smart_str(url), safe=b'!*\'();:@&=+$,/?#[]~')
+
+        return force_text(url)
+
+
 # Markdown is optional
 try:
     import markdown
@@ -426,3 +466,32 @@ try:
     import defusedxml.ElementTree as etree
 except ImportError:
     etree = None
+
+# OAuth is optional
+try:
+    # Note: The `oauth2` package actually provides oauth1.0a support.  Urg.
+    import oauth2 as oauth
+except ImportError:
+    oauth = None
+
+# OAuth is optional
+try:
+    import oauth_provider
+    from oauth_provider.store import store as oauth_provider_store
+except (ImportError, ImproperlyConfigured):
+    oauth_provider = None
+    oauth_provider_store = None
+
+# OAuth 2 support is optional
+try:
+    import provider.oauth2 as oauth2_provider
+    from provider.oauth2 import models as oauth2_provider_models
+    from provider.oauth2 import forms as oauth2_provider_forms
+    from provider import scope as oauth2_provider_scope
+    from provider import constants as oauth2_constants
+except ImportError:
+    oauth2_provider = None
+    oauth2_provider_models = None
+    oauth2_provider_forms = None
+    oauth2_provider_scope = None
+    oauth2_constants = None

rest_framework/decorators.py

+"""
+The most imporant decorator in this module is `@api_view`, which is used
+for writing function-based views with REST framework.
+
+There are also various decorators for setting the API policies on function
+based views, as well as the `@action` and `@link` decorators, which are
+used to annotate methods on viewsets that should be included by routers.
+"""
 from __future__ import unicode_literals
 from rest_framework.compat import six
 from rest_framework.views import APIView
@@ -97,3 +105,25 @@ def permission_classes(permission_classes):
         func.permission_classes = permission_classes
         return func
     return decorator
+
+
+def link(**kwargs):
+    """
+    Used to mark a method on a ViewSet that should be routed for GET requests.
+    """
+    def decorator(func):
+        func.bind_to_method = 'get'
+        func.kwargs = kwargs
+        return func
+    return decorator
+
+
+def action(**kwargs):
+    """
+    Used to mark a method on a ViewSet that should be routed for POST requests.
+    """
+    def decorator(func):
+        func.bind_to_method = 'post'
+        func.kwargs = kwargs
+        return func
+    return decorator

rest_framework/filters.py

+"""
+Provides generic filtering backends that can be used to filter the results
+returned by list views.
+"""
 from __future__ import unicode_literals
-from rest_framework.compat import django_filters
+from django.db import models
+from rest_framework.compat import django_filters, six
+from functools import reduce
+import operator
 
 FilterSet = django_filters and django_filters.FilterSet or None
 
@@ -25,36 +32,112 @@ class DjangoFilterBackend(BaseFilterBackend):
     def __init__(self):
         assert django_filters, 'Using DjangoFilterBackend, but django-filter is not installed'
 
-    def get_filter_class(self, view):
+    def get_filter_class(self, view, queryset=None):
         """
         Return the django-filters `FilterSet` used to filter the queryset.
         """
         filter_class = getattr(view, 'filter_class', None)
         filter_fields = getattr(view, 'filter_fields', None)
-        view_model = getattr(view, 'model', None)
 
         if filter_class:
             filter_model = filter_class.Meta.model
 
-            assert issubclass(filter_model, view_model), \
-                'FilterSet model %s does not match view model %s' % \
-                (filter_model, view_model)
+            assert issubclass(filter_model, queryset.model), \
+                'FilterSet model %s does not match queryset model %s' % \
+                (filter_model, queryset.model)
 
             return filter_class
 
         if filter_fields:
             class AutoFilterSet(self.default_filter_set):
                 class Meta:
-                    model = view_model
+                    model = queryset.model
                     fields = filter_fields
             return AutoFilterSet
 
         return None
 
     def filter_queryset(self, request, queryset, view):
-        filter_class = self.get_filter_class(view)
+        filter_class = self.get_filter_class(view, queryset)
 
         if filter_class:
-            return filter_class(request.QUERY_PARAMS, queryset=queryset)
+            return filter_class(request.QUERY_PARAMS, queryset=queryset).qs
+
+        return queryset
+
+
+class SearchFilter(BaseFilterBackend):
+    search_param = 'search'  # The URL query parameter used for the search.
+
+    def get_search_terms(self, request):
+        """
+        Search terms are set by a ?search=... query parameter,
+        and may be comma and/or whitespace delimited.
+        """
+        params = request.QUERY_PARAMS.get(self.search_param, '')
+        return params.replace(',', ' ').split()
+
+    def construct_search(self, field_name):
+        if field_name.startswith('^'):
+            return "%s__istartswith" % field_name[1:]
+        elif field_name.startswith('='):
+            return "%s__iexact" % field_name[1:]
+        elif field_name.startswith('@'):
+            return "%s__search" % field_name[1:]
+        else:
+            return "%s__icontains" % field_name
+
+    def filter_queryset(self, request, queryset, view):
+        search_fields = getattr(view, 'search_fields', None)
+
+        if not search_fields:
+            return queryset
+
+        orm_lookups = [self.construct_search(str(search_field))
+                       for search_field in search_fields]
+
+        for search_term in self.get_search_terms(request):
+            or_queries = [models.Q(**{orm_lookup: search_term})
+                          for orm_lookup in orm_lookups]
+            queryset = queryset.filter(reduce(operator.or_, or_queries))
+
+        return queryset
+
+
+class OrderingFilter(BaseFilterBackend):
+    ordering_param = 'ordering'  # The URL query parameter used for the ordering.
+
+    def get_ordering(self, request):
+        """
+        Search terms are set by a ?search=... query parameter,
+        and may be comma and/or whitespace delimited.
+        """
+        params = request.QUERY_PARAMS.get(self.ordering_param)
+        if params:
+            return [param.strip() for param in params.split(',')]
+
+    def get_default_ordering(self, view):
+        ordering = getattr(view, 'ordering', None)
+        if isinstance(ordering, six.string_types):
+            return (ordering,)
+        return ordering
+
+    def remove_invalid_fields(self, queryset, ordering):
+        field_names = [field.name for field in queryset.model._meta.fields]
+        return [term for term in ordering if term.lstrip('-') in field_names]
+
+    def filter_queryset(self, request, queryset, view):
+        ordering = self.get_ordering(request)
+
+        if ordering:
+            # Skip any incorrect parameters
+            ordering = self.remove_invalid_fields(queryset, ordering)
+
+        if not ordering:
+            # Use 'ordering' attribtue by default
+            ordering = self.get_default_ordering(view)
+
+        if ordering:
+            return queryset.order_by(*ordering)
 
         return queryset

rest_framework/mixins.py

@@ -10,9 +10,10 @@ from django.http import Http404
 from rest_framework import status
 from rest_framework.response import Response
 from rest_framework.request import clone_request
+import warnings
 
 
-def _get_validation_exclusions(obj, pk=None, slug_field=None):
+def _get_validation_exclusions(obj, pk=None, slug_field=None, lookup_field=None):
     """
     Given a model instance, and an optional pk and slug field,
     return the full list of all other field names on that model.
@@ -23,28 +24,32 @@ def _get_validation_exclusions(obj, pk=None, slug_field=None):
     include = []
 
     if pk:
+        # Pending deprecation
         pk_field = obj._meta.pk
         while pk_field.rel:
             pk_field = pk_field.rel.to._meta.pk
         include.append(pk_field.name)
 
     if slug_field:
+        # Pending deprecation
         include.append(slug_field)
 
+    if lookup_field and lookup_field != 'pk':
+        include.append(lookup_field)
+
     return [field.name for field in obj._meta.fields if field.name not in include]
 
 
 class CreateModelMixin(object):
     """
     Create a model instance.
-    Should be mixed in with any `GenericAPIView`.
     """
     def create(self, request, *args, **kwargs):
         serializer = self.get_serializer(data=request.DATA, files=request.FILES)
 
         if serializer.is_valid():
             self.pre_save(serializer.object)
-            self.object = serializer.save()
+            self.object = serializer.save(force_insert=True)
             self.post_save(self.object, created=True)
             headers = self.get_success_headers(serializer.data)
             return Response(serializer.data, status=status.HTTP_201_CREATED,
@@ -62,28 +67,28 @@ class CreateModelMixin(object):
 class ListModelMixin(object):
     """
     List a queryset.
-    Should be mixed in with `MultipleObjectAPIView`.
     """
     empty_error = "Empty list and '%(class_name)s.allow_empty' is False."
 
     def list(self, request, *args, **kwargs):
-        queryset = self.get_queryset()
-        self.object_list = self.filter_queryset(queryset)
+        self.object_list = self.filter_queryset(self.get_queryset())
 
         # Default is to allow empty querysets.  This can be altered by setting
         # `.allow_empty = False`, to raise 404 errors on empty querysets.
-        allow_empty = self.get_allow_empty()
-        if not allow_empty and not self.object_list:
+        if not self.allow_empty and not self.object_list:
+            warnings.warn(
+                'The `allow_empty` parameter is due to be deprecated. '
+                'To use `allow_empty=False` style behavior, You should override '
+                '`get_queryset()` and explicitly raise a 404 on empty querysets.',
+                PendingDeprecationWarning
+            )
             class_name = self.__class__.__name__
             error_msg = self.empty_error % {'class_name': class_name}
             raise Http404(error_msg)
 
-        # Pagination size is set by the `.paginate_by` attribute,
-        # which may be `None` to disable pagination.
-        page_size = self.get_paginate_by(self.object_list)
-        if page_size:
-            packed = self.paginate_queryset(self.object_list, page_size)
-            paginator, page, queryset, is_paginated = packed
+        # Switch between paginated or standard style responses
+        page = self.paginate_queryset(self.object_list)
+        if page is not None:
             serializer = self.get_pagination_serializer(page)
         else:
             serializer = self.get_serializer(self.object_list, many=True)
@@ -94,7 +99,6 @@ class ListModelMixin(object):
 class RetrieveModelMixin(object):
     """
     Retrieve a model instance.
-    Should be mixed in with `SingleObjectAPIView`.
     """
     def retrieve(self, request, *args, **kwargs):
         self.object = self.get_object()
@@ -105,21 +109,28 @@ class RetrieveModelMixin(object):
 class UpdateModelMixin(object):
     """
     Update a model instance.
-    Should be mixed in with `SingleObjectAPIView`.
     """
-    def update(self, request, *args, **kwargs):
-        partial = kwargs.pop('partial', False)
-        self.object = None
+    def get_object_or_none(self):
         try:
-            self.object = self.get_object()
+            return self.get_object()
         except Http404:
             # If this is a PUT-as-create operation, we need to ensure that
             # we have relevant permissions, as if this was a POST request.
-            self.check_permissions(clone_request(request, 'POST'))
+            # This will either raise a PermissionDenied exception,
+            # or simply return None
+            self.check_permissions(clone_request(self.request, 'POST'))
+
+    def update(self, request, *args, **kwargs):
+        partial = kwargs.pop('partial', False)
+        self.object = self.get_object_or_none()
+
+        if self.object is None:
             created = True
+            save_kwargs = {'force_insert': True}
             success_status_code = status.HTTP_201_CREATED
         else:
             created = False
+            save_kwargs = {'force_update': True}
             success_status_code = status.HTTP_200_OK
 
         serializer = self.get_serializer(self.object, data=request.DATA,
@@ -127,20 +138,28 @@ class UpdateModelMixin(object):
 
         if serializer.is_valid():
             self.pre_save(serializer.object)
-            self.object = serializer.save()
+            self.object = serializer.save(**save_kwargs)
             self.post_save(self.object, created=created)
             return Response(serializer.data, status=success_status_code)
 
         return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
+    def partial_update(self, request, *args, **kwargs):
+        kwargs['partial'] = True
+        return self.update(request, *args, **kwargs)
+
     def pre_save(self, obj):
         """
         Set any attributes on the object that are implicit in the request.
         """
         # pk and/or slug attributes are implicit in the URL.
+        lookup = self.kwargs.get(self.lookup_field, None)
         pk = self.kwargs.get(self.pk_url_kwarg, None)
         slug = self.kwargs.get(self.slug_url_kwarg, None)
-        slug_field = slug and self.get_slug_field() or None
+        slug_field = slug and self.slug_field or None
+
+        if lookup:
+            setattr(obj, self.lookup_field, lookup)
 
         if pk:
             setattr(obj, 'pk', pk)
@@ -151,14 +170,13 @@ class UpdateModelMixin(object):
         # Ensure we clean the attributes so that we don't eg return integer
         # pk using a string representation, as provided by the url conf kwarg.
         if hasattr(obj, 'full_clean'):
-            exclude = _get_validation_exclusions(obj, pk, slug_field)
+            exclude = _get_validation_exclusions(obj, pk, slug_field, self.lookup_field)
             obj.full_clean(exclude)
 
 
 class DestroyModelMixin(object):
     """
     Destroy a model instance.
-    Should be mixed in with `SingleObjectAPIView`.
     """
     def destroy(self, request, *args, **kwargs):
         obj = self.get_object()

rest_framework/negotiation.py

+"""
+Content negotiation deals with selecting an appropriate renderer given the
+incoming request.  Typically this will be based on the request's Accept header.
+"""
 from __future__ import unicode_literals
 from django.http import Http404
 from rest_framework import exceptions

rest_framework/pagination.py

+"""
+Pagination serializers determine the structure of the output that should
+be used for paginated responses.
+"""
 from __future__ import unicode_literals
 from rest_framework import serializers
 from rest_framework.templatetags.rest_framework import replace_query_param
 
-# TODO: Support URLconf kwarg-style paging
-
 
 class NextPageField(serializers.Field):
     """

rest_framework/parsers.py

@@ -6,9 +6,10 @@ on the request, such as form content or json encoded data.
 """
 from __future__ import unicode_literals
 from django.conf import settings
+from django.core.files.uploadhandler import StopFutureHandlers
 from django.http import QueryDict
 from django.http.multipartparser import MultiPartParser as DjangoMultiPartParser
-from django.http.multipartparser import MultiPartParserError
+from django.http.multipartparser import MultiPartParserError, parse_header, ChunkIter
 from rest_framework.compat import yaml, etree
 from rest_framework.exceptions import ParseError
 from rest_framework.compat import six
@@ -205,3 +206,90 @@ class XMLParser(BaseParser):
             pass
 
         return value
+
+
+class FileUploadParser(BaseParser):
+    """
+    Parser for file upload data.
+    """
+    media_type = '*/*'
+
+    def parse(self, stream, media_type=None, parser_context=None):
+        """
+        Returns a DataAndFiles object.
+
+        `.data` will be None (we expect request body to be a file content).
+        `.files` will be a `QueryDict` containing one 'file' element.
+        """
+
+        parser_context = parser_context or {}
+        request = parser_context['request']
+        encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
+        meta = request.META
+        upload_handlers = request.upload_handlers
+        filename = self.get_filename(stream, media_type, parser_context)
+
+        # Note that this code is extracted from Django's handling of
+        # file uploads in MultiPartParser.
+        content_type = meta.get('HTTP_CONTENT_TYPE',
+                                meta.get('CONTENT_TYPE', ''))
+        try:
+            content_length = int(meta.get('HTTP_CONTENT_LENGTH',
+                                          meta.get('CONTENT_LENGTH', 0)))
+        except (ValueError, TypeError):
+            content_length = None
+
+        # See if the handler will want to take care of the parsing.
+        for handler in upload_handlers:
+            result = handler.handle_raw_input(None,
+                                              meta,
+                                              content_length,
+                                              None,
+                                              encoding)
+            if result is not None:
+                return DataAndFiles(None, {'file': result[1]})
+
+        # This is the standard case.
+        possible_sizes = [x.chunk_size for x in upload_handlers if x.chunk_size]
+        chunk_size = min([2 ** 31 - 4] + possible_sizes)
+        chunks = ChunkIter(stream, chunk_size)
+        counters = [0] * len(upload_handlers)
+
+        for handler in upload_handlers:
+            try:
+                handler.new_file(None, filename, content_type,
+                                 content_length, encoding)
+            except StopFutureHandlers:
+                break
+
+        for chunk in chunks:
+            for i, handler in enumerate(upload_handlers):
+                chunk_length = len(chunk)
+                chunk = handler.receive_data_chunk(chunk, counters[i])
+                counters[i] += chunk_length
+                if chunk is None:
+                    break
+
+        for i, handler in enumerate(upload_handlers):
+            file_obj = handler.file_complete(counters[i])
+            if file_obj:
+                return DataAndFiles(None, {'file': file_obj})
+        raise ParseError("FileUpload parse error - "
+                         "none of upload handlers can handle the stream")
+
+    def get_filename(self, stream, media_type, parser_context):
+        """
+        Detects the uploaded file name. First searches a 'filename' url kwarg.
+        Then tries to parse Content-Disposition header.
+        """
+        try:
+            return parser_context['kwargs']['filename']
+        except KeyError:
+            pass
+
+        try:
+            meta = parser_context['request'].META
+            disposition = parse_header(meta['HTTP_CONTENT_DISPOSITION'])
+            return disposition[1]['filename']
+        except (AttributeError, KeyError):
+            pass

rest_framework/permissions.py

@@ -7,6 +7,8 @@ import warnings
 
 SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']
 
+from rest_framework.compat import oauth2_provider_scope, oauth2_constants
+
 
 class BasePermission(object):
     """
@@ -23,10 +25,12 @@ class BasePermission(object):
         """
         Return `True` if permission is granted, `False` otherwise.
         """
-        if len(inspect.getargspec(self.has_permission)[0]) == 4:
-            warnings.warn('The `obj` argument in `has_permission` is due to be deprecated. '
+        if len(inspect.getargspec(self.has_permission).args) == 4:
+            warnings.warn(
+                'The `obj` argument in `has_permission` is deprecated. '
                 'Use `has_object_permission()` instead for object permissions.',
-                       PendingDeprecationWarning, stacklevel=2)
+                DeprecationWarning, stacklevel=2
+            )
             return self.has_permission(request, view, obj)
         return True
 
@@ -85,8 +89,8 @@ class DjangoModelPermissions(BasePermission):
     It ensures that the user is authenticated, and has the appropriate
     `add`/`change`/`delete` permissions on the model.
 
-    This permission will only be applied against view classes that
-    provide a `.model` attribute, such as the generic class-based views.
+    This permission can only be applied against view classes that
+    provide a `.model` or `.queryset` attribute.
     """
 
     # Map methods into required permission codes.
@@ -102,6 +106,8 @@ class DjangoModelPermissions(BasePermission):
         'DELETE': ['%(app_label)s.delete_%(model_name)s'],
     }
 
+    authenticated_users_only = True
+
     def get_required_permissions(self, method, model_cls):
         """
         Given a model and an HTTP method, return the list of permission
@@ -115,13 +121,54 @@ class DjangoModelPermissions(BasePermission):
 
     def has_permission(self, request, view):
         model_cls = getattr(view, 'model', None)
-        if not model_cls:
+        queryset = getattr(view, 'queryset', None)
+
+        if model_cls is None and queryset is not None:
+            model_cls = queryset.model
+
+        # Workaround to ensure DjangoModelPermissions are not applied
+        # to the root view when using DefaultRouter.
+        if model_cls is None and getattr(view, '_ignore_model_permissions'):
             return True
 
+        assert model_cls, ('Cannot apply DjangoModelPermissions on a view that'
+                           ' does not have `.model` or `.queryset` property.')
+
         perms = self.get_required_permissions(request.method, model_cls)
 
         if (request.user and
-            request.user.is_authenticated() and
+            (request.user.is_authenticated() or not self.authenticated_users_only) and
             request.user.has_perms(perms)):
             return True
         return False
+
+
+class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):
+    """
+    Similar to DjangoModelPermissions, except that anonymous users are
+    allowed read-only access.
+    """
+    authenticated_users_only = False
+
+
+class TokenHasReadWriteScope(BasePermission):
+    """
+    The request is authenticated as a user and the token used has the right scope
+    """
+
+    def has_permission(self, request, view):
+        token = request.auth
+        read_only = request.method in SAFE_METHODS
+
+        if not token:
+            return False
+
+        if hasattr(token, 'resource'):  # OAuth 1
+            return read_only or not request.auth.resource.is_readonly
+        elif hasattr(token, 'scope'):  # OAuth 2
+            required = oauth2_constants.READ if read_only else oauth2_constants.WRITE
+            return oauth2_provider_scope.check(required, request.auth.scope)
+
+        assert False, ('TokenHasReadWriteScope requires either the'
+        '`OAuthAuthentication` or `OAuth2Authentication` authentication '
+        'class to be used.')

rest_framework/renderers.py

@@ -24,6 +24,7 @@ from rest_framework.settings import api_settings
 from rest_framework.request import clone_request
 from rest_framework.utils import encoders
 from rest_framework.utils.breadcrumbs import get_breadcrumbs
+from rest_framework.utils.formatting import get_view_name, get_view_description
 from rest_framework import exceptions, parsers, status, VERSION
 
 
@@ -57,7 +58,7 @@ class JSONRenderer(BaseRenderer):
             return ''
 
         # If 'indent' is provided in the context, then pretty print the result.
-        # E.g. If we're being called by the BrowseableAPIRenderer.
+        # E.g. If we're being called by the BrowsableAPIRenderer.
         renderer_context = renderer_context or {}
         indent = renderer_context.get('indent', None)
 
@@ -438,16 +439,13 @@ class BrowsableAPIRenderer(BaseRenderer):
         return GenericContentForm()
 
     def get_name(self, view):
-        try:
-            return view.get_name()
-        except AttributeError:
-            return smart_text(view.__class__.__name__)
+        return get_view_name(view.__class__, getattr(view, 'suffix', None))
 
     def get_description(self, view):
-        try:
-            return view.get_description(html=True)
-        except AttributeError:
-            return smart_text(view.__doc__ or '')
+        return get_view_description(view.__class__, html=True)
+
+    def get_breadcrumbs(self, request):
+        return get_breadcrumbs(request.path)
 
     def render(self, data, accepted_media_type=None, renderer_context=None):
         """
@@ -480,7 +478,7 @@ class BrowsableAPIRenderer(BaseRenderer):
 
         name = self.get_name(view)
         description = self.get_description(view)
-        breadcrumb_list = get_breadcrumbs(request.path)
+        breadcrumb_list = self.get_breadcrumbs(request)
 
         template = loader.get_template(self.template)
         context = RequestContext(request, {

rest_framework/request.py

 """
-The :mod:`request` module provides a :class:`Request` class used to wrap the standard `request`
-object received in all the views.
+The Request class is used as a wrapper around the standard request object.
 
 The wrapped request then offers a richer API, in particular :
 
     - content automatically parsed according to `Content-Type` header,
-      and available as :meth:`.DATA<Request.DATA>`
+      and available as `request.DATA`
     - full support of PUT method, including support for file uploads
     - form overloading of HTTP method, content type and content
 """
@@ -231,11 +230,17 @@ class Request(object):
         """
         self._content_type = self.META.get('HTTP_CONTENT_TYPE',
                                            self.META.get('CONTENT_TYPE', ''))
+
         self._perform_form_overloading()
-        # if the HTTP method was not overloaded, we take the raw HTTP method
+
         if not _hasattr(self, '_method'):
             self._method = self._request.method
 
+            if self._method == 'POST':
+                # Allow X-HTTP-METHOD-OVERRIDE header
+                self._method = self.META.get('HTTP_X_HTTP_METHOD_OVERRIDE',
+                                             self._method)
+
     def _load_stream(self):
         """
         Return the content body of the request, as a stream.

rest_framework/response.py

+"""
+The Response class in REST framework is similiar to HTTPResponse, except that
+it is initialized with unrendered data, instead of a pre-rendered string.
+
+The appropriate renderer is called during Django's template response rendering.
+"""
 from __future__ import unicode_literals
 from django.core.handlers.wsgi import STATUS_CODE_TEXT
 from django.template.response import SimpleTemplateResponse

rest_framework/routers.py

+"""
+Routers provide a convenient and consistent way of automatically
+determining the URL conf for your API.
+
+They are used by simply instantiating a Router class, and then registering
+all the required ViewSets with that router.
+
+For example, you might have a `urls.py` that looks something like this:
+
+    router = routers.DefaultRouter()
+    router.register('users', UserViewSet, 'user')
+    router.register('accounts', AccountViewSet, 'account')
+
+    urlpatterns = router.urls
+"""
+from __future__ import unicode_literals
+
+from collections import namedtuple
+from rest_framework import views
+from rest_framework.compat import patterns, url
+from rest_framework.decorators import api_view
+from rest_framework.response import Response
+from rest_framework.reverse import reverse
+from rest_framework.urlpatterns import format_suffix_patterns
+
+
+Route = namedtuple('Route', ['url', 'mapping', 'name', 'initkwargs'])
+
+
+def replace_methodname(format_string, methodname):
+    """
+    Partially format a format_string, swapping out any
+    '{methodname}' or '{methodnamehyphen}' components.
+    """
+    methodnamehyphen = methodname.replace('_', '-')
+    ret = format_string
+    ret = ret.replace('{methodname}', methodname)
+    ret = ret.replace('{methodnamehyphen}', methodnamehyphen)
+    return ret
+
+
+class BaseRouter(object):
+    def __init__(self):
+        self.registry = []
+
+    def register(self, prefix, viewset, base_name=None):
+        if base_name is None:
+            base_name = self.get_default_base_name(viewset)
+        self.registry.append((prefix, viewset, base_name))
+
+    def get_default_base_name(self, viewset):
+        """
+        If `base_name` is not specified, attempt to automatically determine
+        it from the viewset.
+        """
+        raise NotImplemented('get_default_base_name must be overridden')
+
+    def get_urls(self):
+        """
+        Return a list of URL patterns, given the registered viewsets.
+        """
+        raise NotImplemented('get_urls must be overridden')
+
+    @property
+    def urls(self):
+        if not hasattr(self, '_urls'):
+            self._urls = patterns('', *self.get_urls())
+        return self._urls
+
+
+class SimpleRouter(BaseRouter):
+    routes = [
+        # List route.
+        Route(
+            url=r'^{prefix}/$',
+            mapping={
+                'get': 'list',
+                'post': 'create'
+            },
+            name='{basename}-list',
+            initkwargs={'suffix': 'List'}
+        ),
+        # Detail route.
+        Route(
+            url=r'^{prefix}/{lookup}/$',
+            mapping={
+                'get': 'retrieve',
+                'put': 'update',
+                'patch': 'partial_update',
+                'delete': 'destroy'
+            },
+            name='{basename}-detail',
+            initkwargs={'suffix': 'Instance'}
+        ),
+        # Dynamically generated routes.
+        # Generated using @action or @link decorators on methods of the viewset.
+        Route(
+            url=r'^{prefix}/{lookup}/{methodname}/$',
+            mapping={
+                '{httpmethod}': '{methodname}',
+            },
+            name='{basename}-{methodnamehyphen}',
+            initkwargs={}
+        ),
+    ]
+
+    def get_default_base_name(self, viewset):
+        """
+        If `base_name` is not specified, attempt to automatically determine
+        it from the viewset.
+        """
+        model_cls = getattr(viewset, 'model', None)
+        queryset = getattr(viewset, 'queryset', None)
+        if model_cls is None and queryset is not None:
+            model_cls = queryset.model
+
+        assert model_cls, '`name` not argument not specified, and could ' \
+            'not automatically determine the name from the viewset, as ' \
+            'it does not have a `.model` or `.queryset` attribute.'
+
+        return model_cls._meta.object_name.lower()
+
+    def get_routes(self, viewset):
+        """
+        Augment `self.routes` with any dynamically generated routes.
+
+        Returns a list of the Route namedtuple.
+        """
+
+        # Determine any `@action` or `@link` decorated methods on the viewset
+        dynamic_routes = []
+        for methodname in dir(viewset):
+            attr = getattr(viewset, methodname)
+            httpmethod = getattr(attr, 'bind_to_method', None)
+            if httpmethod:
+                dynamic_routes.append((httpmethod, methodname))
+
+        ret = []
+        for route in self.routes:
+            if route.mapping == {'{httpmethod}': '{methodname}'}:
+                # Dynamic routes (@link or @action decorator)
+                for httpmethod, methodname in dynamic_routes:
+                    initkwargs = route.initkwargs.copy()
+                    initkwargs.update(getattr(viewset, methodname).kwargs)
+                    ret.append(Route(
+                        url=replace_methodname(route.url, methodname),
+                        mapping={httpmethod: methodname},
+                        name=replace_methodname(route.name, methodname),
+                        initkwargs=initkwargs,
+                    ))
+            else:
+                # Standard route
+                ret.append(route)
+
+        return ret
+
+    def get_method_map(self, viewset, method_map):
+        """
+        Given a viewset, and a mapping of http methods to actions,
+        return a new mapping which only includes any mappings that
+        are actually implemented by the viewset.
+        """
+        bound_methods = {}
+        for method, action in method_map.items():
+            if hasattr(viewset, action):
+                bound_methods[method] = action
+        return bound_methods
+
+    def get_lookup_regex(self, viewset):
+        """
+        Given a viewset, return the portion of URL regex that is used
+        to match against a single instance.
+        """
+        base_regex = '(?P<{lookup_field}>[^/]+)'
+        lookup_field = getattr(viewset, 'lookup_field', 'pk')
+        return base_regex.format(lookup_field=lookup_field)
+
+    def get_urls(self):
+        """
+        Use the registered viewsets to generate a list of URL patterns.
+        """
+        ret = []
+
+        for prefix, viewset, basename in self.registry:
+            lookup = self.get_lookup_regex(viewset)
+            routes = self.get_routes(viewset)
+
+            for route in routes:
+
+                # Only actions which actually exist on the viewset will be bound
+                mapping = self.get_method_map(viewset, route.mapping)
+                if not mapping:
+                    continue
+
+                # Build the url pattern
+                regex = route.url.format(prefix=prefix, lookup=lookup)
+                view = viewset.as_view(mapping, **route.initkwargs)
+                name = route.name.format(basename=basename)
+                ret.append(url(regex, view, name=name))
+
+        return ret
+
+
+class DefaultRouter(SimpleRouter):
+    """
+    The default router extends the SimpleRouter, but also adds in a default
+    API root view, and adds format suffix patterns to the URLs.
+    """
+    include_root_view = True
+    include_format_suffixes = True
+
+    def get_api_root_view(self):
+        """
+        Return a view to use as the API root.
+        """
+        api_root_dict = {}
+        list_name = self.routes[0].name
+        for prefix, viewset, basename in self.registry:
+            api_root_dict[prefix] = list_name.format(basename=basename)
+
+        class APIRoot(views.APIView):
+            _ignore_model_permissions = True
+
+            def get(self, request, format=None):
+                ret = {}
+                for key, url_name in api_root_dict.items():
+                    ret[key] = reverse(url_name, request=request, format=format)
+                return Response(ret)
+
+        return APIRoot.as_view()
+
+    def get_urls(self):
+        """
+        Generate the list of URL patterns, including a default root view
+        for the API, and appending `.json` style format suffixes.
+        """
+        urls = []
+
+        if self.include_root_view:
+            root_url = url(r'^$', self.get_api_root_view(), name='api-root')
+            urls.append(root_url)
+
+        default_urls = super(DefaultRouter, self).get_urls()
+        urls.extend(default_urls)
+
+        if self.include_format_suffixes:
+            urls = format_suffix_patterns(urls)
+
+        return urls

rest_framework/runtests/settings.py

@@ -97,9 +97,30 @@ INSTALLED_APPS = (
     # 'django.contrib.admindocs',
     'rest_framework',
     'rest_framework.authtoken',
-    'rest_framework.tests'
+    'rest_framework.tests',
 )
 
+# OAuth is optional and won't work if there is no oauth_provider & oauth2
+try:
+    import oauth_provider
+    import oauth2
+except ImportError:
+    pass
+else:
+    INSTALLED_APPS += (
+        'oauth_provider',
+    )
+
+try:
+    import provider
+except ImportError:
+    pass
+else:
+    INSTALLED_APPS += (
+        'provider',
+        'provider.oauth2',
+    )
+
 STATIC_URL = '/static/'
 
 PASSWORD_HASHERS = (

rest_framework/settings.py

@@ -18,14 +18,18 @@ REST framework settings, checking for user settings first, then falling
 back to the defaults.
 """
 from __future__ import unicode_literals
+
 from django.conf import settings
 from django.utils import importlib
+
+from rest_framework import ISO_8601
 from rest_framework.compat import six
 
 
 USER_SETTINGS = getattr(settings, 'REST_FRAMEWORK', None)
 
 DEFAULTS = {
+    # Base API policies
     'DEFAULT_RENDERER_CLASSES': (
         'rest_framework.renderers.JSONRenderer',
         'rest_framework.renderers.BrowsableAPIRenderer',
@@ -47,11 +51,15 @@ DEFAULTS = {
 
     'DEFAULT_CONTENT_NEGOTIATION_CLASS':
         'rest_framework.negotiation.DefaultContentNegotiation',
+
+    # Genric view behavior
     'DEFAULT_MODEL_SERIALIZER_CLASS':
         'rest_framework.serializers.ModelSerializer',
     'DEFAULT_PAGINATION_SERIALIZER_CLASS':
         'rest_framework.pagination.PaginationSerializer',
+    'DEFAULT_FILTER_BACKENDS': (),
 
+    # Throttling
     'DEFAULT_THROTTLE_RATES': {
         'user': None,
         'anon': None,
@@ -61,9 +69,6 @@ DEFAULTS = {
     'PAGINATE_BY': None,
     'PAGINATE_BY_PARAM': None,
 
-    # Filtering
-    'FILTER_BACKEND': None,
-
     # Authentication
     'UNAUTHENTICATED_USER': 'django.contrib.auth.models.AnonymousUser',
     'UNAUTHENTICATED_TOKEN': None,
@@ -76,6 +81,25 @@ DEFAULTS = {
     'URL_FORMAT_OVERRIDE': 'format',
 
     'FORMAT_SUFFIX_KWARG': 'format',
+
+    # Input and output formats
+    'DATE_INPUT_FORMATS': (
+        ISO_8601,
+    ),
+    'DATE_FORMAT': None,
+
+    'DATETIME_INPUT_FORMATS': (
+        ISO_8601,
+    ),
+    'DATETIME_FORMAT': None,
+
+    'TIME_INPUT_FORMATS': (
+        ISO_8601,
+    ),
+    'TIME_FORMAT': None,
+
+    # Pending deprecation
+    'FILTER_BACKEND': None,
 }
 
 
@@ -89,6 +113,7 @@ IMPORT_STRINGS = (
     'DEFAULT_CONTENT_NEGOTIATION_CLASS',
     'DEFAULT_MODEL_SERIALIZER_CLASS',
     'DEFAULT_PAGINATION_SERIALIZER_CLASS',
+    'DEFAULT_FILTER_BACKENDS',
     'FILTER_BACKEND',
     'UNAUTHENTICATED_USER',
     'UNAUTHENTICATED_TOKEN',

rest_framework/templates/rest_framework/base.html

@@ -115,7 +115,7 @@
             </div>
             <div class="response-info">
                 <pre class="prettyprint"><div class="meta nocode"><b>HTTP {{ response.status_code }} {{ response.status_text }}</b>{% autoescape off %}
-{% for key, val in response.items %}<b>{{ key }}:</b> <span class="lit">{{ val|urlize_quoted_links }}</span>
+{% for key, val in response.items %}<b>{{ key }}:</b> <span class="lit">{{ val|break_long_headers|urlize_quoted_links }}</span>
 {% endfor %}
 </div>{{ content|urlize_quoted_links }}</pre>{% endautoescape %}
             </div>

rest_framework/templates/rest_framework/login.html

-{% load url from future %}
-{% load rest_framework %}
-<html>
+{% extends "rest_framework/login_base.html" %}
 
-    <head>
-        <link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/bootstrap.min.css" %}"/>
-        <link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/bootstrap-tweaks.css" %}"/>
-        <link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/default.css" %}"/>
-    </head>
-
-    <body class="container">
-
-<div class="container-fluid" style="margin-top: 30px">
-        <div class="row-fluid">
-         
-        <div class="well" style="width: 320px; margin-left: auto; margin-right: auto">
-            <div class="row-fluid">
-                <div>
-                    <h3 style="margin: 0 0 20px;">Django REST framework</h3>
-                </div>
-            </div><!-- /row fluid -->
-
-            <div class="row-fluid">
-                <div>
-                    <form action="{% url 'rest_framework:login' %}" class=" form-inline" method="post">
-                        {% csrf_token %}
-                        <div id="div_id_username" class="clearfix control-group">
-                            <div class="controls">
-                                <Label class="span4">Username:</label>
-                                <input style="height: 25px" type="text" name="username" maxlength="100" autocapitalize="off" autocorrect="off" class="textinput textInput" id="id_username">
-                            </div>
-                        </div>
-                        <div id="div_id_password" class="clearfix control-group">
-                            <div class="controls">
-                                <Label class="span4">Password:</label>
-                                <input style="height: 25px" type="password" name="password" maxlength="100" autocapitalize="off" autocorrect="off" class="textinput textInput" id="id_password">
-                            </div>
-                        </div>
-                        <input type="hidden" name="next" value="{{ next }}" />
-                        <div class="form-actions-no-box">
-                            <input type="submit" name="submit" value="Log in" class="btn btn-primary" id="submit-id-submit">
-                        </div>
-                    </form>
-                </div>
-            </div><!-- /row fluid -->
-        </div><!--/span-->
-
-        </div><!-- /.row-fluid -->
-    </div>
-
-        </div>
-    </body>
-</html>
+{# Override this template in your own templates directory to customize #}

rest_framework/templates/rest_framework/login_base.html

+{% load url from future %}
+{% load rest_framework %}
+<html>
+
+    <head>
+        {% block style %}
+        {% block bootstrap_theme %}<link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/bootstrap.min.css" %}"/>{% endblock %}
+        <link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/bootstrap-tweaks.css" %}"/>
+        <link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/default.css" %}"/>
+        {% endblock %}
+    </head>
+
+    <body class="container">
+
+        <div class="container-fluid" style="margin-top: 30px">
+            <div class="row-fluid">
+                <div class="well" style="width: 320px; margin-left: auto; margin-right: auto">
+                    <div class="row-fluid">
+                        <div>
+                            {% block branding %}<h3 style="margin: 0 0 20px;">Django REST framework</h3>{% endblock %}
+                        </div>
+                    </div><!-- /row fluid -->
+        
+                    <div class="row-fluid">
+                        <div>
+                            <form action="{% url 'rest_framework:login' %}" class=" form-inline" method="post">
+                                {% csrf_token %}
+                                <div id="div_id_username" class="clearfix control-group">
+                                    <div class="controls">
+                                        <Label class="span4">Username:</label>
+                                        <input style="height: 25px" type="text" name="username" maxlength="100" autocapitalize="off" autocorrect="off" class="textinput textInput" id="id_username">
+                                    </div>
+                                </div>
+                                <div id="div_id_password" class="clearfix control-group">
+                                    <div class="controls">
+                                        <Label class="span4">Password:</label>
+                                        <input style="height: 25px" type="password" name="password" maxlength="100" autocapitalize="off" autocorrect="off" class="textinput textInput" id="id_password">
+                                    </div>
+                                </div>
+                                <input type="hidden" name="next" value="{{ next }}" />
+                                <div class="form-actions-no-box">
+                                    <input type="submit" name="submit" value="Log in" class="btn btn-primary" id="submit-id-submit">
+                                </div>
+                            </form>
+                        </div>
+                    </div><!-- /.row-fluid -->
+                </div><!--/.well-->
+            </div><!-- /.row-fluid -->
+        </div><!-- /.container-fluid -->
+    </body>
+</html>

rest_framework/templatetags/rest_framework.py

@@ -4,11 +4,8 @@ from django.core.urlresolvers import reverse, NoReverseMatch
 from django.http import QueryDict
 from django.utils.html import escape
 from django.utils.safestring import SafeData, mark_safe
-from rest_framework.compat import urlparse
-from rest_framework.compat import force_text
-from rest_framework.compat import six
-import re
-import string
+from rest_framework.compat import urlparse, force_text, six, smart_urlquote
+import re, string
 
 register = template.Library()
 
@@ -112,22 +109,6 @@ def replace_query_param(url, key, val):
 class_re = re.compile(r'(?<=class=["\'])(.*)(?=["\'])')
 
 
-# Bunch of stuff cloned from urlize
-LEADING_PUNCTUATION = ['(', '<', '&lt;', '"', "'"]
-TRAILING_PUNCTUATION = ['.', ',', ')', '>', '\n', '&gt;', '"', "'"]
-DOTS = ['&middot;', '*', '\xe2\x80\xa2', '&#149;', '&bull;', '&#8226;']
-unencoded_ampersands_re = re.compile(r'&(?!(\w+|#\d+);)')
-word_split_re = re.compile(r'(\s+)')
-punctuation_re = re.compile('^(?P<lead>(?:%s)*)(?P<middle>.*?)(?P<trail>(?:%s)*)$' % \
-    ('|'.join([re.escape(x) for x in LEADING_PUNCTUATION]),
-    '|'.join([re.escape(x) for x in TRAILING_PUNCTUATION])))
-simple_email_re = re.compile(r'^\S+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+$')
-link_target_attribute_re = re.compile(r'(<a [^>]*?)target=[^\s>]+')
-html_gunk_re = re.compile(r'(?:<br clear="all">|<i><\/i>|<b><\/b>|<em><\/em>|<strong><\/strong>|<\/?smallcaps>|<\/?uppercase>)', re.IGNORECASE)
-hard_coded_bullets_re = re.compile(r'((?:<p>(?:%s).*?[a-zA-Z].*?</p>\s*)+)' % '|'.join([re.escape(x) for x in DOTS]), re.DOTALL)
-trailing_empty_content_re = re.compile(r'(?:<p>(?:&nbsp;|\s|<br \/>)*?</p>\s*)+\Z')
-
-
 # And the template tags themselves...
 
 @register.simple_tag
@@ -195,15 +176,25 @@ def add_class(value, css_class):
     return value
 
 
+# Bunch of stuff cloned from urlize
+TRAILING_PUNCTUATION = ['.', ',', ':', ';', '.)', '"', "'"]
+WRAPPING_PUNCTUATION = [('(', ')'), ('<', '>'), ('[', ']'), ('&lt;', '&gt;'),
+                        ('"', '"'), ("'", "'")]
+word_split_re = re.compile(r'(\s+)')
+simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE)
+simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)$', re.IGNORECASE)
+simple_email_re = re.compile(r'^\S+@\S+\.\S+$')
+
+
 @register.filter
 def urlize_quoted_links(text, trim_url_limit=None, nofollow=True, autoescape=True):
     """
     Converts any URLs in text into clickable links.
 
-    Works on http://, https://, www. links and links ending in .org, .net or
-    .com. Links can have trailing punctuation (periods, commas, close-parens)
-    and leading punctuation (opening parens) and it'll still do the right
-    thing.
+    Works on http://, https://, www. links, and also on links ending in one of
+    the original seven gTLDs (.com, .edu, .gov, .int, .mil, .net, and .org).
+    Links can have trailing punctuation (periods, commas, close-parens) and
+    leading punctuation (opening parens) and it'll still do the right thing.
 
     If trim_url_limit is not None, the URLs in link text longer than this limit
     will truncated to trim_url_limit-3 characters and appended with an elipsis.
@@ -216,24 +207,41 @@ def urlize_quoted_links(text, trim_url_limit=None, nofollow=True, autoescape=Tru
     trim_url = lambda x, limit=trim_url_limit: limit is not None and (len(x) > limit and ('%s...' % x[:max(0, limit - 3)])) or x
     safe_input = isinstance(text, SafeData)
     words = word_split_re.split(force_text(text))
-    nofollow_attr = nofollow and ' rel="nofollow"' or ''
     for i, word in enumerate(words):
         match = None
         if '.' in word or '@' in word or ':' in word:
-            match = punctuation_re.match(word)
-        if match:
-            lead, middle, trail = match.groups()
+            # Deal with punctuation.
+            lead, middle, trail = '', word, ''
+            for punctuation in TRAILING_PUNCTUATION:
+                if middle.endswith(punctuation):
+                    middle = middle[:-len(punctuation)]
+                    trail = punctuation + trail
+            for opening, closing in WRAPPING_PUNCTUATION:
+                if middle.startswith(opening):
+                    middle = middle[len(opening):]
+                    lead = lead + opening
+                # Keep parentheses at the end only if they're balanced.
+                if (middle.endswith(closing)
+                    and middle.count(closing) == middle.count(opening) + 1):
+                    middle = middle[:-len(closing)]
+                    trail = closing + trail
+
             # Make URL we want to point to.
             url = None
-            if middle.startswith('http://') or middle.startswith('https://'):
-                url = middle
-            elif middle.startswith('www.') or ('@' not in middle and \
-                    middle and middle[0] in string.ascii_letters + string.digits and \
-                    (middle.endswith('.org') or middle.endswith('.net') or middle.endswith('.com'))):
-                url = 'http://%s' % middle
-            elif '@' in middle and not ':' in middle and simple_email_re.match(middle):
-                url = 'mailto:%s' % middle
+            nofollow_attr = ' rel="nofollow"' if nofollow else ''
+            if simple_url_re.match(middle):
+                url = smart_urlquote(middle)
+            elif simple_url_2_re.match(middle):
+                url = smart_urlquote('http://%s' % middle)
+            elif not ':' in middle and simple_email_re.match(middle):
+                local, domain = middle.rsplit('@', 1)
+                try:
+                    domain = domain.encode('idna').decode('ascii')
+                except UnicodeError:
+                    continue
+                url = 'mailto:%s@%s' % (local, domain)
                 nofollow_attr = ''
+
             # Make link.
             if url:
                 trimmed = trim_url(middle)
@@ -251,4 +259,15 @@ def urlize_quoted_links(text, trim_url_limit=None, nofollow=True, autoescape=Tru
             words[i] = mark_safe(word)
         elif autoescape:
             words[i] = escape(word)
-    return mark_safe(''.join(words))
+    return ''.join(words)
+
+
+@register.filter
+def break_long_headers(header):
+    """
+    Breaks headers longer than 160 characters (~page length)
+    when possible (are comma separated)
+    """
+    if len(header) > 160 and ',' in header:
+        header = mark_safe('<br> ' + ', <br>'.join(header.split(',')))
+    return header

rest_framework/tests/description.py

@@ -4,6 +4,7 @@ from __future__ import unicode_literals
 from django.test import TestCase
 from rest_framework.views import APIView
 from rest_framework.compat import apply_markdown
+from rest_framework.utils.formatting import get_view_name, get_view_description
 
 # We check that docstrings get nicely un-indented.
 DESCRIPTION = """an example docstring
@@ -49,22 +50,16 @@ MARKED_DOWN_gte_21 = """<h2 id="an-example-docstring">an example docstring</h2>
 
 
 class TestViewNamesAndDescriptions(TestCase):
-    def test_resource_name_uses_classname_by_default(self):
-        """Ensure Resource names are based on the classname by default."""
+    def test_view_name_uses_class_name(self):
+        """
+        Ensure view names are based on the class name.
+        """
         class MockView(APIView):
             pass
-        self.assertEqual(MockView().get_name(), 'Mock')
+        self.assertEqual(get_view_name(MockView), 'Mock')
 
-    def test_resource_name_can_be_set_explicitly(self):
-        """Ensure Resource names can be set using the 'get_name' method."""
-        example = 'Some Other Name'
-        class MockView(APIView):
-            def get_name(self):
-                return example
-        self.assertEqual(MockView().get_name(), example)
-
-    def test_resource_description_uses_docstring_by_default(self):
-        """Ensure Resource names are based on the docstring by default."""
+    def test_view_description_uses_docstring(self):
+        """Ensure view descriptions are based on the docstring."""
         class MockView(APIView):
             """an example docstring
             ====================
@@ -81,44 +76,32 @@ class TestViewNamesAndDescriptions(TestCase):
 
             # hash style header #"""
 
-        self.assertEqual(MockView().get_description(), DESCRIPTION)
-
-    def test_resource_description_can_be_set_explicitly(self):
-        """Ensure Resource descriptions can be set using the 'get_description' method."""
-        example = 'Some other description'
-
-        class MockView(APIView):
-            """docstring"""
-            def get_description(self):
-                return example
-        self.assertEqual(MockView().get_description(), example)
+        self.assertEqual(get_view_description(MockView), DESCRIPTION)
 
-    def test_resource_description_supports_unicode(self):
+    def test_view_description_supports_unicode(self):
+        """
+        Unicode in docstrings should be respected.
+        """
 
         class MockView(APIView):
             """Проверка"""
             pass
 
-        self.assertEqual(MockView().get_description(), "Проверка")
-
-
-    def test_resource_description_does_not_require_docstring(self):
-        """Ensure that empty docstrings do not affect the Resource's description if it has been set using the 'get_description' method."""
-        example = 'Some other description'
-
-        class MockView(APIView):
-            def get_description(self):
-                return example
-        self.assertEqual(MockView().get_description(), example)
+        self.assertEqual(get_view_description(MockView), "Проверка")
 
-    def test_resource_description_can_be_empty(self):
-        """Ensure that if a resource has no doctring or 'description' class attribute, then it's description is the empty string."""
+    def test_view_description_can_be_empty(self):
+        """
+        Ensure that if a view has no docstring,
+        then it's description is the empty string.
+        """
         class MockView(APIView):
             pass
-        self.assertEqual(MockView().get_description(), '')
+        self.assertEqual(get_view_description(MockView), '')
 
     def test_markdown(self):
-        """Ensure markdown to HTML works as expected"""
+        """
+        Ensure markdown to HTML works as expected.
+        """
         if apply_markdown:
             gte_21_match = apply_markdown(DESCRIPTION) == MARKED_DOWN_gte_21
             lt_21_match = apply_markdown(DESCRIPTION) == MARKED_DOWN_lt_21

rest_framework/tests/filterset.py

-from __future__ import unicode_literals
-import datetime
-from decimal import Decimal
-from django.test import TestCase
-from django.test.client import RequestFactory
-from django.utils import unittest
-from rest_framework import generics, status, filters
-from rest_framework.compat import django_filters
-from rest_framework.tests.models import FilterableItem, BasicModel
-
-factory = RequestFactory()
-
-
-if django_filters:
-    # Basic filter on a list view.
-    class FilterFieldsRootView(generics.ListCreateAPIView):
-        model = FilterableItem
-        filter_fields = ['decimal', 'date']
-        filter_backend = filters.DjangoFilterBackend
-
-    # These class are used to test a filter class.
-    class SeveralFieldsFilter(django_filters.FilterSet):
-        text = django_filters.CharFilter(lookup_type='icontains')
-        decimal = django_filters.NumberFilter(lookup_type='lt')
-        date = django_filters.DateFilter(lookup_type='gt')
-
-        class Meta:
-            model = FilterableItem
-            fields = ['text', 'decimal', 'date']
-
-    class FilterClassRootView(generics.ListCreateAPIView):
-        model = FilterableItem
-        filter_class = SeveralFieldsFilter
-        filter_backend = filters.DjangoFilterBackend
-
-    # These classes are used to test a misconfigured filter class.
-    class MisconfiguredFilter(django_filters.FilterSet):
-        text = django_filters.CharFilter(lookup_type='icontains')
-
-        class Meta:
-            model = BasicModel
-            fields = ['text']
-
-    class IncorrectlyConfiguredRootView(generics.ListCreateAPIView):
-        model = FilterableItem
-        filter_class = MisconfiguredFilter
-        filter_backend = filters.DjangoFilterBackend
-
-
-class IntegrationTestFiltering(TestCase):
-    """
-    Integration tests for filtered list views.
-    """
-
-    def setUp(self):
-        """
-        Create 10 FilterableItem instances.
-        """
-        base_data = ('a', Decimal('0.25'), datetime.date(2012, 10, 8))
-        for i in range(10):
-            text = chr(i + ord(base_data[0])) * 3  # Produces string 'aaa', 'bbb', etc.
-            decimal = base_data[1] + i
-            date = base_data[2] - datetime.timedelta(days=i * 2)
-            FilterableItem(text=text, decimal=decimal, date=date).save()
-
-        self.objects = FilterableItem.objects
-        self.data = [
-        {'id': obj.id, 'text': obj.text, 'decimal': obj.decimal, 'date': obj.date}
-        for obj in self.objects.all()
-        ]
-
-    @unittest.skipUnless(django_filters, 'django-filters not installed')
-    def test_get_filtered_fields_root_view(self):
-        """
-        GET requests to paginated ListCreateAPIView should return paginated results.
-        """
-        view = FilterFieldsRootView.as_view()
-
-        # Basic test with no filter.
-        request = factory.get('/')
-        response = view(request).render()
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        self.assertEqual(response.data, self.data)
-
-        # Tests that the decimal filter works.
-        search_decimal = Decimal('2.25')
-        request = factory.get('/?decimal=%s' % search_decimal)
-        response = view(request).render()
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        expected_data = [f for f in self.data if f['decimal'] == search_decimal]
-        self.assertEqual(response.data, expected_data)
-
-        # Tests that the date filter works.
-        search_date = datetime.date(2012, 9, 22)
-        request = factory.get('/?date=%s' % search_date)  # search_date str: '2012-09-22'
-        response = view(request).render()
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        expected_data = [f for f in self.data if f['date'] == search_date]
-        self.assertEqual(response.data, expected_data)
-
-    @unittest.skipUnless(django_filters, 'django-filters not installed')
-    def test_get_filtered_class_root_view(self):
-        """
-        GET requests to filtered ListCreateAPIView that have a filter_class set
-        should return filtered results.
-        """
-        view = FilterClassRootView.as_view()
-
-        # Basic test with no filter.
-        request = factory.get('/')
-        response = view(request).render()
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        self.assertEqual(response.data, self.data)
-
-        # Tests that the decimal filter set with 'lt' in the filter class works.
-        search_decimal = Decimal('4.25')
-        request = factory.get('/?decimal=%s' % search_decimal)
-        response = view(request).render()
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        expected_data = [f for f in self.data if f['decimal'] < search_decimal]
-        self.assertEqual(response.data, expected_data)
-
-        # Tests that the date filter set with 'gt' in the filter class works.
-        search_date = datetime.date(2012, 10, 2)
-        request = factory.get('/?date=%s' % search_date)  # search_date str: '2012-10-02'
-        response = view(request).render()
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        expected_data = [f for f in self.data if f['date'] > search_date]
-        self.assertEqual(response.data, expected_data)
-
-        # Tests that the text filter set with 'icontains' in the filter class works.
-        search_text = 'ff'
-        request = factory.get('/?text=%s' % search_text)
-        response = view(request).render()
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        expected_data = [f for f in self.data if search_text in f['text'].lower()]
-        self.assertEqual(response.data, expected_data)
-
-        # Tests that multiple filters works.
-        search_decimal = Decimal('5.25')
-        search_date = datetime.date(2012, 10, 2)
-        request = factory.get('/?decimal=%s&date=%s' % (search_decimal, search_date))
-        response = view(request).render()
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        expected_data = [f for f in self.data if f['date'] > search_date and
-                                                  f['decimal'] < search_decimal]
-        self.assertEqual(response.data, expected_data)
-
-    @unittest.skipUnless(django_filters, 'django-filters not installed')
-    def test_incorrectly_configured_filter(self):
-        """
-        An error should be displayed when the filter class is misconfigured.
-        """
-        view = IncorrectlyConfiguredRootView.as_view()
-
-        request = factory.get('/')
-        self.assertRaises(AssertionError, view, request)
-
-    @unittest.skipUnless(django_filters, 'django-filters not installed')
-    def test_unknown_filter(self):
-        """
-        GET requests with filters that aren't configured should return 200.
-        """
-        view = FilterFieldsRootView.as_view()
-
-        search_integer = 10
-        request = factory.get('/?integer=%s' % search_integer)
-        response = view(request).render()
-        self.assertEqual(response.status_code, status.HTTP_200_OK)

rest_framework/tests/hyperlinkedserializers.py

@@ -27,6 +27,14 @@ class PhotoSerializer(serializers.Serializer):
         return Photo(**attrs)
 
 
+class AlbumSerializer(serializers.ModelSerializer):
+    url = serializers.HyperlinkedIdentityField(view_name='album-detail', lookup_field='title')
+
+    class Meta:
+        model = Album
+        fields = ('title', 'url')
+
+
 class BasicList(generics.ListCreateAPIView):
     model = BasicModel
     model_serializer_class = serializers.HyperlinkedModelSerializer
@@ -73,6 +81,8 @@ class PhotoListCreate(generics.ListCreateAPIView):
 
 class AlbumDetail(generics.RetrieveAPIView):
     model = Album
+    serializer_class = AlbumSerializer
+    lookup_field = 'title'
 
 
 class OptionalRelationDetail(generics.RetrieveUpdateDestroyAPIView):
@@ -180,6 +190,36 @@ class TestManyToManyHyperlinkedView(TestCase):
         self.assertEqual(response.data, self.data[0])
 
 
+class TestHyperlinkedIdentityFieldLookup(TestCase):
+    urls = 'rest_framework.tests.hyperlinkedserializers'
+
+    def setUp(self):
+        """
+        Create 3 Album instances.
+        """
+        titles = ['foo', 'bar', 'baz']
+        for title in titles:
+            album = Album(title=title)
+            album.save()
+        self.detail_view = AlbumDetail.as_view()
+        self.data = {
+            'foo': {'title': 'foo', 'url': 'http://testserver/albums/foo/'},
+            'bar': {'title': 'bar', 'url': 'http://testserver/albums/bar/'},
+            'baz': {'title': 'baz', 'url': 'http://testserver/albums/baz/'}
+        }
+
+    def test_lookup_field(self):
+        """
+        GET requests to AlbumDetail view should return serialized Albums
+        with a url field keyed by `title`.
+        """
+        for album in Album.objects.all():
+            request = factory.get('/albums/{0}/'.format(album.title))
+            response = self.detail_view(request, title=album.title)
+            self.assertEqual(response.status_code, status.HTTP_200_OK)
+            self.assertEqual(response.data, self.data[album.title])
+
+
 class TestCreateWithForeignKeys(TestCase):
     urls = 'rest_framework.tests.hyperlinkedserializers'
 

rest_framework/tests/models.py

@@ -58,13 +58,6 @@ class ReadOnlyManyToManyModel(RESTFrameworkModel):
     rel = models.ManyToManyField(Anchor)
 
 
-# Model to test filtering.
-class FilterableItem(RESTFrameworkModel):
-    text = models.CharField(max_length=100)
-    decimal = models.DecimalField(max_digits=4, decimal_places=2)
-    date = models.DateField()
-
-
 # Model for regression test for #285
 
 class Comment(RESTFrameworkModel):

rest_framework/tests/multitable_inheritance.py

+from __future__ import unicode_literals
+from django.db import models
+from django.test import TestCase
+from rest_framework import serializers
+from rest_framework.tests.models import RESTFrameworkModel
+
+
+# Models
+class ParentModel(RESTFrameworkModel):
+    name1 = models.CharField(max_length=100)
+
+
+class ChildModel(ParentModel):
+    name2 = models.CharField(max_length=100)
+
+
+class AssociatedModel(RESTFrameworkModel):
+    ref = models.OneToOneField(ParentModel, primary_key=True)
+    name = models.CharField(max_length=100)
+
+
+# Serializers
+class DerivedModelSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = ChildModel
+
+
+class AssociatedModelSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = AssociatedModel
+
+
+# Tests
+class IneritedModelSerializationTests(TestCase):
+
+    def test_multitable_inherited_model_fields_as_expected(self):
+        """
+        Assert that the parent pointer field is not included in the fields
+        serialized fields
+        """
+        child = ChildModel(name1='parent name', name2='child name')
+        serializer = DerivedModelSerializer(child)
+        self.assertEqual(set(serializer.data.keys()),
+                         set(['name1', 'name2', 'id']))
+
+    def test_onetoone_primary_key_model_fields_as_expected(self):
+        """
+        Assert that a model with a onetoone field that is the primary key is
+        not treated like a derived model
+        """
+        parent = ParentModel(name1='parent name')
+        associate = AssociatedModel(name='hello', ref=parent)
+        serializer = AssociatedModelSerializer(associate)
+        self.assertEqual(set(serializer.data.keys()),
+                         set(['name', 'ref']))
+
+    def test_data_is_valid_without_parent_ptr(self):
+        """
+        Assert that the pointer to the parent table is not a required field
+        for input data
+        """
+        data = {
+            'name1': 'parent name',
+            'name2': 'child name',
+        }
+        serializer = DerivedModelSerializer(data=data)
+        self.assertEqual(serializer.is_valid(), True)

rest_framework/tests/pagination.py

 from __future__ import unicode_literals
 import datetime
 from decimal import Decimal
+from django.db import models
 from django.core.paginator import Paginator
 from django.test import TestCase
 from django.test.client import RequestFactory
 from django.utils import unittest
 from rest_framework import generics, status, pagination, filters, serializers
 from rest_framework.compat import django_filters
-from rest_framework.tests.models import BasicModel, FilterableItem
+from rest_framework.tests.models import BasicModel
 
 factory = RequestFactory()
 
 
+class FilterableItem(models.Model):
+    text = models.CharField(max_length=100)
+    decimal = models.DecimalField(max_digits=4, decimal_places=2)
+    date = models.DateField()
+
+
 class RootView(generics.ListCreateAPIView):
     """
     Example description for OPTIONS.
@@ -20,21 +27,6 @@ class RootView(generics.ListCreateAPIView):
     paginate_by = 10
 
 
-if django_filters:
-    class DecimalFilter(django_filters.FilterSet):
-        decimal = django_filters.NumberFilter(lookup_type='lt')
-
-        class Meta:
-            model = FilterableItem
-            fields = ['text', 'decimal', 'date']
-
-    class FilterFieldsRootView(generics.ListCreateAPIView):
-        model = FilterableItem
-        paginate_by = 10
-        filter_class = DecimalFilter
-        filter_backend = filters.DjangoFilterBackend
-
-
 class DefaultPageSizeKwargView(generics.ListAPIView):
     """
     View for testing default paginate_by_param usage
@@ -73,6 +65,8 @@ class IntegrationTestPagination(TestCase):
         GET requests to paginated ListCreateAPIView should return paginated results.
         """
         request = factory.get('/')
+        # Note: Database queries are a `SELECT COUNT`, and `SELECT <fields>`
+        with self.assertNumQueries(2):
             response = self.view(request).render()
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(response.data['count'], 26)
@@ -81,6 +75,7 @@ class IntegrationTestPagination(TestCase):
         self.assertEqual(response.data['previous'], None)
 
         request = factory.get(response.data['next'])
+        with self.assertNumQueries(2):
             response = self.view(request).render()
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(response.data['count'], 26)
@@ -89,6 +84,7 @@ class IntegrationTestPagination(TestCase):
         self.assertNotEqual(response.data['previous'], None)
 
         request = factory.get(response.data['next'])
+        with self.assertNumQueries(2):
             response = self.view(request).render()
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(response.data['count'], 26)
@@ -115,17 +111,34 @@ class IntegrationTestPaginationAndFiltering(TestCase):
             {'id': obj.id, 'text': obj.text, 'decimal': obj.decimal, 'date': obj.date}
             for obj in self.objects.all()
         ]
-        self.view = FilterFieldsRootView.as_view()
 
     @unittest.skipUnless(django_filters, 'django-filters not installed')
-    def test_get_paginated_filtered_root_view(self):
+    def test_get_django_filter_paginated_filtered_root_view(self):
         """
         GET requests to paginated filtered ListCreateAPIView should return
         paginated results. The next and previous links should preserve the
         filtered parameters.
         """
+        class DecimalFilter(django_filters.FilterSet):
+            decimal = django_filters.NumberFilter(lookup_type='lt')
+
+            class Meta:
+                model = FilterableItem
+                fields = ['text', 'decimal', 'date']
+
+        class FilterFieldsRootView(generics.ListCreateAPIView):
+            model = FilterableItem
+            paginate_by = 10
+            filter_class = DecimalFilter
+            filter_backends = (filters.DjangoFilterBackend,)
+
+        view = FilterFieldsRootView.as_view()
+
+        EXPECTED_NUM_QUERIES = 2
+
         request = factory.get('/?decimal=15.20')
-        response = self.view(request).render()
+        with self.assertNumQueries(EXPECTED_NUM_QUERIES):
+            response = view(request).render()
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(response.data['count'], 15)
         self.assertEqual(response.data['results'], self.data[:10])
@@ -133,7 +146,8 @@ class IntegrationTestPaginationAndFiltering(TestCase):
         self.assertEqual(response.data['previous'], None)
 
         request = factory.get(response.data['next'])
-        response = self.view(request).render()
+        with self.assertNumQueries(EXPECTED_NUM_QUERIES):
+            response = view(request).render()
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(response.data['count'], 15)
         self.assertEqual(response.data['results'], self.data[10:15])
@@ -141,7 +155,53 @@ class IntegrationTestPaginationAndFiltering(TestCase):
         self.assertNotEqual(response.data['previous'], None)
 
         request = factory.get(response.data['previous'])
-        response = self.view(request).render()
+        with self.assertNumQueries(EXPECTED_NUM_QUERIES):
+            response = view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data['count'], 15)
+        self.assertEqual(response.data['results'], self.data[:10])
+        self.assertNotEqual(response.data['next'], None)
+        self.assertEqual(response.data['previous'], None)
+
+    def test_get_basic_paginated_filtered_root_view(self):
+        """
+        Same as `test_get_django_filter_paginated_filtered_root_view`,
+        except using a custom filter backend instead of the django-filter
+        backend,
+        """
+
+        class DecimalFilterBackend(filters.BaseFilterBackend):
+            def filter_queryset(self, request, queryset, view):
+                return queryset.filter(decimal__lt=Decimal(request.GET['decimal']))
+
+        class BasicFilterFieldsRootView(generics.ListCreateAPIView):
+            model = FilterableItem
+            paginate_by = 10
+            filter_backends = (DecimalFilterBackend,)
+
+        view = BasicFilterFieldsRootView.as_view()
+
+        request = factory.get('/?decimal=15.20')
+        with self.assertNumQueries(2):
+            response = view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data['count'], 15)
+        self.assertEqual(response.data['results'], self.data[:10])
+        self.assertNotEqual(response.data['next'], None)
+        self.assertEqual(response.data['previous'], None)
+
+        request = factory.get(response.data['next'])
+        with self.assertNumQueries(2):
+            response = view(request).render()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data['count'], 15)
+        self.assertEqual(response.data['results'], self.data[10:15])
+        self.assertEqual(response.data['next'], None)
+        self.assertNotEqual(response.data['previous'], None)
+
+        request = factory.get(response.data['previous'])
+        with self.assertNumQueries(2):
+            response = view(request).render()
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(response.data['count'], 15)
         self.assertEqual(response.data['results'], self.data[:10])