Merge branch 'master' into dj5

Author: auvipy

docs/api-guide/validators.md

@@ -173,11 +173,9 @@ If you want the date field to be entirely hidden from the user, then use `Hidden
 # Advanced field defaults
 
 Validators that are applied across multiple fields in the serializer can sometimes require a field input that should not be provided by the API client, but that *is* available as input to the validator.
+For this purposes use `HiddenField`. This field will be present in `validated_data` but *will not* be used in the serializer output representation.
 
-Two patterns that you may want to use for this sort of validation include:
-
-* Using `HiddenField`. This field will be present in `validated_data` but *will not* be used in the serializer output representation.
-* Using a standard field with `read_only=True`, but that also includes a `default=…` argument. This field *will* be used in the serializer output representation, but cannot be set directly by the user.
+**Note:** Using a `read_only=True` field is excluded from writable fields so it won't use a `default=…` argument. Look [3.8 announcement](https://www.django-rest-framework.org/community/3.8-announcement/#altered-the-behaviour-of-read_only-plus-default-on-field).
 
 REST framework includes a couple of defaults that may be useful in this context.
 
@@ -189,7 +187,7 @@ A default class that can be used to represent the current user. In order to use
         default=serializers.CurrentUserDefault()
     )
 
-#### CreateOnlyDefault
+#### CreateOnlyDefault
 
 A default class that can be used to *only set a default argument during create operations*. During updates the field is omitted.
 

docs/api-guide/viewsets.md

@@ -311,7 +311,7 @@ You may need to provide custom `ViewSet` classes that do not have the full set o
 
 To create a base viewset class that provides `create`, `list` and `retrieve` operations, inherit from `GenericViewSet`, and mixin the required actions:
 
-    from rest_framework import mixins
+    from rest_framework import mixins, viewsets
 
     class CreateListRetrieveViewSet(mixins.CreateModelMixin,
                                     mixins.ListModelMixin,

docs/community/3.14-announcement.md

@@ -28,10 +28,10 @@ Our requirements are now:
 * Python 3.6+
 * Django 4.1, 4.0, 3.2, 3.1, 3.0
 
-## `raise_exceptions` argument for `is_valid` is now keyword-only.
+## `raise_exception` argument for `is_valid` is now keyword-only.
 
 Calling `serializer_instance.is_valid(True)` is no longer acceptable syntax.
-If you'd like to use the `raise_exceptions` argument, you must use it as a
+If you'd like to use the `raise_exception` argument, you must use it as a
 keyword argument.
 
 See Pull Request [#7952](https://github.com/encode/django-rest-framework/pull/7952) for more details.

docs/community/third-party-packages.md

@@ -154,8 +154,8 @@ To submit new content, [open an issue][drf-create-issue] or [create a pull reque
 
 ### Customization
 
-* [rest-framework-redesign][rest-framework-redesign] - A package for customizing the API using Bootstrap 5.
-* [rest-framework-material][rest-framework-material] - Material design for Django REST Framework API.
+* [drf-redesign][drf-redesign] - A project that gives a fresh look to the browse-able API using Bootstrap 5.
+* [drf-material][drf-material] - A project that gives a sleek and elegant look to the browsable API using Material Design.
 
 [cite]: http://www.software-ecosystems.com/Software_Ecosystems/Ecosystems.html
 [cookiecutter]: https://github.com/jpadilla/cookiecutter-django-rest-framework
@@ -248,5 +248,5 @@ To submit new content, [open an issue][drf-create-issue] or [create a pull reque
 [django-requestlogs]: https://github.com/Raekkeri/django-requestlogs
 [drf-standardized-errors]: https://github.com/ghazi-git/drf-standardized-errors
 [drf-api-action]: https://github.com/Ori-Roza/drf-api-action
-[rest-framework-redesign]: https://github.com/youzarsiph/rest-framework-redesign
-[rest-framework-material]: https://github.com/youzarsiph/rest-framework-material
+[drf-redesign]: https://github.com/youzarsiph/drf-redesign
+[drf-material]: https://github.com/youzarsiph/drf-material

rest_framework/templates/rest_framework/admin.html

@@ -42,7 +42,7 @@
                 <ul class="nav navbar-nav pull-right">
                   {% block userlinks %}
                     {% if user.is_authenticated %}
-                      {% optional_logout request user %}
+                      {% optional_logout request user csrf_token %}
                     {% else %}
                       {% optional_login request %}
                     {% endif %}

rest_framework/templates/rest_framework/base.html

@@ -46,7 +46,7 @@
             <ul class="nav navbar-nav pull-right">
               {% block userlinks %}
                 {% if user.is_authenticated %}
-                  {% optional_logout request user %}
+                  {% optional_logout request user csrf_token %}
                 {% else %}
                   {% optional_login request %}
                 {% endif %}

rest_framework/templatetags/rest_framework.py

@@ -119,7 +119,7 @@ def optional_docs_login(request):
 
 
 @register.simple_tag
-def optional_logout(request, user):
+def optional_logout(request, user, csrf_token):
     """
     Include a logout snippet if REST framework's logout view is in the URLconf.
     """
@@ -135,11 +135,16 @@ def optional_logout(request, user):
             <b class="caret"></b>
         </a>
         <ul class="dropdown-menu">
-            <li><a href='{href}?next={next}'>Log out</a></li>
+            <form id="logoutForm" method="post" action="{href}?next={next}">
+                <input type="hidden" name="csrfmiddlewaretoken" value="{csrf_token}">
+            </form>
+            <li>
+                <a href="#" onclick='document.getElementById("logoutForm").submit()'>Log out</a>
+            </li>
         </ul>
     </li>"""
-    snippet = format_html(snippet, user=escape(user), href=logout_url, next=escape(request.path))
-
+    snippet = format_html(snippet, user=escape(user), href=logout_url,
+                          next=escape(request.path), csrf_token=csrf_token)
     return mark_safe(snippet)
 
 

rest_framework/validators.py

@@ -160,10 +160,19 @@ def __call__(self, attrs, serializer):
         queryset = self.exclude_current_instance(attrs, queryset, serializer.instance)
 
         # Ignore validation if any field is None
-        checked_values = [
-            value for field, value in attrs.items() if field in self.fields
-        ]
-        if None not in checked_values and qs_exists(queryset):
+        if serializer.instance is None:
+            checked_values = [
+                value for field, value in attrs.items() if field in self.fields
+            ]
+        else:
+            # Ignore validation if all field values are unchanged
+            checked_values = [
+                value
+                for field, value in attrs.items()
+                if field in self.fields and value != getattr(serializer.instance, field)
+            ]
+
+        if checked_values and None not in checked_values and qs_exists(queryset):
             field_names = ', '.join(self.fields)
             message = self.message.format(field_names=field_names)
             raise ValidationError(message, code='unique')

tests/browsable_api/test_browsable_api.py

@@ -65,6 +65,12 @@ def test_login_shown_when_logged_out(self):
         content = response.content.decode()
         assert '>Log in<' in content
 
+    def test_dropdown_contains_logout_form(self):
+        self.client.login(username=self.username, password=self.password)
+        response = self.client.get('/')
+        content = response.content.decode()
+        assert '<form id="logoutForm" method="post" action="/auth/logout/?next=/">' in content
+
 
 @override_settings(ROOT_URLCONF='tests.browsable_api.no_auth_urls')
 class NoDropdownWithoutAuthTests(TestCase):

tests/test_validators.py

@@ -1,6 +1,6 @@
 import datetime
 import re
-from unittest.mock import MagicMock
+from unittest.mock import MagicMock, patch
 
 import pytest
 from django import VERSION as django_version
@@ -453,6 +453,22 @@ def test_do_not_ignore_validation_for_null_fields(self):
         serializer = NullUniquenessTogetherSerializer(data=data)
         assert not serializer.is_valid()
 
+    def test_ignore_validation_for_unchanged_fields(self):
+        """
+        If all fields in the unique together constraint are unchanged,
+        then the instance should skip uniqueness validation.
+        """
+        instance = UniquenessTogetherModel.objects.create(
+            race_name="Paris Marathon", position=1
+        )
+        data = {"race_name": "Paris Marathon", "position": 1}
+        serializer = UniquenessTogetherSerializer(data=data, instance=instance)
+        with patch(
+            "rest_framework.validators.qs_exists"
+        ) as mock:
+            assert serializer.is_valid()
+            assert not mock.called
+
     def test_filter_queryset_do_not_skip_existing_attribute(self):
         """
         filter_queryset should add value from existing instance attribute