I've a model, and one of it's field refers to an overrided User instance (changed in Django settings).
When I'm performing a POST from my client, the route ends up here at the create method:
class CatView(ModelViewSet):
authentication_classes = (authentication.TokenAuthentication,)
permission_classes = (permissions.IsAuthenticated,)
serializer_class = CatListSerializer
def get_queryset(self):
return Cat.objects.filter(owner=self.request.user).order_by('id')
'''
def list(self, request, format=None):
serializer = CatGetSerializer(Cat.objects.filter(owner=request.user), context={'request': request}, many=True)
return Response(serializer.data)
'''
def perform_create(self, serializer):
serializer.save(owner=self.request.user)
def create(self, request, *args, **kwargs):
serializer = CatPutSerializer(data=request.data)
if serializer.is_valid():
serializer.create(serializer.data)
return Response(serializer.data, status=HTTP_201_CREATED)
return Response(serializer.errors, status=HTTP_400_BAD_REQUEST)
When using a PUT to do a partial update on my model, it works fine. But creating one just doesn't work. I manually inject the user instance into the serializer and asks it to create the object. Then... nothing. No exception raises, it returns the proper data, but the object is not in my database, not being saved.
What's the issue here?
EDIT:
When I'm adding the owner field to the CatPutSerializer, it opens security issues since I don't know how to prevent this to be changed as I don't want the client to send me which user to assign. And when I'm duplicating the serializer to be used on POST only requests, it says it misses the owner field...
Here's the CatPutSerializer:
class CatPutSerializer(serializers.ModelSerializer):
class Meta:
model = Cat
fields = ('name', 'weight', 'sterilized', 'image', 'tag', 'dob', 'race', 'gender')
UPDATE:
As suggested, I'm now doing as follows :
def create(self, request, *args, **kwargs):
pdb.set_trace()
serializer = CatPutSerializer(data=request.data)
if serializer.is_valid():
serializer.save(owner=self.request.user)
return Response(serializer.data, status=HTTP_201_CREATED)
return Response(serializer.errors, status=HTTP_400_BAD_REQUEST)
Though removed the perform_create overriding.
SOLUTION:
After further investigation, it doesn't seem related to drf but to Django / PostgreSQL itself, so I checked to Django model save method, and it seems that my custom image processing prevented from new objects to be created... Changed it and now works.
You seem to be overriding both create and perform_create. If you look at the code for CreateModelMixin which the ModelViewSet inherits from you will notice that create calls perform_create, which calls serializer.save(). You don't call perform_create in your create method; you seem to be calling serializer.create(...). If you are overriding create, simply do this:
def create(self, request, *args, **kwargs):
serializer = CatPutSerializer(data=request.data)
if serializer.is_valid():
serializer.save(owner=self.request.user)
return Response(serializer.data, status=HTTP_201_CREATED)
return Response(serializer.errors, status=HTTP_400_BAD_REQUEST)
Related
I am using DRF & token authentication system to deal with the API. Whenever I send the data from the client it sends two of three required fields: title and name. But created_by is given by request.user in the backend.
So I need the following, that of course does not work as expected:
class DefaultViewSet(viewsets.ModelViewSet):
"""
API endpoint
"""
queryset = Default.objects.all().order_by('-updated_at')
serializer_class = DefaultSerializer
permission_classes = [permissions.IsAuthenticated]
filterset_fields = ['created_by', 'title', 'name']
def create(self, request, *args, **kwargs):
request.data['created_by'] = request.user.id
super().create(request, *args, **kwargs)
Since I can't change request.data object I should completely override create method. Therefore there is no easy way to do the previous stuff, right? or there is?
You should override perform_create method which calls the save method of the serializer and send additional keyword arguments as the docs says:
def perform_create(self, serializer):
request = serializer.context['request']
serializer.save(created_by=request.user.id)
The original method does:
def perform_create(self, serializer):
serializer.save()
I just managed to handle it in the create() function by using this example in the documentation:
def create(self, request, *args, **kwargs):
serializer = DefaultSerializer(data=request.data, context={'request': request})
if not serializer.is_valid():
return Response(serializer.errors, status=400)
serializer.save(created_by=request.user)
return Response({
'data': serializer.data
})
I think add it to your serializer class is better
created_by = serializers.HiddenField(default=serializers.CurrentUserDefault())
I am a beginner to django rest-framework and trying to create new record using POST method in ListAPIView.
Here's my serializer:
from scheme.models import ProjectScheme, ProjectSchemeMaster
from rest_framework import serializers
class SchemeDetailSerializer(serializers.ModelSerializer):
class Meta:
model = ProjectScheme
fields = ('id', 'name', 'parent_scheme_id', 'rule', 'created_on', 'created_by', 'updated_on','updated_by')
depth=1
And view:
class ProjectSchemeList(ListAPIView):
"""
List all Schemes
"""
serializer_class = SchemeDetailSerializer
# pagination_class = ProjectLimitOffsetPagination
def get_queryset(self, *args, **kwargs):
comp_logger.info('invoked scheme list all')
schemes = ProjectScheme.objects.all().order_by('-id')
return schemes
def post(self, request, *args, **kwargs):
if serializer_class.is_valid():
serializer_class.save()
return Response(serializer_class.data, status=status.HTTP_201_CREATED)
return Response(serializer_class.errors, status=status.HTTP_400_BAD_REQUEST)
I get this error:
NameError at /scheme/schemes/
name 'serializer_class' is not defined
How do I pass request data to serializer_class?
Created functioanlity is included by default in CreateAPIView generic view, or if you want to provide list and create functionality, you can use ListCreateAPIView which provides both. More details on DRF's generic views here.
class ProjectSchemeList(ListCreateAPIView):
serializer_class = SchemeDetailSerializer
def get_queryset(self, *args, **kwargs):
comp_logger.info('invoked scheme list all')
schemes = ProjectScheme.objects.all().order_by('-id')
return schemes
With this definition, you won't need to manually write a post method.
If you want to manually define a post methdod, you can investiage how it is written in generic CreateAPIView and copy it, it's slighly different from how you want to write it. Finally, following is your version of the post method with errors fixed:
class ProjectSchemeList(ListAPIView):
serializer_class = SchemeDetailSerializer
def get_queryset(self, *args, **kwargs):
comp_logger.info('invoked scheme list all')
schemes = ProjectScheme.objects.all().order_by('-id')
return schemes
def post(self, request, *args, **kwargs):
serializer = self.serializer_class(data=request.data)
if serializer.is_valid():
serializer.save()
return Response(serializer.data, status=status.HTTP_201_CREATED)
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
Notice how we use self.serializer_class(data=request.data) instead of just serializer_class
I have a view with a custom action which should have a custom permission "IsRightUser". However, the has_object_permission of it is never called, even though I try to access the object with self.get_object() in my view.
class MyView(mixins.ListModelMixin, viewsets.GenericViewSet):
serializer_class = MySerializer
lookup_field = 'uuid'
queryset = MyObject.objects.all()
#action(methods=['get'], detail=True)
#permission_classes([IsRightUser])
def groups(self, request, uuid=None):
# prints [<class 'rest_framework.permissions.IsAuthenticated'>]
print(self.permission_classes)
my_object = self.get_object()
groups = Group.objects.filter(my_object=my_object)
serializer = MySerializer(groups, many=True)
return Response(serializer.data)
Here you can see my custom permission which is never called.
class IsRightUser(BasePermission):
def has_object_permission(self, request, view, obj):
# never called
return True
When I use permission_classes = [IsRightUser] in my view (i.e. directly underneath the lookup_field) it works (unfortunately this is not feasible for me).
Any help is very much appreciated.
You should pass permission classes as action argument directly:
#action(methods=['get'], detail=True, permission_classes=[IsRightUser])
def groups(self, request, uuid=None):
# prints [<class 'rest_framework.permissions.IsAuthenticated'>]
print(self.permission_classes)
my_object = self.get_object()
groups = Group.objects.filter(my_object=my_object)
serializer = MySerializer(groups, many=True)
return Response(serializer.data)
The first decorator perfectly works as soon as you define a default DEFAULT_AUTHENTICATION_CLASSES into settings.py under REST_FRAMEWORK for instance.
I know this has been discussed and it's basic but I can't find what is wrong with it. I've pulled up my old projects (which works!) and corresponded to what I did. It never reaches to update in serializer, and I'm at lost why.
I dont know what else I'm missing.
Error:
{"last_name":["This field may not be null."],"pass…
null."],"email":["This field may not be null."]}, status: 400
frontend patch('api/getprofile')
django/DRF serializer:
class UserSerializer(serializers.ModelSerializer):
first_name = serializers.CharField()
last_name = serializers.CharField()
email = serializers.EmailField()
password = serializers.CharField(style={'input_type': 'password'})
class Meta:
model = User
fields = '__all__'
def create(self, validated_data):
user = User.objects.create(
username=validated_data.get('username'),
email=validated_data.get('email'),
password=validated_data.get('password')
)
user.set_password(validated_data.get('password'))
user.save()
return user
def update(self, instance, validated_data):
#print instance <-- if never gets here... is update not update
for key, value in validated_data.items():
if value:
print value
setattr(instance, key, value)
instance.save()
return instance
views.py
class UserRetrieveUpdateAPIView(generics.RetrieveUpdateAPIView):
serializer_class = UserSerializer
permission_classes = (IsAuthenticated, )
queryset = User.objects.all()
def get_object(self):
return self.request.user
def update(self, request, *args, **kwargs):
serializer = UserSerializer(data=request.data, partial=True)
serializer.is_valid(raise_exception=True)
self.perform_update(serializer)
instance = serializer.instance
return Response(UserSerializer(instance=instance).data, status=status.HTTP_200_OK)
The only implementation that you may need to provide for your APIView is the get_object method.
From the source for mixins.UpdateMixins, update (for HTTP PUT requests) and partial_update are implemented as you have it.
The override for the mixins.UpdateMixins.update you provide allows partial updates on HTTP PUT requests and misses passing the model instance to the serializer for the update. i.e.
serializer = UserSerializer(self.get_object(), data=request.data, partial=True)
I however suggest to not perform the override for mixins.UpdateMixins.update in the current manner.
Use the standard handling of the HTTP requests implemented in mixins.UpdateMixins and only provide your implementation for .get_object().
You do this already with UserRetrieveUpdateAPIView.get_object().
I have a serializer for user profiles in Django Rest:
class UserProfileSerializer(serializers.ModelSerializer):
......................
......................
status = serializers.SerializerMethodField()
def get_status(self, obj):
user = self.context['request'].user
if obj.user.userprofile in user.followed_userprofiles_set.all():
return "following"
else:
return "notfollowing"
class Meta:
model = UserProfile
fields = (...., 'status',...)
And I have two views that use this serializer:
class Followers(APIView):
def get(self, request, format=None):
#user who follow current user
users = request.user.userprofile.followers.all()
userprofiles= UserProfile.objects.filter(user__in=users)
serializer = UserProfileSerializer(userprofiles, many=True)
return Response(serializer.data)
and
class Friends(mixins.ListModelMixin, generics.GenericAPIView):
queryset = UserProfile.objects.all()
serializer_class = UserProfileSerializer
permission_classes = (permissions.IsAuthenticated,)
def get(self, request, *args, **kwargs):
return self.list(request, *args, **kwargs)
def get_queryset(self):
.................
.................
return queryset
One view is using APIView and other is using genericAPIView. When i request from genericAPIView, its working properly. But when i request from APIView, its giving me key error. How to retrieve the current user inside serializer method when APIView is used?
Since you are manually instantiating the UserProfileSerializer in your APIView class without passing the context, KeyError exception gets raised.
You should pass the request in context parameter when instantiating the UserProfileSerializer in your APIView.
class Followers(APIView):
def get(self, request, format=None):
#user who follow current user
users = request.user.userprofile.followers.all()
userprofiles= UserProfile.objects.filter(user__in=users)
context = {'request':request} # prepare serializer context
serializer = UserProfileSerializer(userprofiles, many=True, context=context) # pass context
return Response(serializer.data)