Contributors

wsvincent

restapiswithdjango's Issues

Ch9 drf_yasg incompatibility with Django 3.12.0

This isn't an error in the book (which pins examples to specific Django/DRF versions), but I thought I'd report it here in case it's helpful to anybody else. While following along with the examples, I simply installed the latest versions of Django (3.1.2) and DRF (3.12.0). When I got to the drf_yasg examples in Chapter 9, this resulted in the following error:

ImportError: Could not import 'drf_yasg.generators.OpenAPISchemaGenerator' for API setting 'DEFAULT_GENERATOR_CLASS'. ImportError: cannot import name 'URLPattern' from 'rest_framework.compat' (/home/evadeflow/.virtualenvs/django-for-apis-5-7UNjQH/lib/python3.9/site-packages/rest_framework/compat.py).

A Google search led me to axnsan12/drf-yasg#641, and the following workaround:

diff --git a/ch9-schemas-and-documentation/config/settings.py b/ch9-schemas-and-documentation/config/settings.py
index 2afe6ec..3f0a482 100644
--- a/ch9-schemas-and-documentation/config/settings.py
+++ b/ch9-schemas-and-documentation/config/settings.py
@@ -47,7 +47,7 @@ INSTALLED_APPS = [
     'allauth.socialaccount',
     'dj_rest_auth',
     'dj_rest_auth.registration',
-    'drf_yasg', # new
+    'drf_yasg2', # new
 
     # Local
     'posts',
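Review bot: In INSTALLED_APPS, replacing 'drf_yasg' with 'drf_yasg2' changes which third-party package the project loads, yet no requirements or lock file is touched by this patch, so the installed package and the settings can drift apart. Add the fork to the project's dependency file in the same change, pinned to the version that was tested, and replace the leftover `# new` comment with the reason for the swap (the 'URLPattern' import error under DRF 3.12.0).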
diff --git a/ch9-schemas-and-documentation/config/urls.py b/ch9-schemas-and-documentation/config/urls.py
index 17c4a93..1576f7e 100644
--- a/ch9-schemas-and-documentation/config/urls.py
+++ b/ch9-schemas-and-documentation/config/urls.py
@@ -1,8 +1,8 @@
 from django.contrib import admin
 from django.urls import include, path
 from rest_framework import permissions # new
-from drf_yasg.views import get_schema_view # new
-from drf_yasg import openapi # new
+from drf_yasg2.views import get_schema_view # new
+from drf_yasg2 import openapi # new
 
 schema_view = get_schema_view( # new
    openapi.Info(
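Review bot: The two rewritten imports in config/urls.py only match if 'drf_yasg2' is also the name registered in INSTALLED_APPS, so this hunk and the settings.py hunk must be applied together; say so in the change description. Because `permissions` is imported on the line above and the `get_schema_view(` call is cut off after `openapi.Info(`, also confirm which permission_classes the schema view receives under the fork, so the Swagger and ReDoc endpoints are exposed no more widely than intended.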

With that change in place, I ran:

$ pip uninstall drf_yasg
$ pip install drf_yasg2

and I was able to access both the Swagger and ReDoc endpoints.

NOTE: I do not have any insight into the current status of drf_yasg, or whether drf_yasg2 is now the recommended replacement—officially or otherwise. I just wanted to see the example work, and using the drf_yasg2 fork allowed me to do that. YMMV, etc...

Chapter 9 git commit comment change

The original command in the book is git commit -m "add schema and documentation".
It should be changed to git commit -m "altered to viewsets and routers", because the chapter is about ViewSets and Routers.

Ch5 'posts' API returns User.id instead of User.username

The API endpoint /api/v1/<int:pk> returns the serialized Post object with author equal to the User.id, i.e.,

{
    "id": 1,
    "author": 1,
    "title": "Test Post 1",
    "body": "This is the first post!",
    "created_at": "2020-09-22T22:30:03.173687Z"
}

It would be more useful to return User.username for author. This would simplify rendering the data on the frontend. For example:

{
    "id": 1,
    "author": "terrytesterson",
    "title": "Test Post 1",
    "body": "This is the first post!",
    "created_at": "2020-09-22T22:30:03.173687Z"
}

Chapter 6 permissions issue

Hi William, I'm loving the book and got through chapter 6. After I've gone through the permissions - IsAuthorOrReadOnly, my testuser retains access to the posts and is able to delete. I've gone over the chapter again to review it and just can't figure it out. Is there something glaringly obvious that I've messed up?

Ch7 permissions issue: logged-in user can post as any user

After logging in as, say, testuser1, I'm able to add a new post as the admin user. (I thought perhaps I mistyped something that introduced this behavior, but... it's the same when I run the code directly from this repo.)

It's probably not reasonable (outside of the admin interface) to allow one user to impersonate another. How would I go about closing this loophole?

ch9-schemas-and-documentation

It looks like two authorization paths were accidentally removed from blog_project/urls.py, because two endpoints were not available:
api/v1/rest-auth/
api/v1/rest-auth/registration/

These paths were absent:
path('api/v1/rest-auth/', include('rest_auth.urls')),
path('api/v1/rest-auth/registration/', include('rest_auth.registration.urls')),

After viewsets and routers are implemented, Post List functionality is available when logged out

After completing the book, I was exploring various states of the API while logged in and logged out. I found that in my completed version of the Blog API project, the Post List API view (localhost:8000/api/v1) is accessible when logged out. The endpoint is 200 OK and you can create a new post for any existing user.

I found this strange, since that functionality is explicitly removed in Chapter 6:

We no longer see our Post List page. Instead we are greeted with an unfriendly HTTP 403 Forbidden status code since we are not logged in. And there are no forms in the browsable API to edit the data since we don’t have permission. (citation: page 106 in my PDF)

I get 403 after completing Chapter 7. It's also what I get in the sections of Chapter 8 that come before implementing viewsets and routers (starting on page 151 in my PDF). But by the end of Chapter 8, the response at /api/v1 is 200.

To test whether this is something I had accidentally done, I downloaded a clean copy of the repo. I checked each chapter individually in its own virtual environment. I found the same behaviors as described above. I also took a git branch of a clean copy of the Chapter 7 source and worked through Chapter 8 up to page 151. Endpoint api/v1 is still 403 at that point.

As this seems like something one wouldn't want available on a blog site, I thought I'd point it out. 😄

I've reviewed the code that you add in Chapter 8 after page 151, and I'm afraid I don't understand the relationships among the permissions and the viewset/router implementations well enough to offer a suggestion for a fix. But I'd love to better understand what's going on here.
