Merge master

16 files changed, 203 insertions, 10 deletions

diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md
index f30b16ed..7caeac1e 100755
--- a/docs/api-guide/authentication.md
+++ b/docs/api-guide/authentication.md
@@ -404,4 +404,4 @@ The [Django OAuth2 Consumer][doac] library from [Rediker Software][rediker] is a
 [oauthlib]: https://github.com/idan/oauthlib
 [doac]: https://github.com/Rediker-Software/doac
 [rediker]: https://github.com/Rediker-Software
-[doac-rest-framework]: https://github.com/Rediker-Software/doac/blob/master/docs/markdown/integrations.md#
+[doac-rest-framework]: https://github.com/Rediker-Software/doac/blob/master/docs/integrations.md#
diff --git a/docs/api-guide/exceptions.md b/docs/api-guide/exceptions.md
index 8b3e50f1..0c48783a 100644
--- a/docs/api-guide/exceptions.md
+++ b/docs/api-guide/exceptions.md
@@ -28,11 +28,54 @@ For example, the following request:
 Might receive an error response indicating that the `DELETE` method is not allowed on that resource:
 
     HTTP/1.1 405 Method Not Allowed
-    Content-Type: application/json; charset=utf-8
+    Content-Type: application/json
     Content-Length: 42
-    
+
     {"detail": "Method 'DELETE' not allowed."}
 
+## Custom exception handling
+
+You can implement custom exception handling by creating a handler function that converts exceptions raised in your API views into response objects.  This allows you to control the style of error responses used by your API.
+
+The function must take a single argument, which is the exception to be handled, and should either return a `Response` object, or return `None` if the exception cannot be handled.  If the handler returns `None` then the exception will be re-raised and Django will return a standard HTTP 500 'server error' response.
+
+For example, you might want to ensure that all error responses include the HTTP status code in the body of the response, like so:
+
+    HTTP/1.1 405 Method Not Allowed
+    Content-Type: application/json
+    Content-Length: 62
+
+    {"status_code": 405, "detail": "Method 'DELETE' not allowed."}
+
+In order to alter the style of the response, you could write the following custom exception handler:
+
+    from rest_framework.views import exception_handler
+
+    def custom_exception_handler(exc):
+        # Call REST framework's default exception handler first,
+        # to get the standard error response.
+        response = exception_handler(exc)
+
+        # Now add the HTTP status code to the response.
+        if response is not None:
+            response.data['status_code'] = response.status_code
+
+        return response
+
+The exception handler must also be configured in your settings, using the `EXCEPTION_HANDLER` setting key. For example:
+
+    REST_FRAMEWORK = {
+        'EXCEPTION_HANDLER': 'my_project.my_app.utils.custom_exception_handler'
+    }
+
+If not specified, the `'EXCEPTION_HANDLER'` setting defaults to the standard exception handler provided by REST framework:
+
+    REST_FRAMEWORK = {
+        'EXCEPTION_HANDLER': 'rest_framework.views.exception_handler'
+    }
+
+Note that the exception handler will only be called for responses generated by raised exceptions.  It will not be used for any responses returned directly by the view, such as the `HTTP_400_BAD_REQUEST` responses that are returned by the generic views when serializer validation fails.
+
 ---
 
 # API Reference
diff --git a/docs/api-guide/filtering.md b/docs/api-guide/filtering.md
index 649462da..859e8d52 100644
--- a/docs/api-guide/filtering.md
+++ b/docs/api-guide/filtering.md
@@ -257,6 +257,49 @@ The `ordering` attribute may be either a string or a list/tuple of strings.
 
 ---
 
+## DjangoObjectPermissionsFilter
+
+The `DjangoObjectPermissionsFilter` is intended to be used together with the [`django-guardian`][guardian] package, with custom `'view'` permissions added.  The filter will ensure that querysets only returns objects for which the user has the appropriate view permission.
+
+This filter class must be used with views that provide either a `queryset` or a `model` attribute.
+
+If you're using `DjangoObjectPermissionsFilter`, you'll probably also want to add an appropriate object permissions class, to ensure that users can only operate on instances if they have the appropriate object permissions.  The easiest way to do this is to subclass `DjangoObjectPermissions` and add `'view'` permissions to the `perms_map` attribute.
+
+A complete example using both `DjangoObjectPermissionsFilter` and `DjangoObjectPermissions` might look something like this.
+
+**permissions.py**:
+
+    class CustomObjectPermissions(permissions.DjangoObjectPermissions):
+		"""
+		Similar to `DjangoObjectPermissions`, but adding 'view' permissions.
+		"""
+        perms_map = {
+            'GET': ['%(app_label)s.view_%(model_name)s'],
+            'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
+            'HEAD': ['%(app_label)s.view_%(model_name)s'],
+            'POST': ['%(app_label)s.add_%(model_name)s'],
+            'PUT': ['%(app_label)s.change_%(model_name)s'],
+            'PATCH': ['%(app_label)s.change_%(model_name)s'],
+            'DELETE': ['%(app_label)s.delete_%(model_name)s'],
+        }
+
+**views.py**:
+
+    class EventViewSet(viewsets.ModelViewSet):
+    	"""
+    	Viewset that only lists events if user has 'view' permissions, and only
+    	allows operations on individual events if user has appropriate 'view', 'add',
+    	'change' or 'delete' permissions.
+		"""
+        queryset = Event.objects.all()
+        serializer = EventSerializer
+        filter_backends = (filters.DjangoObjectPermissionsFilter,)
+        permission_classes = (myapp.permissions.CustomObjectPermissions,)
+
+For more information on adding `'view'` permissions for models, see the [relevant section][view-permissions] of the `django-guardian` documentation, and [this blogpost][view-permissions-blogpost].
+
+---
+
 # Custom generic filtering
 
 You can also provide your own generic filtering backend, or write an installable app for other developers to use.
@@ -281,5 +324,8 @@ We could achieve the same behavior by overriding `get_queryset()` on the views,
 [cite]: https://docs.djangoproject.com/en/dev/topics/db/queries/#retrieving-specific-objects-with-filters
 [django-filter]: https://github.com/alex/django-filter
 [django-filter-docs]: https://django-filter.readthedocs.org/en/latest/index.html
+[guardian]: http://pythonhosted.org/django-guardian/
+[view-permissions]: http://pythonhosted.org/django-guardian/userguide/assign.html
+[view-permissions-blogpost]: http://blog.nyaruka.com/adding-a-view-permission-to-django-models
 [nullbooleanselect]: https://github.com/django/django/blob/master/django/forms/widgets.py
 [search-django-admin]: https://docs.djangoproject.com/en/dev/ref/contrib/admin/#django.contrib.admin.ModelAdmin.search_fields
diff --git a/docs/api-guide/generic-views.md b/docs/api-guide/generic-views.md
index 7185b6b6..dc0076df 100755
--- a/docs/api-guide/generic-views.md
+++ b/docs/api-guide/generic-views.md
@@ -69,7 +69,7 @@ The following attributes control the basic view behavior.
 
 **Shortcuts**:
 
-* `model` - This shortcut may be used instead of setting either (or both) of the `queryset`/`serializer_class` attributes, although using the explicit style is generally preferred.  If used instead of `serializer_class`, then then `DEFAULT_MODEL_SERIALIZER_CLASS` setting will determine the base serializer class.
+* `model` - This shortcut may be used instead of setting either (or both) of the `queryset`/`serializer_class` attributes, although using the explicit style is generally preferred.  If used instead of `serializer_class`, then then `DEFAULT_MODEL_SERIALIZER_CLASS` setting will determine the base serializer class.  Note that `model` is only ever used for generating a default queryset or serializer class - the `queryset` and `serializer_class` attributes are always preferred if provided.
 
 **Pagination**:
 
diff --git a/docs/api-guide/permissions.md b/docs/api-guide/permissions.md
index a7bf1555..871de84e 100644
--- a/docs/api-guide/permissions.md
+++ b/docs/api-guide/permissions.md
@@ -120,7 +120,21 @@ To use custom model permissions, override `DjangoModelPermissions` and set the `
 
 ## DjangoModelPermissionsOrAnonReadOnly
 
-Similar to `DjangoModelPermissions`, but also allows unauthenticated users to have  read-only access to the API.
+Similar to `DjangoModelPermissions`, but also allows unauthenticated users to have read-only access to the API.
+
+## DjangoObjectPermissions
+
+This permission class ties into Django's standard [object permissions framework][objectpermissions] that allows per-object permissions on models.  In order to use this permission class, you'll also need to add a permission backend that supports object-level permissions, such as [django-guardian][guardian].
+
+When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant per-object permissions* and *relevant model permissions* assigned.
+
+* `POST` requests require the user to have the `add` permission on the model instance.
+* `PUT` and `PATCH` requests require the user to have the `change` permission on the model instance.
+* `DELETE` requests require the user to have the `delete` permission on the model instance.
+
+Note that `DjangoObjectPermissions` **does not** require the `django-guardian` package, and should support other object-level backends equally well.
+
+As with `DjangoModelPermissions` you can use custom model permissions by overriding `DjangoModelPermissions` and setting the `.perms_map` property.  Refer to the source code for details.  Note that if you add a custom `view` permission for `GET`, `HEAD` and `OPTIONS` requests, you'll probably also want to consider adding the `DjangoObjectPermissionsFilter` class to ensure that list endpoints only return results including objects for which the user has appropriate view permissions.
 
 ## TokenHasReadWriteScope
 
@@ -220,7 +234,9 @@ The [Composed Permissions][composed-permissions] package provides a simple way t
 [authentication]: authentication.md
 [throttling]: throttling.md
 [contribauth]: https://docs.djangoproject.com/en/1.0/topics/auth/#permissions
+[objectpermissions]: https://docs.djangoproject.com/en/dev/topics/auth/customizing/#handling-object-permissions
 [guardian]: https://github.com/lukaszb/django-guardian
+[get_objects_for_user]: http://pythonhosted.org/django-guardian/api/guardian.shortcuts.html#get-objects-for-user
 [django-oauth-plus]: http://code.larlet.fr/django-oauth-plus
 [django-oauth2-provider]: https://github.com/caffeinehit/django-oauth2-provider
 [2.2-announcement]: ../topics/2.2-announcement.md
diff --git a/docs/api-guide/relations.md b/docs/api-guide/relations.md
index 15ba9a3a..5ec4b22f 100644
--- a/docs/api-guide/relations.md
+++ b/docs/api-guide/relations.md
@@ -421,7 +421,7 @@ For example, if all your object URLs used both a account and a slug in the the U
         def get_object(self, queryset, view_name, view_args, view_kwargs):
             account = view_kwargs['account']
             slug = view_kwargs['slug']
-            return queryset.get(account=account, slug=sug)
+            return queryset.get(account=account, slug=slug)
 
 ---
 
diff --git a/docs/api-guide/serializers.md b/docs/api-guide/serializers.md
index 5d7e2ac8..a3cd1d6a 100644
--- a/docs/api-guide/serializers.md
+++ b/docs/api-guide/serializers.md
@@ -250,7 +250,7 @@ This allows you to write views that update or create multiple items when a `PUT`
     serializer = BookSerializer(queryset, data=data, many=True)
     serializer.is_valid()
     # True
-    serialize.save()  # `.save()` will be called on each updated or newly created instance.
+    serializer.save()  # `.save()` will be called on each updated or newly created instance.
 
 By default bulk updates will be limited to updating instances that already exist in the provided queryset.
 
diff --git a/docs/api-guide/settings.md b/docs/api-guide/settings.md
index 542e8c5f..13f96f9a 100644
--- a/docs/api-guide/settings.md
+++ b/docs/api-guide/settings.md
@@ -25,7 +25,7 @@ If you need to access the values of REST framework's API settings in your projec
 you should use the `api_settings` object.  For example.
 
     from rest_framework.settings import api_settings
-    
+
     print api_settings.DEFAULT_AUTHENTICATION_CLASSES
 
 The `api_settings` object will check for any user-defined settings, and otherwise fall back to the default values.  Any setting that uses string import paths to refer to a class will automatically import and return the referenced class, instead of the string literal.
@@ -339,6 +339,20 @@ Default: `'rest_framework.views.get_view_description'`
 
 ## Miscellaneous settings
 
+#### EXCEPTION_HANDLER
+
+A string representing the function that should be used when returning a response for any given exception.  If the function returns `None`, a 500 error will be raised.
+
+This setting can be changed to support error responses other than the default `{"detail": "Failure..."}` responses.  For example, you can use it to provide API responses like `{"errors": [{"message": "Failure...", "code": ""} ...]}`.
+
+This should be a function with the following signature:
+
+    exception_handler(exc)
+
+* `exc`: The exception.
+
+Default: `'rest_framework.views.exception_handler'`
+
 #### FORMAT_SUFFIX_KWARG
 
 The name of a parameter in the URL conf that may be used to provide a format suffix.
diff --git a/docs/api-guide/viewsets.md b/docs/api-guide/viewsets.md
index 6498e177..a5359e99 100644
--- a/docs/api-guide/viewsets.md
+++ b/docs/api-guide/viewsets.md
@@ -23,7 +23,7 @@ Let's define a simple viewset that can be used to list or retrieve all the users
     from django.shortcuts import get_object_or_404
     from myapps.serializers import UserSerializer
     from rest_framework import viewsets
-    from rest_framewor.responses import Response
+    from rest_framework.response import Response
 
     class UserViewSet(viewsets.ViewSet):
         """
diff --git a/docs/index.md b/docs/index.md
index e0a2e911..bb2129f6 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -42,6 +42,7 @@ The following packages are optional:
 * [django-filter][django-filter] (0.5.4+) - Filtering support.
 * [django-oauth-plus][django-oauth-plus] (2.0+) and [oauth2][oauth2] (1.5.211+) - OAuth 1.0a support.
 * [django-oauth2-provider][django-oauth2-provider] (0.2.3+) - OAuth 2.0 support.
+* [django-guardian][django-guardian] (1.1.1+) - Object level permissions support.
 
 **Note**: The `oauth2` Python package is badly misnamed, and actually provides OAuth 1.0a support.  Also note that packages required for both OAuth 1.0a, and OAuth 2.0 are not yet Python 3 compatible.
 
@@ -250,6 +251,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 [oauth2]: https://github.com/simplegeo/python-oauth2
 [django-oauth-plus]: https://bitbucket.org/david/django-oauth-plus/wiki/Home
 [django-oauth2-provider]: https://github.com/caffeinehit/django-oauth2-provider
+[django-guardian]: https://github.com/lukaszb/django-guardian
 [0.4]: https://github.com/tomchristie/django-rest-framework/tree/0.4.X
 [image]: img/quickstart.png
 [index]: .
diff --git a/docs/topics/browsable-api.md b/docs/topics/browsable-api.md
index b2c78f3c..e32db695 100644
--- a/docs/topics/browsable-api.md
+++ b/docs/topics/browsable-api.md
@@ -115,6 +115,7 @@ The context that's available to the template:
 * `name`                : The name of the resource
 * `post_form`           : A form instance for use by the POST form (if allowed)
 * `put_form`            : A form instance for use by the PUT form (if allowed)
+* `display_edit_forms`  : A boolean indicating whether or not POST, PUT and PATCH forms will be displayed
 * `request`             : The request object
 * `response`            : The response object
 * `version`             : The version of Django REST Framework
@@ -122,6 +123,8 @@ The context that's available to the template:
 * `FORMAT_PARAM`        : The view can accept a format override
 * `METHOD_PARAM`        : The view can accept a method override
 
+You can override the `BrowsableAPIRenderer.get_context()` method to customise the context that gets passed to the template.
+
 #### Not using base.html
 
 For more advanced customization, such as not having a Bootstrap basis or tighter integration with the rest of your site, you can simply choose not to have `api.html` extend `base.html`.  Then the page content and capabilities are entirely up to you.
diff --git a/docs/topics/credits.md b/docs/topics/credits.md
index b2d3d5d2..4483f170 100644
--- a/docs/topics/credits.md
+++ b/docs/topics/credits.md
@@ -166,6 +166,9 @@ The following people have helped make REST framework great.
 * Alexander Akhmetov - [alexander-akhmetov]
 * Andrey Antukh - [niwibe]
 * Mathieu Pillard - [diox]
+* Edmond Wong - [edmondwong]
+* Ben Reilly - [bwreilly]
+* Tai Lee - [mrmachine]
 
 Many thanks to everyone who's contributed to the project.
 
@@ -368,3 +371,6 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
 [alexander-akhmetov]: https://github.com/alexander-akhmetov
 [niwibe]: https://github.com/niwibe
 [diox]: https://github.com/diox
+[edmondwong]: https://github.com/edmondwong
+[bwreilly]: https://github.com/bwreilly
+[mrmachine]: https://github.com/mrmachine
diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 5e3aa2f0..a3f3ed3c 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -48,6 +48,20 @@ You can determine your currently installed version using `pip freeze`:
 * Added `MAX_PAGINATE_BY` setting and `max_paginate_by` generic view attribute.
 * Added `cache` attribute to throttles to allow overriding of default cache.
 * Bugfix: `?page_size=0` query parameter now falls back to default page size for view, instead of always turning pagination off.
+* Added JSON renderer support for numpy scalars.
+* Added `get_context` hook in `BrowsableAPIRenderer`.
+
+### 2.3.8
+
+**Date**: 11th September 2013
+
+* Added `DjangoObjectPermissions`, and `DjangoObjectPermissionsFilter`.
+* Support customizable exception handling, using the `EXCEPTION_HANDLER` setting.
+* Support customizable view name and description functions, using the `VIEW_NAME_FUNCTION` and `VIEW_DESCRIPTION_FUNCTION` settings.
+* Added `MAX_PAGINATE_BY` setting and `max_paginate_by` generic view attribute.
+* Added `cache` attribute to throttles to allow overriding of default cache.
+* 'Raw data' tab in browsable API now contains pre-populated data.
+* 'Raw data' and 'HTML form' tab preference in browseable API now saved between page views.
 * Bugfix: `required=True` argument fixed for boolean serializer fields.
 * Bugfix: `client.force_authenticate(None)` should also clear session info if it exists.
 * Bugfix: Client sending emptry string instead of file now clears `FileField`.
diff --git a/docs/topics/writable-nested-serializers.md b/docs/topics/writable-nested-serializers.md
new file mode 100644
index 00000000..66ea7815
--- /dev/null
+++ b/docs/topics/writable-nested-serializers.md
@@ -0,0 +1,47 @@
+> To save HTTP requests, it may be convenient to send related documents along with the request.
+>
+> — [JSON API specification for Ember Data][cite].
+
+# Writable nested serializers
+
+Although flat data structures serve to properly delineate between the individual entities in your service, there are cases where it may be more appropriate or convenient to use nested data structures.
+
+Nested data structures are easy enough to work with if they're read-only - simply nest your serializer classes and you're good to go.  However, there are a few more subtleties to using writable nested serializers, due to the dependancies between the various model instances, and the need to save or delete multiple instances in a single action.
+
+## One-to-many data structures 
+
+*Example of a **read-only** nested serializer.  Nothing complex to worry about here.*
+
+	class ToDoItemSerializer(serializers.ModelSerializer):
+	    class Meta:
+	        model = ToDoItem
+	        fields = ('text', 'is_completed')
+	
+	class ToDoListSerializer(serializers.ModelSerializer):
+	    items = ToDoItemSerializer(many=True, read_only=True)
+	
+	    class Meta:
+	        model = ToDoList
+	        fields = ('title', 'items')
+
+Some example output from our serializer.
+
+    {
+        'title': 'Leaving party preperations',
+        'items': {
+            {'text': 'Compile playlist', 'is_completed': True},
+            {'text': 'Send invites', 'is_completed': False},
+            {'text': 'Clean house', 'is_completed': False}            
+        }
+    }
+
+Let's take a look at updating our nested one-to-many data structure.
+
+### Validation errors
+
+### Adding and removing items
+
+### Making PATCH requests
+
+
+[cite]: http://jsonapi.org/format/#url-based-json-api
\ No newline at end of file
diff --git a/docs/tutorial/6-viewsets-and-routers.md b/docs/tutorial/6-viewsets-and-routers.md
index 29c53162..3b9fd7d4 100644
--- a/docs/tutorial/6-viewsets-and-routers.md
+++ b/docs/tutorial/6-viewsets-and-routers.md
@@ -61,6 +61,7 @@ To see what's going on under the hood let's first explicitly create a set of vie
 In the `urls.py` file we bind our `ViewSet` classes into a set of concrete views.
 
     from snippets.views import SnippetViewSet, UserViewSet
+    from rest_framework import renderers
 
     snippet_list = SnippetViewSet.as_view({
         'get': 'list',
@@ -101,6 +102,7 @@ Because we're using `ViewSet` classes rather than `View` classes, we actually do
 
 Here's our re-wired `urls.py` file.
 
+    from django.conf.urls import patterns, url, include
     from snippets import views
     from rest_framework.routers import DefaultRouter
 
diff --git a/docs/tutorial/quickstart.md b/docs/tutorial/quickstart.md
index f15e75c0..06eec3c4 100644
--- a/docs/tutorial/quickstart.md
+++ b/docs/tutorial/quickstart.md
@@ -12,7 +12,7 @@ Create a new Django project named `tutorial`, then start a new app called `quick
 
     # Create a virtualenv to isolate our package dependencies locally
     virtualenv env
-    source env/bin/activate
+    source env/bin/activate  # On Windows use `env\Scripts\activate`
 
     # Install Django and Django REST framework into the virtualenv
     pip install django