From 6111dcef5216ff12fb9353bb8c7d71b021634513 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Fri, 22 Mar 2013 22:58:04 +0000
Subject: Update release notes

---
 docs/topics/release-notes.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index f506c610..935bd905 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -42,6 +42,7 @@ You can determine your currently installed version using `pip freeze`:
 
 ### Master
 
+* Serializers now support bulk create and bulk update operations.
 * Regression fix: Date and time fields return date/time objects by default.  Fixes regressions caused by 2.2.2.  See [#743][743] for more details.
 * Bugfix: Fix 500 error is OAuth not attempted with OAuthAuthentication class installed.
 * `Serializer.save()` now supports arbitrary keyword args which are passed through to the object `.save()` method.  Mixins use `force_insert` and `force_update` where appropriate, resulting in one less database query.
-- 
cgit v1.2.3


From dab158e1fd827285032e331c10acc60e9719ace3 Mon Sep 17 00:00:00 2001
From: Sitong Peng
Date: Mon, 25 Mar 2013 09:27:12 -0700
Subject: Tiny typo

---
 docs/tutorial/4-authentication-and-permissions.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/tutorial/4-authentication-and-permissions.md b/docs/tutorial/4-authentication-and-permissions.md
index 3ee755a2..878672bb 100644
--- a/docs/tutorial/4-authentication-and-permissions.md
+++ b/docs/tutorial/4-authentication-and-permissions.md
@@ -179,7 +179,7 @@ Now, if you open a browser again, you find that the 'DELETE' and 'PUT' actions o
 
 ## Authenticating with the API
 
-Because we now have a set of permissions on the API, we need to authenticate our requests to it if we want to edit any snippets.  We havn't set up any [authentication classes][authentication], so the defaults are currently applied, which are `SessionAuthentication` and `BasicAuthentication`.
+Because we now have a set of permissions on the API, we need to authenticate our requests to it if we want to edit any snippets.  We haven't set up any [authentication classes][authentication], so the defaults are currently applied, which are `SessionAuthentication` and `BasicAuthentication`.
 
 When we interact with the API through the web browser, we can login, and the browser session will then provide the required authentication for the requests.
 
-- 
cgit v1.2.3


From dca24cd91488af62152b7e711cd6869b2d60c0ec Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Mon, 25 Mar 2013 16:44:36 +0000
Subject: Added @stoneg for typo fix #754. Thank you!

---
 docs/topics/credits.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/topics/credits.md b/docs/topics/credits.md
index b533daa9..7dd9cd2c 100644
--- a/docs/topics/credits.md
+++ b/docs/topics/credits.md
@@ -112,6 +112,7 @@ The following people have helped make REST framework great.
 * Bouke Haarsma - [bouke]
 * Pierre Dulac - [dulaccc]
 * Dave Kuhn - [kuhnza]
+* Sitong Peng - [stoneg]
 
 Many thanks to everyone who's contributed to the project.
 
@@ -258,3 +259,4 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
 [bouke]: https://github.com/bouke
 [dulaccc]: https://github.com/dulaccc
 [kuhnza]: https://github.com/kuhnza
+[stoneg]: https://github.com/stoneg
-- 
cgit v1.2.3


From 7eefcf7e53f2bc37733a601041f23d354c7729f5 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Mon, 25 Mar 2013 20:26:34 +0000
Subject: Bulk update, allow_add_remove flag

---
 docs/api-guide/serializers.md                  | 10 ++++----
 rest_framework/serializers.py                  | 16 +++++++-----
 rest_framework/tests/serializer_bulk_update.py | 34 ++++++++++++++++++++++----
 3 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/docs/api-guide/serializers.md b/docs/api-guide/serializers.md
index 42e81cad..aaff760e 100644
--- a/docs/api-guide/serializers.md
+++ b/docs/api-guide/serializers.md
@@ -242,17 +242,17 @@ This allows you to write views that update or create multiple items when a `PUT`
     # True
     serialize.save()  # `.save()` will be called on each updated or newly created instance.
 
-Bulk updates will update any instances that already exist, and create new instances for data items that do not have a corresponding instance.
+By default bulk updates will be limited to updating instances that already exist in the provided queryset.
 
-When performing a bulk update you may want any items that are not present in the incoming data to be deleted.  To do so, pass `allow_delete=True` to the serializer.
+When performing a bulk update you may want to allow new items to be created, and missing items to be deleted.  To do so, pass `allow_add_remove=True` to the serializer.
 
-    serializer = BookSerializer(queryset, data=data, many=True, allow_delete=True)
+    serializer = BookSerializer(queryset, data=data, many=True, allow_add_remove=True)
     serializer.is_valid()
     # True
-    serializer.save()  # `.save()` will be called on each updated or newly created instance.
+    serializer.save()  # `.save()` will be called on updated or newly created instances.
                        # `.delete()` will be called on any other items in the `queryset`.
 
-Passing `allow_delete=True` ensures that any update operations will completely overwrite the existing queryset, rather than simply updating any objects found in the incoming data. 
+Passing `allow_delete=True` ensures that any update operations will completely overwrite the existing queryset, rather than simply updating existing objects. 
 
 #### How identity is determined when performing bulk updates
 
diff --git a/rest_framework/serializers.py b/rest_framework/serializers.py
index 6aca2f57..1b2b0821 100644
--- a/rest_framework/serializers.py
+++ b/rest_framework/serializers.py
@@ -130,14 +130,14 @@ class BaseSerializer(WritableField):
 
     def __init__(self, instance=None, data=None, files=None,
                  context=None, partial=False, many=None,
-                 allow_delete=False, **kwargs):
+                 allow_add_remove=False, **kwargs):
         super(BaseSerializer, self).__init__(**kwargs)
         self.opts = self._options_class(self.Meta)
         self.parent = None
         self.root = None
         self.partial = partial
         self.many = many
-        self.allow_delete = allow_delete
+        self.allow_add_remove = allow_add_remove
 
         self.context = context or {}
 
@@ -154,8 +154,8 @@ class BaseSerializer(WritableField):
         if many and instance is not None and not hasattr(instance, '__iter__'):
             raise ValueError('instance should be a queryset or other iterable with many=True')
 
-        if allow_delete and not many:
-            raise ValueError('allow_delete should only be used for bulk updates, but you have not set many=True')
+        if allow_add_remove and not many:
+            raise ValueError('allow_add_remove should only be used for bulk updates, but you have not set many=True')
 
     #####
     # Methods to determine which fields to use when (de)serializing objects.
@@ -448,6 +448,10 @@ class BaseSerializer(WritableField):
                             # Determine which object we're updating
                             identity = self.get_identity(item)
                             self.object = identity_to_objects.pop(identity, None)
+                            if self.object is None and not self.allow_add_remove:
+                                ret.append(None)
+                                errors.append({'non_field_errors': ['Cannot create a new item, only existing items may be updated.']})
+                                continue
 
                         ret.append(self.from_native(item, None))
                         errors.append(self._errors)
@@ -457,7 +461,7 @@ class BaseSerializer(WritableField):
 
                     self._errors = any(errors) and errors or []
                 else:
-                    self._errors = {'non_field_errors': ['Expected a list of items']}
+                    self._errors = {'non_field_errors': ['Expected a list of items.']}
             else:
                 ret = self.from_native(data, files)
 
@@ -508,7 +512,7 @@ class BaseSerializer(WritableField):
         else:
             self.save_object(self.object, **kwargs)
 
-        if self.allow_delete and self._deleted:
+        if self.allow_add_remove and self._deleted:
             [self.delete_object(item) for item in self._deleted]
 
         return self.object
diff --git a/rest_framework/tests/serializer_bulk_update.py b/rest_framework/tests/serializer_bulk_update.py
index afc1a1a9..8b0ded1a 100644
--- a/rest_framework/tests/serializer_bulk_update.py
+++ b/rest_framework/tests/serializer_bulk_update.py
@@ -98,7 +98,7 @@ class BulkCreateSerializerTests(TestCase):
         serializer = self.BookSerializer(data=data, many=True)
         self.assertEqual(serializer.is_valid(), False)
 
-        expected_errors = {'non_field_errors': ['Expected a list of items']}
+        expected_errors = {'non_field_errors': ['Expected a list of items.']}
 
         self.assertEqual(serializer.errors, expected_errors)
 
@@ -115,7 +115,7 @@ class BulkCreateSerializerTests(TestCase):
         serializer = self.BookSerializer(data=data, many=True)
         self.assertEqual(serializer.is_valid(), False)
 
-        expected_errors = {'non_field_errors': ['Expected a list of items']}
+        expected_errors = {'non_field_errors': ['Expected a list of items.']}
 
         self.assertEqual(serializer.errors, expected_errors)
 
@@ -201,11 +201,12 @@ class BulkUpdateSerializerTests(TestCase):
                 'author': 'Haruki Murakami'
             }
         ]
-        serializer = self.BookSerializer(self.books(), data=data, many=True, allow_delete=True)
+        serializer = self.BookSerializer(self.books(), data=data, many=True, allow_add_remove=True)
         self.assertEqual(serializer.is_valid(), True)
         self.assertEqual(serializer.data, data)
         serializer.save()
         new_data = self.BookSerializer(self.books(), many=True).data
+
         self.assertEqual(data, new_data)
 
     def test_bulk_update_and_create(self):
@@ -223,13 +224,36 @@ class BulkUpdateSerializerTests(TestCase):
                 'author': 'Haruki Murakami'
             }
         ]
-        serializer = self.BookSerializer(self.books(), data=data, many=True, allow_delete=True)
+        serializer = self.BookSerializer(self.books(), data=data, many=True, allow_add_remove=True)
         self.assertEqual(serializer.is_valid(), True)
         self.assertEqual(serializer.data, data)
         serializer.save()
         new_data = self.BookSerializer(self.books(), many=True).data
         self.assertEqual(data, new_data)
 
+    def test_bulk_update_invalid_create(self):
+        """
+        Bulk update serialization without allow_add_remove may not create items.
+        """
+        data = [
+            {
+                'id': 0,
+                'title': 'The electric kool-aid acid test',
+                'author': 'Tom Wolfe'
+            }, {
+                'id': 3,
+                'title': 'Kafka on the shore',
+                'author': 'Haruki Murakami'
+            }
+        ]
+        expected_errors = [
+            {},
+            {'non_field_errors': ['Cannot create a new item, only existing items may be updated.']}
+        ]
+        serializer = self.BookSerializer(self.books(), data=data, many=True)
+        self.assertEqual(serializer.is_valid(), False)
+        self.assertEqual(serializer.errors, expected_errors)
+
     def test_bulk_update_error(self):
         """
         Incorrect bulk update serialization should return error data.
@@ -249,6 +273,6 @@ class BulkUpdateSerializerTests(TestCase):
             {},
             {'id': ['Enter a whole number.']}
         ]
-        serializer = self.BookSerializer(self.books(), data=data, many=True, allow_delete=True)
+        serializer = self.BookSerializer(self.books(), data=data, many=True, allow_add_remove=True)
         self.assertEqual(serializer.is_valid(), False)
         self.assertEqual(serializer.errors, expected_errors)
-- 
cgit v1.2.3


From 8387cb5d1655e4d29cf8bca1919038091427e584 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Mon, 25 Mar 2013 20:28:17 +0000
Subject: Docs fix

---
 docs/api-guide/serializers.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/api-guide/serializers.md b/docs/api-guide/serializers.md
index aaff760e..dfa0cace 100644
--- a/docs/api-guide/serializers.md
+++ b/docs/api-guide/serializers.md
@@ -252,7 +252,7 @@ When performing a bulk update you may want to allow new items to be created, and
     serializer.save()  # `.save()` will be called on updated or newly created instances.
                        # `.delete()` will be called on any other items in the `queryset`.
 
-Passing `allow_delete=True` ensures that any update operations will completely overwrite the existing queryset, rather than simply updating existing objects. 
+Passing `allow_add_remove=True` ensures that any update operations will completely overwrite the existing queryset, rather than simply updating existing objects. 
 
 #### How identity is determined when performing bulk updates
 
-- 
cgit v1.2.3


From 92c929094c88125ea4a2fd359ec99d2b4114f081 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Tue, 26 Mar 2013 07:48:53 +0000
Subject: Version 2.2.5

---
 docs/api-guide/fields.md      | 7 ++++++-
 docs/api-guide/serializers.md | 2 +-
 docs/topics/release-notes.md  | 5 ++++-
 rest_framework/__init__.py    | 2 +-
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/docs/api-guide/fields.md b/docs/api-guide/fields.md
index 02876936..42f89f46 100644
--- a/docs/api-guide/fields.md
+++ b/docs/api-guide/fields.md
@@ -197,12 +197,16 @@ If you want to override this behavior, you'll need to declare the `DateTimeField
         class Meta:
             model = Comment
 
+Note that by default, datetime representations are deteremined by the renderer in use, although this can be explicitly overridden as detailed below.
+
+In the case of JSON this means the default datetime representation uses the [ECMA 262 date time string specification][ecma262].  This is a subset of ISO 8601 which uses millisecond precision, and includes the 'Z' suffix for the UTC timezone, for example: `2013-01-29T12:34:56.123Z`.
+
 **Signature:** `DateTimeField(format=None, input_formats=None)`
 
 * `format` - A string representing the output format.  If not specified, this defaults to `None`, which indicates that python `datetime` objects should be returned by `to_native`.  In this case the datetime encoding will be determined by the renderer. 
 * `input_formats` - A list of strings representing the input formats which may be used to parse the date. If not specified, the `DATETIME_INPUT_FORMATS` setting will be used, which defaults to `['iso-8601']`.
 
-DateTime format strings may either be [python strftime formats][strftime] which explicitly specifiy the format, or the special string `'iso-8601'`, which indicates that [ISO 8601][iso8601] style datetimes should be used. (eg `'2013-01-29T12:34:56.000000'`)
+DateTime format strings may either be [python strftime formats][strftime] which explicitly specifiy the format, or the special string `'iso-8601'`, which indicates that [ISO 8601][iso8601] style datetimes should be used. (eg `'2013-01-29T12:34:56.000000Z'`)
 
 ## DateField
 
@@ -318,5 +322,6 @@ As an example, let's create a field that can be used represent the class name of
 
 [cite]: https://docs.djangoproject.com/en/dev/ref/forms/api/#django.forms.Form.cleaned_data
 [FILE_UPLOAD_HANDLERS]: https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-FILE_UPLOAD_HANDLERS
+[ecma262]: http://ecma-international.org/ecma-262/5.1/#sec-15.9.1.15
 [strftime]: http://docs.python.org/2/library/datetime.html#strftime-and-strptime-behavior
 [iso8601]: http://www.w3.org/TR/NOTE-datetime
diff --git a/docs/api-guide/serializers.md b/docs/api-guide/serializers.md
index dfa0cace..1a3c3431 100644
--- a/docs/api-guide/serializers.md
+++ b/docs/api-guide/serializers.md
@@ -256,7 +256,7 @@ Passing `allow_add_remove=True` ensures that any update operations will complete
 
 #### How identity is determined when performing bulk updates
 
-Performing a bulk update is slightly more complicated than performing a bulk creation, because the serializer needs a way of determining how the items in the incoming data should be matched against the existing object instances.
+Performing a bulk update is slightly more complicated than performing a bulk creation, because the serializer needs a way to determine how the items in the incoming data should be matched against the existing object instances.
 
 By default the serializer class will use the `id` key on the incoming data to determine the canonical identity of an object.  If you need to change this behavior you should override the `get_identity` method on the `Serializer` class.  For example:
 
diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index f506c610..e63aee49 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -40,8 +40,11 @@ You can determine your currently installed version using `pip freeze`:
 
 ## 2.2.x series
 
-### Master
+### 2.2.5
 
+**Date**: 26th March 2013
+
+* Serializer support for bulk create and bulk update operations.
 * Regression fix: Date and time fields return date/time objects by default.  Fixes regressions caused by 2.2.2.  See [#743][743] for more details.
 * Bugfix: Fix 500 error is OAuth not attempted with OAuthAuthentication class installed.
 * `Serializer.save()` now supports arbitrary keyword args which are passed through to the object `.save()` method.  Mixins use `force_insert` and `force_update` where appropriate, resulting in one less database query.
diff --git a/rest_framework/__init__.py b/rest_framework/__init__.py
index cf005636..c86403d8 100644
--- a/rest_framework/__init__.py
+++ b/rest_framework/__init__.py
@@ -1,4 +1,4 @@
-__version__ = '2.2.4'
+__version__ = '2.2.5'
 
 VERSION = __version__  # synonym
 
-- 
cgit v1.2.3


From f1b8fee4f1e0ea2503d4e0453bdc3049edaa2598 Mon Sep 17 00:00:00 2001
From: Fernando Rocha
Date: Wed, 27 Mar 2013 14:05:46 -0300
Subject: client credentials should be optional (fix #759)

client credentials should only be required on token
request

Signed-off-by: Fernando Rocha <fernandogrd@gmail.com>
---
 rest_framework/authentication.py       | 32 ++++++++++++++++++--------------
 rest_framework/tests/authentication.py | 12 ++++++++++++
 2 files changed, 30 insertions(+), 14 deletions(-)

diff --git a/rest_framework/authentication.py b/rest_framework/authentication.py
index 8f4ec536..f4626a2e 100644
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@@ -2,14 +2,16 @@
 Provides a set of pluggable authentication policies.
 """
 from __future__ import unicode_literals
+import base64
+from datetime import datetime
+
 from django.contrib.auth import authenticate
 from django.core.exceptions import ImproperlyConfigured
 from rest_framework import exceptions, HTTP_HEADER_ENCODING
 from rest_framework.compat import CsrfViewMiddleware
 from rest_framework.compat import oauth, oauth_provider, oauth_provider_store
-from rest_framework.compat import oauth2_provider, oauth2_provider_forms, oauth2_provider_backends
+from rest_framework.compat import oauth2_provider, oauth2_provider_forms
 from rest_framework.authtoken.models import Token
-import base64
 
 
 def get_authorization_header(request):
@@ -314,22 +316,24 @@ class OAuth2Authentication(BaseAuthentication):
         """
         Authenticate the request, given the access token.
         """
+        client = None
 
         # Authenticate the client
-        oauth2_client_form = oauth2_provider_forms.ClientAuthForm(request.REQUEST)
-        if not oauth2_client_form.is_valid():
-            raise exceptions.AuthenticationFailed('Client could not be validated')
-        client = oauth2_client_form.cleaned_data.get('client')
-
-        # Retrieve the `OAuth2AccessToken` instance from the access_token
-        auth_backend = oauth2_provider_backends.AccessTokenBackend()
-        token = auth_backend.authenticate(access_token, client)
-        if token is None:
-            raise exceptions.AuthenticationFailed('Invalid token')
+        if 'client_id' in request.REQUEST:
+            oauth2_client_form = oauth2_provider_forms.ClientAuthForm(request.REQUEST)
+            if not oauth2_client_form.is_valid():
+                raise exceptions.AuthenticationFailed('Client could not be validated')
+            client = oauth2_client_form.cleaned_data.get('client')
 
-        user = token.user
+        try:
+            token = oauth2_provider.models.AccessToken.objects.select_related('user')
+            if client is not None:
+                token = token.filter(client=client)
+            token = token.get(token=access_token, expires__gt=datetime.now())
+        except oauth2_provider.models.AccessToken.DoesNotExist:
+            raise exceptions.AuthenticationFailed('Invalid token')
 
-        if not user.is_active:
+        if not token.user.is_active:
             msg = 'User inactive or deleted: %s' % user.username
             raise exceptions.AuthenticationFailed(msg)
 
diff --git a/rest_framework/tests/authentication.py b/rest_framework/tests/authentication.py
index b663ca48..375b19bd 100644
--- a/rest_framework/tests/authentication.py
+++ b/rest_framework/tests/authentication.py
@@ -516,6 +516,18 @@ class OAuth2Tests(TestCase):
         response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 200)
 
+    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    def test_get_form_passing_auth_without_client_params(self):
+        """
+        Ensure GETing form over OAuth without client credentials
+
+        Regression test for issue #759:
+        https://github.com/tomchristie/django-rest-framework/issues/759
+        """
+        auth = self._create_authorization_header()
+        response = self.csrf_client.get('/oauth2-test/', HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 200)
+
     @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
     def test_post_form_passing_auth(self):
         """Ensure POSTing form over OAuth with correct credentials passes and does not require CSRF"""
-- 
cgit v1.2.3


From 5f48b4a77e0a767694a32310a6368cd32b9a924c Mon Sep 17 00:00:00 2001
From: glic3rinu
Date: Wed, 27 Mar 2013 22:43:41 +0100
Subject: Refactored urlize_quoted_links code, now based on Django 1.5 urlize

---
 rest_framework/templatetags/rest_framework.py | 79 +++++++++++++++------------
 1 file changed, 45 insertions(+), 34 deletions(-)

diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index c21ddcd7..50e485db 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -2,7 +2,7 @@ from __future__ import unicode_literals, absolute_import
 from django import template
 from django.core.urlresolvers import reverse, NoReverseMatch
 from django.http import QueryDict
-from django.utils.html import escape
+from django.utils.html import escape, smart_urlquote
 from django.utils.safestring import SafeData, mark_safe
 from rest_framework.compat import urlparse
 from rest_framework.compat import force_text
@@ -112,22 +112,6 @@ def replace_query_param(url, key, val):
 class_re = re.compile(r'(?<=class=["\'])(.*)(?=["\'])')
 
 
-# Bunch of stuff cloned from urlize
-LEADING_PUNCTUATION = ['(', '<', '&lt;', '"', "'"]
-TRAILING_PUNCTUATION = ['.', ',', ')', '>', '\n', '&gt;', '"', "'"]
-DOTS = ['&middot;', '*', '\xe2\x80\xa2', '&#149;', '&bull;', '&#8226;']
-unencoded_ampersands_re = re.compile(r'&(?!(\w+|#\d+);)')
-word_split_re = re.compile(r'(\s+)')
-punctuation_re = re.compile('^(?P<lead>(?:%s)*)(?P<middle>.*?)(?P<trail>(?:%s)*)$' % \
-    ('|'.join([re.escape(x) for x in LEADING_PUNCTUATION]),
-    '|'.join([re.escape(x) for x in TRAILING_PUNCTUATION])))
-simple_email_re = re.compile(r'^\S+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+$')
-link_target_attribute_re = re.compile(r'(<a [^>]*?)target=[^\s>]+')
-html_gunk_re = re.compile(r'(?:<br clear="all">|<i><\/i>|<b><\/b>|<em><\/em>|<strong><\/strong>|<\/?smallcaps>|<\/?uppercase>)', re.IGNORECASE)
-hard_coded_bullets_re = re.compile(r'((?:<p>(?:%s).*?[a-zA-Z].*?</p>\s*)+)' % '|'.join([re.escape(x) for x in DOTS]), re.DOTALL)
-trailing_empty_content_re = re.compile(r'(?:<p>(?:&nbsp;|\s|<br \/>)*?</p>\s*)+\Z')
-
-
 # And the template tags themselves...
 
 @register.simple_tag
@@ -195,15 +179,25 @@ def add_class(value, css_class):
     return value
 
 
+# Bunch of stuff cloned from urlize
+TRAILING_PUNCTUATION = ['.', ',', ':', ';', '.)']
+WRAPPING_PUNCTUATION = [('(', ')'), ('<', '>'), ('[', ']'), ('&lt;', '&gt;'),
+                        ('"', '"'), ("'", "'")]
+word_split_re = re.compile(r'(\s+)')
+simple_url_re = re.compile(r'^https?://\w', re.IGNORECASE)
+simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)$', re.IGNORECASE)
+simple_email_re = re.compile(r'^\S+@\S+\.\S+$')
+
+
 @register.filter
 def urlize_quoted_links(text, trim_url_limit=None, nofollow=True, autoescape=True):
     """
     Converts any URLs in text into clickable links.
 
-    Works on http://, https://, www. links and links ending in .org, .net or
-    .com. Links can have trailing punctuation (periods, commas, close-parens)
-    and leading punctuation (opening parens) and it'll still do the right
-    thing.
+    Works on http://, https://, www. links, and also on links ending in one of
+    the original seven gTLDs (.com, .edu, .gov, .int, .mil, .net, and .org).
+    Links can have trailing punctuation (periods, commas, close-parens) and
+    leading punctuation (opening parens) and it'll still do the right thing.
 
     If trim_url_limit is not None, the URLs in link text longer than this limit
     will truncated to trim_url_limit-3 characters and appended with an elipsis.
@@ -216,24 +210,41 @@ def urlize_quoted_links(text, trim_url_limit=None, nofollow=True, autoescape=Tru
     trim_url = lambda x, limit=trim_url_limit: limit is not None and (len(x) > limit and ('%s...' % x[:max(0, limit - 3)])) or x
     safe_input = isinstance(text, SafeData)
     words = word_split_re.split(force_text(text))
-    nofollow_attr = nofollow and ' rel="nofollow"' or ''
     for i, word in enumerate(words):
         match = None
         if '.' in word or '@' in word or ':' in word:
-            match = punctuation_re.match(word)
-        if match:
-            lead, middle, trail = match.groups()
+            # Deal with punctuation.
+            lead, middle, trail = '', word, ''
+            for punctuation in TRAILING_PUNCTUATION:
+                if middle.endswith(punctuation):
+                    middle = middle[:-len(punctuation)]
+                    trail = punctuation + trail
+            for opening, closing in WRAPPING_PUNCTUATION:
+                if middle.startswith(opening):
+                    middle = middle[len(opening):]
+                    lead = lead + opening
+                # Keep parentheses at the end only if they're balanced.
+                if (middle.endswith(closing)
+                    and middle.count(closing) == middle.count(opening) + 1):
+                    middle = middle[:-len(closing)]
+                    trail = closing + trail
+
             # Make URL we want to point to.
             url = None
-            if middle.startswith('http://') or middle.startswith('https://'):
-                url = middle
-            elif middle.startswith('www.') or ('@' not in middle and \
-                    middle and middle[0] in string.ascii_letters + string.digits and \
-                    (middle.endswith('.org') or middle.endswith('.net') or middle.endswith('.com'))):
-                url = 'http://%s' % middle
-            elif '@' in middle and not ':' in middle and simple_email_re.match(middle):
-                url = 'mailto:%s' % middle
+            nofollow_attr = ' rel="nofollow"' if nofollow else ''
+            if simple_url_re.match(middle):
+                url = smart_urlquote(middle)
+            elif simple_url_2_re.match(middle):
+                url = smart_urlquote('http://%s' % middle)
+            elif not ':' in middle and simple_email_re.match(middle):
+                local, domain = middle.rsplit('@', 1)
+                try:
+                    domain = domain.encode('idna').decode('ascii')
+                except UnicodeError:
+                    continue
+                url = 'mailto:%s@%s' % (local, domain)
                 nofollow_attr = ''
+
             # Make link.
             if url:
                 trimmed = trim_url(middle)
@@ -251,4 +262,4 @@ def urlize_quoted_links(text, trim_url_limit=None, nofollow=True, autoescape=Tru
             words[i] = mark_safe(word)
         elif autoescape:
             words[i] = escape(word)
-    return mark_safe(''.join(words))
+    return ''.join(words)
-- 
cgit v1.2.3


From 2c0363ddaec22ac54385f7e0c2e1401ed3ff0879 Mon Sep 17 00:00:00 2001
From: glic3rinu
Date: Wed, 27 Mar 2013 22:58:11 +0100
Subject: Added quotes to TRAILING_PUNCTUATION used by urlize_quoted_links

---
 rest_framework/templatetags/rest_framework.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index 50e485db..78a3a9a1 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -180,7 +180,7 @@ def add_class(value, css_class):
 
 
 # Bunch of stuff cloned from urlize
-TRAILING_PUNCTUATION = ['.', ',', ':', ';', '.)']
+TRAILING_PUNCTUATION = ['.', ',', ':', ';', '.)', '"', "'"]
 WRAPPING_PUNCTUATION = [('(', ')'), ('<', '>'), ('[', ']'), ('&lt;', '&gt;'),
                         ('"', '"'), ("'", "'")]
 word_split_re = re.compile(r'(\s+)')
-- 
cgit v1.2.3


From b2cea84fae4f721e8eb6432b3d1bab1309e21a00 Mon Sep 17 00:00:00 2001
From: Fernando Rocha
Date: Wed, 27 Mar 2013 19:00:36 -0300
Subject: Complete remove of client checks from oauth2

Signed-off-by: Fernando Rocha <fernandogrd@gmail.com>
---
 docs/api-guide/authentication.md       |  2 +-
 rest_framework/authentication.py       | 12 ++----------
 rest_framework/tests/authentication.py |  9 ---------
 3 files changed, 3 insertions(+), 20 deletions(-)

diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md
index 541c6575..f1dd6f5f 100644
--- a/docs/api-guide/authentication.md
+++ b/docs/api-guide/authentication.md
@@ -294,7 +294,7 @@ The only thing needed to make the `OAuth2Authentication` class work is to insert
 
 The command line to test the authentication looks like:
 
-    curl -H "Authorization: Bearer <your-access-token>" http://localhost:8000/api/?client_id=YOUR_CLIENT_ID\&client_secret=YOUR_CLIENT_SECRET
+    curl -H "Authorization: Bearer <your-access-token>" http://localhost:8000/api/
 
 ---
 
diff --git a/rest_framework/authentication.py b/rest_framework/authentication.py
index f4626a2e..145d4295 100644
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@@ -316,19 +316,11 @@ class OAuth2Authentication(BaseAuthentication):
         """
         Authenticate the request, given the access token.
         """
-        client = None
-
-        # Authenticate the client
-        if 'client_id' in request.REQUEST:
-            oauth2_client_form = oauth2_provider_forms.ClientAuthForm(request.REQUEST)
-            if not oauth2_client_form.is_valid():
-                raise exceptions.AuthenticationFailed('Client could not be validated')
-            client = oauth2_client_form.cleaned_data.get('client')
 
         try:
             token = oauth2_provider.models.AccessToken.objects.select_related('user')
-            if client is not None:
-                token = token.filter(client=client)
+            # TODO: Change to timezone aware datetime when oauth2_provider add
+            # support to it.
             token = token.get(token=access_token, expires__gt=datetime.now())
         except oauth2_provider.models.AccessToken.DoesNotExist:
             raise exceptions.AuthenticationFailed('Invalid token')
diff --git a/rest_framework/tests/authentication.py b/rest_framework/tests/authentication.py
index 375b19bd..629db422 100644
--- a/rest_framework/tests/authentication.py
+++ b/rest_framework/tests/authentication.py
@@ -499,15 +499,6 @@ class OAuth2Tests(TestCase):
         response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 401)
 
-    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
-    def test_get_form_with_wrong_client_data_failing_auth(self):
-        """Ensure GETing form over OAuth with incorrect client credentials fails"""
-        auth = self._create_authorization_header()
-        params = self._client_credentials_params()
-        params['client_id'] += 'a'
-        response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
-        self.assertEqual(response.status_code, 401)
-
     @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
     def test_get_form_passing_auth(self):
         """Ensure GETing form over OAuth with correct client credentials succeed"""
-- 
cgit v1.2.3


From 8ec60a22e1c14792b7021ff9b4e940e16528788a Mon Sep 17 00:00:00 2001
From: Pierre Dulac
Date: Thu, 28 Mar 2013 00:57:23 +0100
Subject: Remove client credentials from all OAuth 2 tests

---
 rest_framework/tests/authentication.py | 45 ++++++++--------------------------
 1 file changed, 10 insertions(+), 35 deletions(-)

diff --git a/rest_framework/tests/authentication.py b/rest_framework/tests/authentication.py
index 629db422..8e6d3e51 100644
--- a/rest_framework/tests/authentication.py
+++ b/rest_framework/tests/authentication.py
@@ -466,17 +466,13 @@ class OAuth2Tests(TestCase):
     def _create_authorization_header(self, token=None):
         return "Bearer {0}".format(token or self.access_token.token)
 
-    def _client_credentials_params(self):
-        return {'client_id': self.CLIENT_ID, 'client_secret': self.CLIENT_SECRET}
-
     @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
     def test_get_form_with_wrong_authorization_header_token_type_failing(self):
         """Ensure that a wrong token type lead to the correct HTTP error status code"""
         auth = "Wrong token-type-obsviously"
         response = self.csrf_client.get('/oauth2-test/', {}, HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 401)
-        params = self._client_credentials_params()
-        response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        response = self.csrf_client.get('/oauth2-test/', HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 401)
 
     @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
@@ -485,8 +481,7 @@ class OAuth2Tests(TestCase):
         auth = "Bearer wrong token format"
         response = self.csrf_client.get('/oauth2-test/', {}, HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 401)
-        params = self._client_credentials_params()
-        response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        response = self.csrf_client.get('/oauth2-test/', HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 401)
 
     @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
@@ -495,27 +490,13 @@ class OAuth2Tests(TestCase):
         auth = "Bearer wrong-token"
         response = self.csrf_client.get('/oauth2-test/', {}, HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 401)
-        params = self._client_credentials_params()
-        response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        response = self.csrf_client.get('/oauth2-test/', HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 401)
 
     @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
     def test_get_form_passing_auth(self):
         """Ensure GETing form over OAuth with correct client credentials succeed"""
         auth = self._create_authorization_header()
-        params = self._client_credentials_params()
-        response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
-        self.assertEqual(response.status_code, 200)
-
-    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
-    def test_get_form_passing_auth_without_client_params(self):
-        """
-        Ensure GETing form over OAuth without client credentials
-
-        Regression test for issue #759:
-        https://github.com/tomchristie/django-rest-framework/issues/759
-        """
-        auth = self._create_authorization_header()
         response = self.csrf_client.get('/oauth2-test/', HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 200)
 
@@ -523,8 +504,7 @@ class OAuth2Tests(TestCase):
     def test_post_form_passing_auth(self):
         """Ensure POSTing form over OAuth with correct credentials passes and does not require CSRF"""
         auth = self._create_authorization_header()
-        params = self._client_credentials_params()
-        response = self.csrf_client.post('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        response = self.csrf_client.post('/oauth2-test/', HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 200)
 
     @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
@@ -532,16 +512,14 @@ class OAuth2Tests(TestCase):
         """Ensure POSTing when there is no OAuth access token in db fails"""
         self.access_token.delete()
         auth = self._create_authorization_header()
-        params = self._client_credentials_params()
-        response = self.csrf_client.post('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        response = self.csrf_client.post('/oauth2-test/', HTTP_AUTHORIZATION=auth)
         self.assertIn(response.status_code, (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN))
 
     @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
     def test_post_form_with_refresh_token_failing_auth(self):
         """Ensure POSTing with refresh token instead of access token fails"""
         auth = self._create_authorization_header(token=self.refresh_token.token)
-        params = self._client_credentials_params()
-        response = self.csrf_client.post('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        response = self.csrf_client.post('/oauth2-test/', HTTP_AUTHORIZATION=auth)
         self.assertIn(response.status_code, (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN))
 
     @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
@@ -550,8 +528,7 @@ class OAuth2Tests(TestCase):
         self.access_token.expires = datetime.datetime.now() - datetime.timedelta(seconds=10)  # 10 seconds late
         self.access_token.save()
         auth = self._create_authorization_header()
-        params = self._client_credentials_params()
-        response = self.csrf_client.post('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
+        response = self.csrf_client.post('/oauth2-test/', HTTP_AUTHORIZATION=auth)
         self.assertIn(response.status_code, (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN))
         self.assertIn('Invalid token', response.content)
 
@@ -562,10 +539,9 @@ class OAuth2Tests(TestCase):
         read_only_access_token.scope = oauth2_provider_scope.SCOPE_NAME_DICT['read']
         read_only_access_token.save()
         auth = self._create_authorization_header(token=read_only_access_token.token)
-        params = self._client_credentials_params()
-        response = self.csrf_client.get('/oauth2-with-scope-test/', params, HTTP_AUTHORIZATION=auth)
+        response = self.csrf_client.get('/oauth2-with-scope-test/', HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 200)
-        response = self.csrf_client.post('/oauth2-with-scope-test/', params, HTTP_AUTHORIZATION=auth)
+        response = self.csrf_client.post('/oauth2-with-scope-test/', HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
     @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
@@ -575,6 +551,5 @@ class OAuth2Tests(TestCase):
         read_write_access_token.scope = oauth2_provider_scope.SCOPE_NAME_DICT['write']
         read_write_access_token.save()
         auth = self._create_authorization_header(token=read_write_access_token.token)
-        params = self._client_credentials_params()
-        response = self.csrf_client.post('/oauth2-with-scope-test/', params, HTTP_AUTHORIZATION=auth)
+        response = self.csrf_client.post('/oauth2-with-scope-test/', HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 200)
-- 
cgit v1.2.3


From fa61b2b2f10bf07e3cb87ca947ce7f0ca51a2ede Mon Sep 17 00:00:00 2001
From: Pierre Dulac
Date: Thu, 28 Mar 2013 01:05:51 +0100
Subject: Remove oauth2-provider backends reference from compat.py

---
 rest_framework/compat.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/rest_framework/compat.py b/rest_framework/compat.py
index 7b2ef738..c3e423e8 100644
--- a/rest_framework/compat.py
+++ b/rest_framework/compat.py
@@ -445,14 +445,12 @@ except ImportError:
 # OAuth 2 support is optional
 try:
     import provider.oauth2 as oauth2_provider
-    from provider.oauth2 import backends as oauth2_provider_backends
     from provider.oauth2 import models as oauth2_provider_models
     from provider.oauth2 import forms as oauth2_provider_forms
     from provider import scope as oauth2_provider_scope
     from provider import constants as oauth2_constants
 except ImportError:
     oauth2_provider = None
-    oauth2_provider_backends = None
     oauth2_provider_models = None
     oauth2_provider_forms = None
     oauth2_provider_scope = None
-- 
cgit v1.2.3


From b10663e02408404844aca4b362aa24df816aca98 Mon Sep 17 00:00:00 2001
From: Kevin Stone
Date: Wed, 27 Mar 2013 17:55:36 -0700
Subject: Fixed DjangoFilterBackend not returning a query set.

Fixed bug unveiled in #682.

Signed-off-by: Kevin Stone <kevinastone@gmail.com>
---
 rest_framework/filters.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rest_framework/filters.py b/rest_framework/filters.py
index 6fea46fa..413fa0d2 100644
--- a/rest_framework/filters.py
+++ b/rest_framework/filters.py
@@ -55,6 +55,6 @@ class DjangoFilterBackend(BaseFilterBackend):
         filter_class = self.get_filter_class(view)
 
         if filter_class:
-            return filter_class(request.QUERY_PARAMS, queryset=queryset)
+            return filter_class(request.QUERY_PARAMS, queryset=queryset).qs
 
         return queryset
-- 
cgit v1.2.3


From d4df617f8c1980c1d5f1b91a6b9928185c4c4dce Mon Sep 17 00:00:00 2001
From: Kevin Stone
Date: Wed, 27 Mar 2013 18:29:50 -0700
Subject: Added unit test for failing DjangoFilterBackend on SingleObjectMixin
 that was resolved in b10663e02408404844aca4b362aa24df816aca98

Signed-off-by: Kevin Stone <kevinastone@gmail.com>
---
 rest_framework/tests/filterset.py | 75 +++++++++++++++++++++++++++++++++++----
 1 file changed, 69 insertions(+), 6 deletions(-)

diff --git a/rest_framework/tests/filterset.py b/rest_framework/tests/filterset.py
index 238da56e..1a71558c 100644
--- a/rest_framework/tests/filterset.py
+++ b/rest_framework/tests/filterset.py
@@ -1,11 +1,12 @@
 from __future__ import unicode_literals
 import datetime
 from decimal import Decimal
+from django.core.urlresolvers import reverse
 from django.test import TestCase
 from django.test.client import RequestFactory
 from django.utils import unittest
 from rest_framework import generics, status, filters
-from rest_framework.compat import django_filters
+from rest_framework.compat import django_filters, patterns, url
 from rest_framework.tests.models import FilterableItem, BasicModel
 
 factory = RequestFactory()
@@ -46,12 +47,21 @@ if django_filters:
         filter_class = MisconfiguredFilter
         filter_backend = filters.DjangoFilterBackend
 
+    class FilterClassDetailView(generics.RetrieveAPIView):
+        model = FilterableItem
+        filter_class = SeveralFieldsFilter
+        filter_backend = filters.DjangoFilterBackend
+
+    urlpatterns = patterns('',
+        url(r'^(?P<pk>\d+)/$', FilterClassDetailView.as_view(), name='detail-view'),
+        url(r'^$', FilterClassRootView.as_view(), name='root-view'),
+    )
 
-class IntegrationTestFiltering(TestCase):
-    """
-    Integration tests for filtered list views.
-    """
 
+class CommonFilteringTestCase(TestCase):
+    def _serialize_object(self, obj):
+        return {'id': obj.id, 'text': obj.text, 'decimal': obj.decimal, 'date': obj.date}
+    
     def setUp(self):
         """
         Create 10 FilterableItem instances.
@@ -65,10 +75,16 @@ class IntegrationTestFiltering(TestCase):
 
         self.objects = FilterableItem.objects
         self.data = [
-            {'id': obj.id, 'text': obj.text, 'decimal': obj.decimal, 'date': obj.date}
+            self._serialize_object(obj)
             for obj in self.objects.all()
         ]
 
+
+class IntegrationTestFiltering(CommonFilteringTestCase):
+    """
+    Integration tests for filtered list views.
+    """
+
     @unittest.skipUnless(django_filters, 'django-filters not installed')
     def test_get_filtered_fields_root_view(self):
         """
@@ -167,3 +183,50 @@ class IntegrationTestFiltering(TestCase):
         request = factory.get('/?integer=%s' % search_integer)
         response = view(request).render()
         self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+
+class IntegrationTestDetailFiltering(CommonFilteringTestCase):
+    """
+    Integration tests for filtered detail views.
+    """
+    urls = 'rest_framework.tests.filterset'
+    
+    def _get_url(self, item):
+        return reverse('detail-view', kwargs=dict(pk=item.pk))
+
+    @unittest.skipUnless(django_filters, 'django-filters not installed')
+    def test_get_filtered_detail_view(self):
+        """
+        GET requests to filtered RetrieveAPIView that have a filter_class set
+        should return filtered results.
+        """
+        item = self.objects.all()[0]
+        data = self._serialize_object(item)
+
+        # Basic test with no filter.
+        response = self.client.get(self._get_url(item))
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, data)
+
+        # Tests that the decimal filter set that should fail.
+        search_decimal = Decimal('4.25')
+        high_item = self.objects.filter(decimal__gt=search_decimal)[0]
+        response = self.client.get('{url}?decimal={param}'.format(url=self._get_url(high_item), param=search_decimal))
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+
+        # Tests that the decimal filter set that should succeed.
+        search_decimal = Decimal('4.25')
+        low_item = self.objects.filter(decimal__lt=search_decimal)[0]
+        low_item_data = self._serialize_object(low_item)
+        response = self.client.get('{url}?decimal={param}'.format(url=self._get_url(low_item), param=search_decimal))
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, low_item_data)
+        
+        # Tests that multiple filters works.
+        search_decimal = Decimal('5.25')
+        search_date = datetime.date(2012, 10, 2)
+        valid_item = self.objects.filter(decimal__lt=search_decimal, date__gt=search_date)[0]
+        valid_item_data = self._serialize_object(valid_item)
+        response = self.client.get('{url}?decimal={decimal}&date={date}'.format(url=self._get_url(valid_item), decimal=search_decimal, date=search_date))
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, valid_item_data)
-- 
cgit v1.2.3


From 3774ba3ed2af918563eb6ed945cc13aa7fa2345a Mon Sep 17 00:00:00 2001
From: glic3rinu
Date: Thu, 28 Mar 2013 12:01:08 +0100
Subject: Added force_text to compat

---
 rest_framework/compat.py                      | 31 +++++++++++++++++++++++++++
 rest_framework/templatetags/rest_framework.py |  3 ++-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/rest_framework/compat.py b/rest_framework/compat.py
index 7b2ef738..f0bb9c08 100644
--- a/rest_framework/compat.py
+++ b/rest_framework/compat.py
@@ -395,6 +395,37 @@ except ImportError:
             kw = dict((k, int(v)) for k, v in kw.iteritems() if v is not None)
             return datetime.datetime(**kw)
 
+
+# smart_urlquote is new on Django 1.4
+try:
+    from django.utils.html import smart_urlquote
+except ImportError:
+    try:
+        from urllib.parse import quote, urlsplit, urlunsplit
+    except ImportError:     # Python 2
+        from urllib import quote
+        from urlparse import urlsplit, urlunsplit
+
+    def smart_urlquote(url):
+        "Quotes a URL if it isn't already quoted."
+        # Handle IDN before quoting.
+        scheme, netloc, path, query, fragment = urlsplit(url)
+        try:
+            netloc = netloc.encode('idna').decode('ascii') # IDN -> ACE
+        except UnicodeError: # invalid domain part
+            pass
+        else:
+            url = urlunsplit((scheme, netloc, path, query, fragment))
+
+        # An URL is considered unquoted if it contains no % characters or
+        # contains a % not followed by two hexadecimal digits. See #9655.
+        if '%' not in url or unquoted_percents_re.search(url):
+            # See http://bugs.python.org/issue2637
+            url = quote(force_bytes(url), safe=b'!*\'();:@&=+$,/?#[]~')
+
+        return force_text(url)
+
+
 # Markdown is optional
 try:
     import markdown
diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index 78a3a9a1..33bae241 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -2,11 +2,12 @@ from __future__ import unicode_literals, absolute_import
 from django import template
 from django.core.urlresolvers import reverse, NoReverseMatch
 from django.http import QueryDict
-from django.utils.html import escape, smart_urlquote
+from django.utils.html import escape
 from django.utils.safestring import SafeData, mark_safe
 from rest_framework.compat import urlparse
 from rest_framework.compat import force_text
 from rest_framework.compat import six
+from rest_framework.compat import smart_urlquote
 import re
 import string
 
-- 
cgit v1.2.3


From 9c32f048b51ec6852236363932f0ab0dcc7473ac Mon Sep 17 00:00:00 2001
From: glic3rinu
Date: Thu, 28 Mar 2013 12:01:47 +0100
Subject: Cleaned imports on templatetags/rest_framework module

---
 rest_framework/templatetags/rest_framework.py | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index 33bae241..b6ab2de3 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -4,12 +4,8 @@ from django.core.urlresolvers import reverse, NoReverseMatch
 from django.http import QueryDict
 from django.utils.html import escape
 from django.utils.safestring import SafeData, mark_safe
-from rest_framework.compat import urlparse
-from rest_framework.compat import force_text
-from rest_framework.compat import six
-from rest_framework.compat import smart_urlquote
-import re
-import string
+from rest_framework.compat import urlparse, force_text, six, smart_urlquote
+import re, string
 
 register = template.Library()
 
-- 
cgit v1.2.3


From fb105d138cdcb178ed08c6616c0c25f4a03fb2e1 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Thu, 28 Mar 2013 14:54:25 +0000
Subject: Minor tweak

---
 docs/topics/contributing.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/topics/contributing.md b/docs/topics/contributing.md
index a13f4461..1d1fe892 100644
--- a/docs/topics/contributing.md
+++ b/docs/topics/contributing.md
@@ -18,7 +18,7 @@ When answering questions make sure to help future contributors find their way ar
 
 # Issues
 
-Usage questions should be directed to the [discussion group][google-group].  Feature requests, bug reports and other issues should be raised on the GitHub [issue tracker][issues].
+It's really helpful if you make sure you address issues to the correct channel.  Usage questions should be directed to the [discussion group][google-group].  Feature requests, bug reports and other issues should be raised on the GitHub [issue tracker][issues].
 
 Some tips on good issue reporting:
 
-- 
cgit v1.2.3


From d243538547982781635e01d9b6e74afbbd628e16 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Thu, 28 Mar 2013 14:54:42 +0000
Subject: Note on using curl with token auth

---
 docs/api-guide/authentication.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md
index 541c6575..757b8673 100644
--- a/docs/api-guide/authentication.md
+++ b/docs/api-guide/authentication.md
@@ -119,6 +119,8 @@ To use the `TokenAuthentication` scheme, include `rest_framework.authtoken` in y
         ...
         'rest_framework.authtoken'
     )
+    
+Make sure to run `manage.py syncdb` after changing your settings.
 
 You'll also need to create tokens for your users.
 
@@ -140,6 +142,10 @@ Unauthenticated responses that are denied permission will result in an `HTTP 401
 
     WWW-Authenticate: Token
 
+The `curl` command line tool may be useful for testing token authenticated APIs.  For example:
+
+    curl -X GET http://127.0.0.1:8000/api/example/ -H 'Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b'
+
 ---
 
 **Note:** If you use `TokenAuthentication` in production you must ensure that your API is only available over `https` only.
-- 
cgit v1.2.3


From 69cbafc64f65a23b4ed4c652a8965873a18929a0 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Thu, 28 Mar 2013 15:58:53 +0000
Subject: Add search and next/prev

---
 docs/css/default.css | 11 ++++++++
 docs/template.html   | 31 ++++++++++++++++++++++
 mkdocs.py            | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 116 insertions(+), 1 deletion(-)

diff --git a/docs/css/default.css b/docs/css/default.css
index c160b63d..173d70e0 100644
--- a/docs/css/default.css
+++ b/docs/css/default.css
@@ -277,3 +277,14 @@ footer a {
 footer a:hover {
   color: gray;
 }
+
+.btn-inverse {
+  background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#606060), to(#404040)) !important;
+  background-image: -webkit-linear-gradient(top, #606060, #404040) !important;
+}
+
+.modal-open .modal,.btn:focus{outline:none;}
+
+@media (max-width: 650px) {
+  .repo-link.btn-inverse {display: none;}
+}
diff --git a/docs/template.html b/docs/template.html
index 3e0f29aa..7e929762 100644
--- a/docs/template.html
+++ b/docs/template.html
@@ -41,6 +41,9 @@
       <div class="navbar-inner">
         <div class="container-fluid">
             <a class="repo-link btn btn-primary btn-small" href="https://github.com/tomchristie/django-rest-framework/tree/master">GitHub</a>
+            <a class="repo-link btn btn-inverse btn-small {{ next_url_disabled }}" href="{{ next_url }}">Next <i class="icon-arrow-right icon-white"></i></a>
+            <a class="repo-link btn btn-inverse btn-small {{ prev_url_disabled }}" href="{{ prev_url }}"><i class="icon-arrow-left icon-white"></i> Previous</a>
+            <a class="repo-link btn btn-inverse btn-small" href="#searchModal" data-toggle="modal"><i class="icon-search icon-white"></i> Search</a>
           <a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
             <span class="icon-bar"></span>
             <span class="icon-bar"></span>
@@ -118,6 +121,34 @@
 
     <div class="body-content">
       <div class="container-fluid">
+
+<!-- Search Modal -->
+<div id="searchModal" class="modal hide fade" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
+  <div class="modal-header">
+    <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
+    <h3 id="myModalLabel">Documentation search</h3>
+  </div>
+  <div class="modal-body">
+    <!-- Custom google search -->
+    <script>
+      (function() {
+        var cx = '015016005043623903336:rxraeohqk6w';
+        var gcse = document.createElement('script');
+        gcse.type = 'text/javascript';
+        gcse.async = true;
+        gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
+            '//www.google.com/cse/cse.js?cx=' + cx;
+        var s = document.getElementsByTagName('script')[0];
+        s.parentNode.insertBefore(gcse, s);
+      })();
+    </script>
+    <gcse:search></gcse:search>
+  </div>
+  <div class="modal-footer">
+    <button class="btn" data-dismiss="modal" aria-hidden="true">Close</button>
+  </div>
+</div>
+
         <div class="row-fluid">
 
           <div class="span3">
diff --git a/mkdocs.py b/mkdocs.py
index f6c89e04..dadb17d2 100755
--- a/mkdocs.py
+++ b/mkdocs.py
@@ -37,6 +37,60 @@ page = open(os.path.join(docs_dir, 'template.html'), 'r').read()
 #         shutil.rmtree(target)
 #     shutil.copytree(source, target)
 
+
+# Hacky, but what the hell, it'll do the job
+path_list = [
+    'index.md',
+    'tutorial/quickstart.md',
+    'tutorial/1-serialization.md',
+    'tutorial/2-requests-and-responses.md',
+    'tutorial/3-class-based-views.md',
+    'tutorial/4-authentication-and-permissions.md',
+    'tutorial/5-relationships-and-hyperlinked-apis.md',
+    'api-guide/requests.md',
+    'api-guide/responses.md',
+    'api-guide/views.md',
+    'api-guide/generic-views.md',
+    'api-guide/parsers.md',
+    'api-guide/renderers.md',
+    'api-guide/serializers.md',
+    'api-guide/fields.md',
+    'api-guide/relations.md',
+    'api-guide/authentication.md',
+    'api-guide/permissions.md',
+    'api-guide/throttling.md',
+    'api-guide/filtering.md',
+    'api-guide/pagination.md',
+    'api-guide/content-negotiation.md',
+    'api-guide/format-suffixes.md',
+    'api-guide/reverse.md',
+    'api-guide/exceptions.md',
+    'api-guide/status-codes.md',
+    'api-guide/settings.md',
+    'topics/ajax-csrf-cors.md',
+    'topics/browser-enhancements.md',
+    'topics/browsable-api.md',
+    'topics/rest-hypermedia-hateoas.md',
+    'topics/contributing.md',
+    'topics/rest-framework-2-announcement.md',
+    'topics/2.2-announcement.md',
+    'topics/release-notes.md',
+    'topics/credits.md',
+]
+
+prev_url_map = {}
+next_url_map = {}
+for idx in range(len(path_list)):
+    path = path_list[idx]
+    rel = '../' * path.count('/')
+
+    if idx > 0:
+        prev_url_map[path] = rel + path_list[idx - 1][:-3] + suffix
+
+    if idx < len(path_list) - 1:
+        next_url_map[path] = rel + path_list[idx + 1][:-3] + suffix
+
+
 for (dirpath, dirnames, filenames) in os.walk(docs_dir):
     relative_dir = dirpath.replace(docs_dir, '').lstrip(os.path.sep)
     build_dir = os.path.join(html_dir, relative_dir)
@@ -46,6 +100,7 @@ for (dirpath, dirnames, filenames) in os.walk(docs_dir):
 
     for filename in filenames:
         path = os.path.join(dirpath, filename)
+        relative_path = os.path.join(relative_dir, filename)
 
         if not filename.endswith('.md'):
             if relative_dir:
@@ -78,16 +133,34 @@ for (dirpath, dirnames, filenames) in os.walk(docs_dir):
             toc += template + '\n'
 
         if filename == 'index.md':
-            main_title = 'Django REST framework - APIs made easy'
+            main_title = 'Django REST framework - Web Browseable APIs'
         else:
             main_title = 'Django REST framework - ' + main_title
 
+        prev_url = prev_url_map.get(relative_path)
+        next_url = next_url_map.get(relative_path)
+
         content = markdown.markdown(text, ['headerid'])
 
         output = page.replace('{{ content }}', content).replace('{{ toc }}', toc).replace('{{ base_url }}', base_url).replace('{{ suffix }}', suffix).replace('{{ index }}', index)
         output = output.replace('{{ title }}', main_title)
         output = output.replace('{{ description }}', description)
         output = output.replace('{{ page_id }}', filename[:-3])
+
+        if prev_url:
+            output = output.replace('{{ prev_url }}', prev_url)
+            output = output.replace('{{ prev_url_disabled }}', '')
+        else:
+            output = output.replace('{{ prev_url }}', '#')
+            output = output.replace('{{ prev_url_disabled }}', 'disabled')
+
+        if next_url:
+            output = output.replace('{{ next_url }}', next_url)
+            output = output.replace('{{ next_url_disabled }}', '')
+        else:
+            output = output.replace('{{ next_url }}', '#')
+            output = output.replace('{{ next_url_disabled }}', 'disabled')
+
         output = re.sub(r'a href="([^"]*)\.md"', r'a href="\1%s"' % suffix, output)
         output = re.sub(r'<pre><code>:::bash', r'<pre class="prettyprint lang-bsh">', output)
         output = re.sub(r'<pre>', r'<pre class="prettyprint lang-py">', output)
-- 
cgit v1.2.3


From ea33511260c65ed339d0a418a1c0e8aeaf3966d3 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Thu, 28 Mar 2013 16:02:20 +0000
Subject: Change strapline

---
 docs/index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/index.md b/docs/index.md
index 5357536d..1d47f497 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -9,9 +9,9 @@
 
 # Django REST framework
 
-**Web APIs for Django, made easy.**
+**Awesome web-browseable Web APIs for Django.**
 
-Django REST framework is a flexible, powerful library that makes it incredibly easy to build Web APIs.  It is designed as a modular and easy to customize architecture, based on Django's class based views.
+Django REST framework is a flexible, powerful Web API toolkit.  It is designed as a modular and easy to customize architecture, based on Django's class based views.
 
 APIs built using REST framework are fully self-describing and web browseable - a huge useability win for your developers.  It also supports a wide range of media types, authentication and permission policies out of the box.
 
-- 
cgit v1.2.3


From 4531ded061831a9cf402c6c5d84e42f31bc025ad Mon Sep 17 00:00:00 2001
From: Kevin Stone
Date: Thu, 28 Mar 2013 18:48:48 -0700
Subject: Removed pagination regression special case for Django<1.4.   Having
 DjangoFilterBackend return an actual query set fixes this issue.

Signed-off-by: Kevin Stone <kevinastone@gmail.com>
---
 rest_framework/tests/pagination.py | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/rest_framework/tests/pagination.py b/rest_framework/tests/pagination.py
index d2c9b051..6b8ef02f 100644
--- a/rest_framework/tests/pagination.py
+++ b/rest_framework/tests/pagination.py
@@ -129,16 +129,6 @@ class IntegrationTestPaginationAndFiltering(TestCase):
         view = FilterFieldsRootView.as_view()
 
         EXPECTED_NUM_QUERIES = 2
-        if django.VERSION < (1, 4):
-            # On Django 1.3 we need to use django-filter 0.5.4
-            #
-            # The filter objects there don't expose a `.count()` method,
-            # which means we only make a single query *but* it's a single
-            # query across *all* of the queryset, instead of a COUNT and then
-            # a SELECT with a LIMIT.
-            #
-            # Although this is fewer queries, it's actually a regression.
-            EXPECTED_NUM_QUERIES = 1
 
         request = factory.get('/?decimal=15.20')
         with self.assertNumQueries(EXPECTED_NUM_QUERIES):
-- 
cgit v1.2.3


From 89f3c1f8c4cd8466cf8108b5ca042750c0064dfb Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Fri, 29 Mar 2013 13:44:50 +0000
Subject: Update release-notes.md

---
 docs/topics/release-notes.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index e63aee49..6551c1af 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -40,6 +40,12 @@ You can determine your currently installed version using `pip freeze`:
 
 ## 2.2.x series
 
+### Master
+
+* OAuth2 authentication no longer requires unneccessary URL parameters in addition to the token.
+* URL hyperlinking in browseable API no handles more cases correctly.
+* Bugfix: Fix regression with DjangoFilterBackend not worthing correctly with single object views.
+
 ### 2.2.5
 
 **Date**: 26th March 2013
-- 
cgit v1.2.3


From 2e06f5c832479c8802f8bd8654fba5597ee228cc Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Fri, 29 Mar 2013 17:26:58 +0000
Subject: Fix typo

---
 docs/topics/release-notes.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 6551c1af..62c31358 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -43,7 +43,7 @@ You can determine your currently installed version using `pip freeze`:
 ### Master
 
 * OAuth2 authentication no longer requires unneccessary URL parameters in addition to the token.
-* URL hyperlinking in browseable API no handles more cases correctly.
+* URL hyperlinking in browseable API now handles more cases correctly.
 * Bugfix: Fix regression with DjangoFilterBackend not worthing correctly with single object views.
 
 ### 2.2.5
-- 
cgit v1.2.3


From c4eda3a653ada3110dd6c128f176b15071cb8cfe Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Sat, 30 Mar 2013 15:39:25 +0000
Subject: Tweak strapline

---
 docs/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/index.md b/docs/index.md
index 1d47f497..4c2720c8 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -9,7 +9,7 @@
 
 # Django REST framework
 
-**Awesome web-browseable Web APIs for Django.**
+**Awesome web-browseable Web APIs.**
 
 Django REST framework is a flexible, powerful Web API toolkit.  It is designed as a modular and easy to customize architecture, based on Django's class based views.
 
-- 
cgit v1.2.3


From 33ce7dfac4c9279ad6035d520a421cc7d77ffae5 Mon Sep 17 00:00:00 2001
From: Victor Shih
Date: Sat, 30 Mar 2013 20:28:27 -0700
Subject: Spelling/grammar fixes.

---
 docs/api-guide/generic-views.md | 2 +-
 docs/api-guide/serializers.md   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 docs/api-guide/generic-views.md
 mode change 100644 => 100755 docs/api-guide/serializers.md

diff --git a/docs/api-guide/generic-views.md b/docs/api-guide/generic-views.md
old mode 100644
new mode 100755
index 20f1be63..cef9a9d4
--- a/docs/api-guide/generic-views.md
+++ b/docs/api-guide/generic-views.md
@@ -200,7 +200,7 @@ Should be mixed in with any [GenericAPIView].
 
 Provides a `.retrieve(request, *args, **kwargs)` method, that implements returning an existing model instance in a response.
 
-If an object can be retrieve this returns a `200 OK` response, with a serialized representation of the object as the body of the response.  Otherwise it will return a `404 Not Found`.
+If an object can be retrieved this returns a `200 OK` response, with a serialized representation of the object as the body of the response.  Otherwise it will return a `404 Not Found`.
 
 Should be mixed in with [SingleObjectAPIView].
 
diff --git a/docs/api-guide/serializers.md b/docs/api-guide/serializers.md
old mode 100644
new mode 100755
index 1a3c3431..2797b5f5
--- a/docs/api-guide/serializers.md
+++ b/docs/api-guide/serializers.md
@@ -353,7 +353,7 @@ The `depth` option should be set to an integer value that indicates the depth of
 
 ## Specifying which fields should be read-only 
 
-You may wish to specify multiple fields as read-only. Instead of adding each field explicitely with the `read_only=True` attribute, you may use the `read_only_fields` Meta option, like so:
+You may wish to specify multiple fields as read-only. Instead of adding each field explicitly with the `read_only=True` attribute, you may use the `read_only_fields` Meta option, like so:
 
     class AccountSerializer(serializers.ModelSerializer):
         class Meta:
-- 
cgit v1.2.3


From 7d7c03eb2464110c281ce35e5cc73f02c349068d Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Mon, 1 Apr 2013 17:09:36 +0200
Subject: Added @vshih for docs fixes in #769.  Thanks!

---
 docs/topics/credits.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/topics/credits.md b/docs/topics/credits.md
index 7dd9cd2c..6edf347e 100644
--- a/docs/topics/credits.md
+++ b/docs/topics/credits.md
@@ -113,6 +113,7 @@ The following people have helped make REST framework great.
 * Pierre Dulac - [dulaccc]
 * Dave Kuhn - [kuhnza]
 * Sitong Peng - [stoneg]
+* Victor Shih - [vshih]
 
 Many thanks to everyone who's contributed to the project.
 
@@ -260,3 +261,4 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
 [dulaccc]: https://github.com/dulaccc
 [kuhnza]: https://github.com/kuhnza
 [stoneg]: https://github.com/stoneg
+[vshih]: https://github.com/vshih
-- 
cgit v1.2.3


From 76d1c47905680fafa32596d1dda8d9ae20827acf Mon Sep 17 00:00:00 2001
From: glic3rinu
Date: Mon, 1 Apr 2013 20:15:05 +0200
Subject: Fixed IPv6 support for urlize_quoted_links

---
 rest_framework/templatetags/rest_framework.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index b6ab2de3..1d7a499f 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -181,7 +181,7 @@ TRAILING_PUNCTUATION = ['.', ',', ':', ';', '.)', '"', "'"]
 WRAPPING_PUNCTUATION = [('(', ')'), ('<', '>'), ('[', ']'), ('&lt;', '&gt;'),
                         ('"', '"'), ("'", "'")]
 word_split_re = re.compile(r'(\s+)')
-simple_url_re = re.compile(r'^https?://\w', re.IGNORECASE)
+simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE)
 simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)$', re.IGNORECASE)
 simple_email_re = re.compile(r'^\S+@\S+\.\S+$')
 
-- 
cgit v1.2.3


From 889558365bb3947ab77f47207381d5ff6316fa4f Mon Sep 17 00:00:00 2001
From: J. Paul Reed
Date: Tue, 2 Apr 2013 01:41:31 -0700
Subject: Don't have the ModelSerializer trust deserialized objects to not have
 redefine bool()ean-ness.

If the model we're using the ModelSerializer for has redefined methods that act as a boolean (__bool__ or __len__), it may not return the object even though it is_valid(), and should.
---
 rest_framework/serializers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rest_framework/serializers.py b/rest_framework/serializers.py
index 1b2b0821..e28bbe81 100644
--- a/rest_framework/serializers.py
+++ b/rest_framework/serializers.py
@@ -741,7 +741,7 @@ class ModelSerializer(Serializer):
         Override the default method to also include model field validation.
         """
         instance = super(ModelSerializer, self).from_native(data, files)
-        if instance:
+        if not self._errors:
             return self.full_clean(instance)
 
     def save_object(self, obj, **kwargs):
-- 
cgit v1.2.3


From 74fbd5ccc5b2aa2f0aab25ead5ffa36024079fcf Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Wed, 3 Apr 2013 09:20:36 +0100
Subject: Fix bug with inactive user accessing OAuth

---
 rest_framework/authentication.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/rest_framework/authentication.py b/rest_framework/authentication.py
index 145d4295..3e7e89e8 100644
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@@ -10,7 +10,7 @@ from django.core.exceptions import ImproperlyConfigured
 from rest_framework import exceptions, HTTP_HEADER_ENCODING
 from rest_framework.compat import CsrfViewMiddleware
 from rest_framework.compat import oauth, oauth_provider, oauth_provider_store
-from rest_framework.compat import oauth2_provider, oauth2_provider_forms
+from rest_framework.compat import oauth2_provider
 from rest_framework.authtoken.models import Token
 
 
@@ -325,11 +325,13 @@ class OAuth2Authentication(BaseAuthentication):
         except oauth2_provider.models.AccessToken.DoesNotExist:
             raise exceptions.AuthenticationFailed('Invalid token')
 
-        if not token.user.is_active:
+        user = token.user
+
+        if not user.is_active:
             msg = 'User inactive or deleted: %s' % user.username
             raise exceptions.AuthenticationFailed(msg)
 
-        return (token.user, token)
+        return (user, token)
 
     def authenticate_header(self, request):
         """
-- 
cgit v1.2.3


From 80d28de03477a8dab3832707ca4489c4b2e78e5d Mon Sep 17 00:00:00 2001
From: Atle Frenvik Sveen
Date: Wed, 3 Apr 2013 13:10:41 +0200
Subject: Fix the fact that InvalidConsumerError and InvalidTokenError wasn't
 imported correctly from oauth_provider

---
 rest_framework/authentication.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rest_framework/authentication.py b/rest_framework/authentication.py
index 3e7e89e8..1eebb5b9 100644
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@@ -230,7 +230,7 @@ class OAuthAuthentication(BaseAuthentication):
         try:
             consumer_key = oauth_request.get_parameter('oauth_consumer_key')
             consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
-        except oauth_provider_store.InvalidConsumerError as err:
+        except oauth_provider.store.InvalidConsumerError as err:
             raise exceptions.AuthenticationFailed(err)
 
         if consumer.status != oauth_provider.consts.ACCEPTED:
@@ -240,7 +240,7 @@ class OAuthAuthentication(BaseAuthentication):
         try:
             token_param = oauth_request.get_parameter('oauth_token')
             token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
-        except oauth_provider_store.InvalidTokenError:
+        except oauth_provider.store.InvalidTokenError:
             msg = 'Invalid access token: %s' % oauth_request.get_parameter('oauth_token')
             raise exceptions.AuthenticationFailed(msg)
 
-- 
cgit v1.2.3


From afd64dc51ab9cc7603d82b5cdfa7ceebc49e9766 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Wed, 3 Apr 2013 13:50:26 +0200
Subject: Added @atlefren for bugfix in #776

---
 docs/topics/credits.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/topics/credits.md b/docs/topics/credits.md
index 6edf347e..f6734f24 100644
--- a/docs/topics/credits.md
+++ b/docs/topics/credits.md
@@ -114,6 +114,7 @@ The following people have helped make REST framework great.
 * Dave Kuhn - [kuhnza]
 * Sitong Peng - [stoneg]
 * Victor Shih - [vshih]
+* Atle Frenvik Sveen - [atlefren]
 
 Many thanks to everyone who's contributed to the project.
 
@@ -262,3 +263,4 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
 [kuhnza]: https://github.com/kuhnza
 [stoneg]: https://github.com/stoneg
 [vshih]: https://github.com/vshih
+[atlefren]: https://github.com/atlefren
-- 
cgit v1.2.3


From c39ef12de013525141f4bf8702baf828c38eefd7 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Wed, 3 Apr 2013 13:53:18 +0200
Subject: Update release-notes.md

---
 docs/topics/release-notes.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 62c31358..eb93bf78 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -45,6 +45,7 @@ You can determine your currently installed version using `pip freeze`:
 * OAuth2 authentication no longer requires unneccessary URL parameters in addition to the token.
 * URL hyperlinking in browseable API now handles more cases correctly.
 * Bugfix: Fix regression with DjangoFilterBackend not worthing correctly with single object views.
+* Bugfix: OAuth should fail hard when invalid token used.
 
 ### 2.2.5
 
-- 
cgit v1.2.3


From cd94cfc44185c3f1eb9075df1cc6c5df6e6aa1ce Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Wed, 3 Apr 2013 13:55:58 +0200
Subject: Added @preed for bugfix #772. Thanks!

---
 docs/topics/credits.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/topics/credits.md b/docs/topics/credits.md
index f6734f24..da49e521 100644
--- a/docs/topics/credits.md
+++ b/docs/topics/credits.md
@@ -115,6 +115,7 @@ The following people have helped make REST framework great.
 * Sitong Peng - [stoneg]
 * Victor Shih - [vshih]
 * Atle Frenvik Sveen - [atlefren]
+* J. Paul Reed - [preed]
 
 Many thanks to everyone who's contributed to the project.
 
@@ -264,3 +265,4 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
 [stoneg]: https://github.com/stoneg
 [vshih]: https://github.com/vshih
 [atlefren]: https://github.com/atlefren
+[preed]: https://github.com/preed
-- 
cgit v1.2.3


From df30b345b1166d5bb50a9d880fbbff90201372a4 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Wed, 3 Apr 2013 13:58:42 +0200
Subject: Update release-notes.md

---
 docs/topics/release-notes.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index eb93bf78..7242dcce 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -46,6 +46,7 @@ You can determine your currently installed version using `pip freeze`:
 * URL hyperlinking in browseable API now handles more cases correctly.
 * Bugfix: Fix regression with DjangoFilterBackend not worthing correctly with single object views.
 * Bugfix: OAuth should fail hard when invalid token used.
+* Bugfix: Fix serializer potentially returning `None` object for models that define `__bool__` or `__len__`. 
 
 ### 2.2.5
 
-- 
cgit v1.2.3


From 92b5db593953f03a17ca0fcee2b9ea91a29cb143 Mon Sep 17 00:00:00 2001
From: glic3rinu
Date: Thu, 4 Apr 2013 12:11:04 +0200
Subject: Added break_long_headers on templatetags and base template

---
 rest_framework/templates/rest_framework/base.html |  2 +-
 rest_framework/templatetags/rest_framework.py     | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/rest_framework/templates/rest_framework/base.html b/rest_framework/templates/rest_framework/base.html
index 44633f5a..4410f285 100644
--- a/rest_framework/templates/rest_framework/base.html
+++ b/rest_framework/templates/rest_framework/base.html
@@ -115,7 +115,7 @@
             </div>
             <div class="response-info">
                 <pre class="prettyprint"><div class="meta nocode"><b>HTTP {{ response.status_code }} {{ response.status_text }}</b>{% autoescape off %}
-{% for key, val in response.items %}<b>{{ key }}:</b> <span class="lit">{{ val|urlize_quoted_links }}</span>
+{% for key, val in response.items %}<b>{{ key }}:</b> <span class="lit">{{ val|break_long_headers|urlize_quoted_links }}</span>
 {% endfor %}
 </div>{{ content|urlize_quoted_links }}</pre>{% endautoescape %}
             </div>
diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index 1d7a499f..189e82f6 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -260,3 +260,14 @@ def urlize_quoted_links(text, trim_url_limit=None, nofollow=True, autoescape=Tru
         elif autoescape:
             words[i] = escape(word)
     return ''.join(words)
+
+
+@register.filter
+def break_long_headers(header):
+    """
+    Breaks headers longer than 160 characters (~page length)
+    when possible (are comma separated)
+    """
+    if len(header) > 160:
+        header = mark_safe('<br> ' + ', <br>'.join(header.split(',')))
+    return header
-- 
cgit v1.2.3


From b6c7730d7f31e84b5f120071ddf9c7ab08e4e7da Mon Sep 17 00:00:00 2001
From: glic3rinu
Date: Thu, 4 Apr 2013 14:01:47 +0200
Subject: Fixed comma detection in break_long_headers templatetag

---
 rest_framework/templatetags/rest_framework.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index 189e82f6..c86b6456 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -268,6 +268,6 @@ def break_long_headers(header):
     Breaks headers longer than 160 characters (~page length)
     when possible (are comma separated)
     """
-    if len(header) > 160:
+    if len(header) > 160 and ',' in header:
         header = mark_safe('<br> ' + ', <br>'.join(header.split(',')))
     return header
-- 
cgit v1.2.3


From e8978eaf6873ac4c651322fd386d8103a9d02c1f Mon Sep 17 00:00:00 2001
From: glic3rinu
Date: Thu, 4 Apr 2013 14:02:20 +0200
Subject: Added break_long_headers on the release notes

---
 docs/topics/release-notes.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 7242dcce..2a181cc5 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -44,6 +44,7 @@ You can determine your currently installed version using `pip freeze`:
 
 * OAuth2 authentication no longer requires unneccessary URL parameters in addition to the token.
 * URL hyperlinking in browseable API now handles more cases correctly.
+* Long HTTP headers are broken in multiple lines when possible in browsable API.
 * Bugfix: Fix regression with DjangoFilterBackend not worthing correctly with single object views.
 * Bugfix: OAuth should fail hard when invalid token used.
 * Bugfix: Fix serializer potentially returning `None` object for models that define `__bool__` or `__len__`. 
-- 
cgit v1.2.3


From 77ac2044294cb1dc40d715abd1bb63543beac95b Mon Sep 17 00:00:00 2001
From: glic3rinu
Date: Thu, 4 Apr 2013 14:07:56 +0200
Subject: Rephrased break_long_headers release notes line

---
 docs/topics/release-notes.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 2a181cc5..609b4504 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -44,7 +44,7 @@ You can determine your currently installed version using `pip freeze`:
 
 * OAuth2 authentication no longer requires unneccessary URL parameters in addition to the token.
 * URL hyperlinking in browseable API now handles more cases correctly.
-* Long HTTP headers are broken in multiple lines when possible in browsable API.
+* Long HTTP headers in browsable API are broken in multiple lines when possible.
 * Bugfix: Fix regression with DjangoFilterBackend not worthing correctly with single object views.
 * Bugfix: OAuth should fail hard when invalid token used.
 * Bugfix: Fix serializer potentially returning `None` object for models that define `__bool__` or `__len__`. 
-- 
cgit v1.2.3


From ad9aa23198bf1008651a778dd3f633570d4ee2d3 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Thu, 4 Apr 2013 21:51:41 +0100
Subject: Use consistent header style in tutorial part 5

---
 docs/tutorial/5-relationships-and-hyperlinked-apis.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/tutorial/5-relationships-and-hyperlinked-apis.md b/docs/tutorial/5-relationships-and-hyperlinked-apis.md
index a702a09d..27a10840 100644
--- a/docs/tutorial/5-relationships-and-hyperlinked-apis.md
+++ b/docs/tutorial/5-relationships-and-hyperlinked-apis.md
@@ -1,4 +1,4 @@
-# Tutorial 5 - Relationships & Hyperlinked APIs
+# Tutorial 5: Relationships & Hyperlinked APIs
 
 At the moment relationships within our API are represented by using primary keys.  In this part of the tutorial we'll improve the cohesion and discoverability of our API, by instead using hyperlinking for relationships. 
 
-- 
cgit v1.2.3


From c2280e34ece1867432c87a9654d31a708281b05a Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Thu, 4 Apr 2013 21:53:15 +0100
Subject: Version 2.2.6

---
 docs/topics/release-notes.md | 4 +++-
 rest_framework/__init__.py   | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 609b4504..d89bf80f 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -40,7 +40,9 @@ You can determine your currently installed version using `pip freeze`:
 
 ## 2.2.x series
 
-### Master
+### 2.2.6
+
+**Date**: 4th April 2013
 
 * OAuth2 authentication no longer requires unneccessary URL parameters in addition to the token.
 * URL hyperlinking in browseable API now handles more cases correctly.
diff --git a/rest_framework/__init__.py b/rest_framework/__init__.py
index c86403d8..7ac12058 100644
--- a/rest_framework/__init__.py
+++ b/rest_framework/__init__.py
@@ -1,4 +1,4 @@
-__version__ = '2.2.5'
+__version__ = '2.2.6'
 
 VERSION = __version__  # synonym
 
-- 
cgit v1.2.3


From 3f91379e4eaf07418a99fda1932af91511c55e7b Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Wed, 10 Apr 2013 09:24:24 +0100
Subject: Fix 1.3 compat issue.  Closes #780

---
 rest_framework/compat.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/rest_framework/compat.py b/rest_framework/compat.py
index 6551723a..067e9018 100644
--- a/rest_framework/compat.py
+++ b/rest_framework/compat.py
@@ -400,19 +400,23 @@ except ImportError:
 try:
     from django.utils.html import smart_urlquote
 except ImportError:
+    import re
+    from django.utils.encoding import smart_str
     try:
         from urllib.parse import quote, urlsplit, urlunsplit
     except ImportError:     # Python 2
         from urllib import quote
         from urlparse import urlsplit, urlunsplit
 
+    unquoted_percents_re = re.compile(r'%(?![0-9A-Fa-f]{2})')
+
     def smart_urlquote(url):
         "Quotes a URL if it isn't already quoted."
         # Handle IDN before quoting.
         scheme, netloc, path, query, fragment = urlsplit(url)
         try:
-            netloc = netloc.encode('idna').decode('ascii') # IDN -> ACE
-        except UnicodeError: # invalid domain part
+            netloc = netloc.encode('idna').decode('ascii')  # IDN -> ACE
+        except UnicodeError:  # invalid domain part
             pass
         else:
             url = urlunsplit((scheme, netloc, path, query, fragment))
@@ -421,7 +425,7 @@ except ImportError:
         # contains a % not followed by two hexadecimal digits. See #9655.
         if '%' not in url or unquoted_percents_re.search(url):
             # See http://bugs.python.org/issue2637
-            url = quote(force_bytes(url), safe=b'!*\'();:@&=+$,/?#[]~')
+            url = quote(smart_str(url), safe=b'!*\'();:@&=+$,/?#[]~')
 
         return force_text(url)
 
-- 
cgit v1.2.3


From b73dfb9cc15e96994c4d6a5ff8b2a18538bcaf74 Mon Sep 17 00:00:00 2001
From: Victor Shih
Date: Wed, 10 Apr 2013 22:00:40 -0700
Subject: Remove redundant text.

---
 docs/api-guide/authentication.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 mode change 100644 => 100755 docs/api-guide/authentication.md

diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md
old mode 100644
new mode 100755
index 0eea31d7..1f08f542
--- a/docs/api-guide/authentication.md
+++ b/docs/api-guide/authentication.md
@@ -107,7 +107,7 @@ Unauthenticated responses that are denied permission will result in an `HTTP 401
 
     WWW-Authenticate: Basic realm="api"
 
-**Note:** If you use `BasicAuthentication` in production you must ensure that your API is only available over `https` only.  You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage.
+**Note:** If you use `BasicAuthentication` in production you must ensure that your API is only available over `https`.  You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage.
 
 ## TokenAuthentication
 
@@ -148,7 +148,7 @@ The `curl` command line tool may be useful for testing token authenticated APIs.
 
 ---
 
-**Note:** If you use `TokenAuthentication` in production you must ensure that your API is only available over `https` only.
+**Note:** If you use `TokenAuthentication` in production you must ensure that your API is only available over `https`.
 
 ---
 
@@ -259,7 +259,7 @@ Finally, sync your database.
 
 ---
 
-**Note:** If you use `OAuth2Authentication` in production you must ensure that your API is only available over `https` only.
+**Note:** If you use `OAuth2Authentication` in production you must ensure that your API is only available over `https`.
 
 ---
 
-- 
cgit v1.2.3


From 5a5a602f8ad2e84b36aa88d86334c5afecc40295 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Sat, 13 Apr 2013 20:07:36 +0100
Subject: Allow overriding get_object to work correctly. Fixes #784

---
 rest_framework/generics.py | 1 +
 rest_framework/mixins.py   | 4 +---
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/rest_framework/generics.py b/rest_framework/generics.py
index 36ecf915..f9133c73 100644
--- a/rest_framework/generics.py
+++ b/rest_framework/generics.py
@@ -130,6 +130,7 @@ class SingleObjectAPIView(SingleObjectMixin, GenericAPIView):
         """
         Override default to add support for object-level permissions.
         """
+        queryset = self.filter_queryset(self.get_queryset())
         obj = super(SingleObjectAPIView, self).get_object(queryset)
         self.check_object_permissions(self.request, obj)
         return obj
diff --git a/rest_framework/mixins.py b/rest_framework/mixins.py
index 7d9a6e65..3bd7d6df 100644
--- a/rest_framework/mixins.py
+++ b/rest_framework/mixins.py
@@ -97,9 +97,7 @@ class RetrieveModelMixin(object):
     Should be mixed in with `SingleObjectAPIView`.
     """
     def retrieve(self, request, *args, **kwargs):
-        queryset = self.get_queryset()
-        filtered_queryset = self.filter_queryset(queryset)
-        self.object = self.get_object(filtered_queryset)
+        self.object = self.get_object()
         serializer = self.get_serializer(self.object)
         return Response(serializer.data)
 
-- 
cgit v1.2.3


From 23289b023db230f73e4a5bfae24a56c79e3fcd4b Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Tue, 16 Apr 2013 14:32:46 +0100
Subject: Explicit error if dev does not return a response from the view

---
 rest_framework/views.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/rest_framework/views.py b/rest_framework/views.py
index 81cbdcbb..7c97607b 100644
--- a/rest_framework/views.py
+++ b/rest_framework/views.py
@@ -3,7 +3,7 @@ Provides an APIView class that is used as the base of all class-based views.
 """
 from __future__ import unicode_literals
 from django.core.exceptions import PermissionDenied
-from django.http import Http404
+from django.http import Http404, HttpResponse
 from django.utils.html import escape
 from django.utils.safestring import mark_safe
 from django.views.decorators.csrf import csrf_exempt
@@ -327,6 +327,12 @@ class APIView(View):
         """
         Returns the final response object.
         """
+        # Make the error obvious if a proper response is not returned
+        assert isinstance(response, HttpResponse), (
+            'Expected a `Response` to be returned from the view, '
+            'but received a `%s`' % type(response)
+        )
+
         if isinstance(response, Response):
             if not getattr(request, 'accepted_renderer', None):
                 neg = self.perform_content_negotiation(request, force=True)
-- 
cgit v1.2.3