Code Reference

REST framework

Django · Reference cheat sheet

REST framework

Django · Reference cheat sheet


📋 Overview

Django REST framework (DRF) builds Web APIs on Django: serializers, views/viewsets, routers, authentication, and permissions. Use for JSON APIs consumed by SPAs and mobile apps. Pair with Django 4.2+/5.x; install djangorestframework.

🔧 Core concepts

PieceRole
SerializersValidate input / render output
APIView / genericsClass-based API endpoints
ViewSets + RoutersCRUD URL wiring
AuthenticationSession, Token, JWT (3rd party), etc.
PermissionsIsAuthenticated, IsAdminUser, custom
Pagination / filteringDEFAULT_PAGINATION_CLASS, django-filter
Browsable APIHTML forms for debugging

Settings live under REST_FRAMEWORK = \{...\}.

💡 Examples

Install & settings:

INSTALLED_APPS = [
    # …
    "rest_framework",
]

REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.SessionAuthentication",
        "rest_framework.authentication.BasicAuthentication",
    ],
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticatedOrReadOnly",
    ],
    "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.PageNumberPagination",
    "PAGE_SIZE": 20,
}

ViewSet + router:

# api/views.py
from rest_framework import viewsets
from rest_framework.permissions import IsAuthenticatedOrReadOnly
from .models import Article
from .serializers import ArticleSerializer


class ArticleViewSet(viewsets.ModelViewSet):
    queryset = Article.objects.select_related("author").all()
    serializer_class = ArticleSerializer
    permission_classes = [IsAuthenticatedOrReadOnly]
    lookup_field = "slug"

    def perform_create(self, serializer):
        serializer.save(author=self.request.user)
# config/urls.py
from django.urls import include, path
from rest_framework.routers import DefaultRouter
from api.views import ArticleViewSet

router = DefaultRouter()
router.register("articles", ArticleViewSet, basename="article")

urlpatterns = [
    path("api/", include(router.urls)),
    path("api-auth/", include("rest_framework.urls")),
]

Function-style @api_view:

from rest_framework.decorators import api_view, permission_classes
from rest_framework.permissions import AllowAny
from rest_framework.response import Response


@api_view(["GET"])
@permission_classes([AllowAny])
def health(request):
    return Response({"status": "ok"})

⚠️ Pitfalls

  • CSRF: SessionAuthentication requires CSRF on unsafe methods from browsers.
  • Exposing ModelViewSet without permissions is a data leak.
  • N+1 in serializers—use select_related on the queryset.
  • Do not put secrets in browsable API responses.

On this page