Hi,

> On 15 March 2017 at 08:06, CocaCola <solsol9...@gmail.com> wrote:
> 
> Even if there is no security problem, the hashed password is a meaningless value.
> Why is it showing a hashed password?

This is the expected behavior.
For one thing, it’s a security issue to store passwords in the clear in the DB. Django 
stores them encrypted to avoid this.
Second thing, DRF tries hard to return the most meaningful data. In that case, 
DRF won’t be returning what has been given. Instead it’ll get the data from the 
DB and return it, which implies the password is encrypted.

> Of course I know how to remove the password from the response by manipulating 
> the returndict.

In my opinion, the best option is to set the field as write-only.

> Another way, I can use a serializer with fields without a password, 
> but it will not be validated, so additional manipulation is required.

Not sure what you mean by that.

> Why isn’t it the default setting to hide the (hashed) 'password' field of 
> AbstractBaseUser?

Because it’s the developer’s job to design the API and take those decisions / 
actions.
The framework may provide guidance but won’t replace a human.
I’ve tried to make things automated (and half magic there) with nested 
serializers in 2.x and it didn’t work at all. I really love the 3.x approach of 
leaving it to the dev.

I’ve seen a lot of bad feedback on REST APIs which was caused by bad design 
decisions or even a lack of thought from the development team.

API needs to be designed.
It’s HARD and time-consuming.
It requires knowledge and deep understanding of the requirements.

Regards,
Xavier Ordoquy,
Linovia.

-- 
You received this message because you are subscribed to the Google Groups 
"Django REST framework" group.