Using Django REST Framework, I want to limit which values can be used in a related field in a creation.

For example consider this example (based on the filtering example on https://web.archive.org/web/20140515203013/http://www.django-rest-framework.org/api-guide/filtering.html, but changed to ListCreateAPIView):

class PurchaseList(generics.ListCreateAPIView)model = Purchaseserializer_class = PurchaseSerializerdef get_queryset(self):user = self.request.userreturn Purchase.objects.filter(purchaser=user)

In this example, how do I ensure that on creation the purchaser may only be equal to self.request.user, and that this is the only value populated in the dropdown in the form in the browsable API renderer?

I ended up doing something similar to what Khamaileon suggested here. Basically I modified my serializer to peek into the request, which kind of smells wrong, but it gets the job done... Here's how it looks (examplified with the purchase-example):

class PurchaseSerializer(serializers.HyperlinkedModelSerializer):def get_fields(self, *args, **kwargs):fields = super(PurchaseSerializer, self).get_fields(*args, **kwargs)fields['purchaser'].queryset = permitted_objects(self.context['view'].request.user, fields['purchaser'].queryset)return fieldsclass Meta:model = Purchase

permitted_objects is a function which takes a user and a query, and returns a filtered query which only contains objects that the user has permission to link to. This seems to work both for validation and for the browsable API dropdown fields.