Commit d9ee51b

Hide user field in api front-end and set default
Before, it was possible in the api front-end for a logged-in user to set the user value of a quote during create or update. This means the user could set another user as the owner of the quote. This behavior seems unintended. To prevent this option, the user field is defined as a hidden field in the serializer. Hidden fields will not show up in the api frontend form. A quote should have a user assigned to it (even if it is not required on the model level) to allow management (update/delete) of the quote. The quote can only be managed by its owner. To prevent quotes without an owner, the hidden user field is assigned the default value of the currently logged-in user in the serializer.
1 parent 70ee2b6 commit d9ee51b

File tree

1 file changed

+7
-0
lines changed


days/069-072-django-rest/demo/api/serializers.py

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,13 @@
55

66
class QuoteSerializer(serializers.ModelSerializer):
77

8+
# This is not included in the videos. Without this setting, it was possible
9+
# to set the user value to something other than the currently logged-in
10+
# user. This setting hides the user field from the form in the API frontend
11+
# and sets the currently logged-in users as the field value by default.
12+
# See also: https://stackoverflow.com/a/53193276
13+
user = serializers.HiddenField(default=serializers.CurrentUserDefault())
14+
815
class Meta:
916
model = Quote
1017
fields = ('quote', 'author', 'source', 'cover', 'user')
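Review bot: `serializers.CurrentUserDefault()` on the new `user` line resolves to `request.user` from the serializer context, so this only closes the ownership hole if the view passes the request in `context` (DRF's generic views and viewsets do this automatically) and requires authentication; with an unauthenticated request the default would be the anonymous user, which cannot be saved into a foreign key. Consider pairing this change with `permission_classes` that require authentication on the view, since the hunk itself does not add one. Note also that the commit message's guarantee that "the quote can only be managed by its owner" is not provided by this hunk: the hidden field decides which owner gets written on create/update, but restricting update/delete to the owner still needs an object-level permission check in the view. Minor: the comment reads "sets the currently logged-in users as the field value"; it should say "user".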
