rest_framework 1.0.0.rc1 → 1.0.1

data/lib/rest_framework/serializers/native_serializer.rb

@@ -1,13 +1,21 @@
 # This serializer uses `.serializable_hash` to convert objects to Ruby primitives (with the
 # top-level being either an array or a hash).
 class RESTFramework::Serializers::NativeSerializer < RESTFramework::Serializers::BaseSerializer
+  EXTRACT_FROM_QUERY = ->(p, controller) {
+    return Set[] if p.blank?
+    (
+      controller.request&.query_parameters&.[](p).presence&.split(",")&.map { |x|
+        x.strip.presence
+      }&.compact || []
+    ).to_set
+  }
   class_attribute :config
   class_attribute :singular_config
   class_attribute :plural_config
   class_attribute :action_config
 
   # Accept/ignore `*args` to be compatible with the `ActiveModel::Serializer#initialize` signature.
-  def initialize(object=nil, *args, many: nil, model: nil, **kwargs)
+  def initialize(object = nil, *args, many: nil, model: nil, **kwargs)
     super(object, *args, **kwargs)
 
     if many.nil?
@@ -26,28 +34,66 @@ class RESTFramework::Serializers::NativeSerializer < RESTFramework::Serializers:
     @model ||= @controller.class.get_model if @controller
   end
 
-  # Get controller action, if possible.
-  def get_action
-    return @controller&.action_name&.to_sym
+  def action
+    @action ||= @controller&.action_name&.to_sym
   end
 
-  # Get a locally defined native serializer configuration, if one is defined.
-  def get_local_native_serializer_config
-    action = self.get_action
+  def fields
+    return @fields if defined?(@fields)
+    return nil unless base_fields = @controller&.get_fields
+
+    only_param = @controller.class.native_serializer_only_query_param
+    except_param = @controller.class.native_serializer_except_query_param
+    include_param = @controller.class.native_serializer_include_query_param
+    exclude_param = @controller.class.native_serializer_exclude_query_param
+
+    only = EXTRACT_FROM_QUERY.call(only_param, @controller)
+    except = EXTRACT_FROM_QUERY.call(except_param, @controller)
+    include = EXTRACT_FROM_QUERY.call(include_param, @controller)
+    exclude = EXTRACT_FROM_QUERY.call(exclude_param, @controller)
+
+    field_configuration = @controller.class.field_configuration
+    @fields = base_fields.select do |f|
+      cfg = field_configuration[f]
+
+      # We never serialize write-only fields.
+      next false if cfg[:write_only]
+
+      # We never serialize `hidden_from_index` fields for collections as this is a performance
+      # option.
+      next false if cfg[:hidden_from_index] && @many
+
+      # Explicitly excluded fields should never be serialized.
+      next false if f.in?(except) || f.in?(exclude)
+
+      # Hidden fields must be in `only` or `include` to be serialized; for non-hidden fields, either
+      # `only` must be empty, or the field must be in `only` or `include`.
+      if cfg[:hidden]
+        next true if f.in?(only) || f.in?(include)
+      elsif only.empty? || f.in?(only) || f.in?(include)
+        next true
+      end
 
-    if action && self.action_config
+      next false
+    end
+
+    @fields
+  end
+
+  def get_local_native_serializer_config
+    if (action = self.action) && (cfg = action_config)
       # Index action should use :list serializer config if :index is not provided.
-      action = :list if action == :index && !self.action_config.key?(:index)
+      action = :list if action == :index && !cfg.key?(:index)
 
-      return self.action_config[action] if self.action_config[action]
+      return cfg[action] if cfg[action]
     end
 
     # No action_config, so try singular/plural config if explicitly instructed to via @many.
     return self.plural_config if @many == true && self.plural_config
     return self.singular_config if @many == false && self.singular_config
 
-    # Lastly, try returning the default config, or singular/plural config in that order.
-    return self.config || self.singular_config || self.plural_config
+    # Lastly, try returning the default config.
+    self.config
   end
 
   # Get a native serializer configuration from the controller.
@@ -60,105 +106,12 @@ class RESTFramework::Serializers::NativeSerializer < RESTFramework::Serializers:
       controller_serializer = @controller.class.native_serializer_singular_config
     end
 
-    return controller_serializer || @controller.class.native_serializer_config
-  end
-
-  # Filter a single subconfig for specific keys. By default, keys from `fields` are removed from the
-  # provided `subcfg`. There are two (mutually exclusive) options to adjust the behavior:
-  #
-  #  `add`: Add any `fields` to the `subcfg` which aren't already in the `subcfg`.
-  #  `only`: Remove any values found in the `subcfg` not in `fields`.
-  def self.filter_subcfg(subcfg, fields:, add: false, only: false)
-    raise "`add` and `only` conflict with one another" if add && only
-
-    # Don't process nil `subcfg`s.
-    return subcfg unless subcfg
-
-    if subcfg.is_a?(Array)
-      subcfg = subcfg.map(&:to_sym)
-
-      if add
-        # Only add fields which are not already included.
-        subcfg += fields - subcfg
-      elsif only
-        subcfg.select! { |c| c.in?(fields) }
-      else
-        subcfg -= fields
-      end
-    elsif subcfg.is_a?(Hash)
-      subcfg = subcfg.symbolize_keys
-
-      if add
-        # Add doesn't make sense in a hash context since we wouldn't know the values.
-      elsif only
-        subcfg.select! { |k, _v| k.in?(fields) }
-      else
-        subcfg.reject! { |k, _v| k.in?(fields) }
-      end
-    else  # Subcfg is a single element (assume string/symbol).
-      subcfg = subcfg.to_sym
-
-      if add
-        subcfg = subcfg.in?(fields) ? fields : [subcfg, *fields]
-      elsif only
-        subcfg = subcfg.in?(fields) ? subcfg : []
-      else
-        subcfg = subcfg.in?(fields) ? [] : subcfg
-      end
-    end
-
-    return subcfg
-  end
-
-  # Filter out configuration properties based on the :except/:only query parameters.
-  def filter_from_request(cfg)
-    return cfg unless @controller
-
-    except_param = @controller.class.native_serializer_except_query_param
-    only_param = @controller.class.native_serializer_only_query_param
-    if except_param && except = @controller.request&.query_parameters&.[](except_param).presence
-      if except = except.split(",").map(&:strip).map(&:to_sym).presence
-        # Filter `only`, `except` (additive), `include`, `methods`, and `serializer_methods`.
-        if cfg[:only]
-          cfg[:only] = self.class.filter_subcfg(cfg[:only], fields: except)
-        elsif cfg[:except]
-          cfg[:except] = self.class.filter_subcfg(cfg[:except], fields: except, add: true)
-        else
-          cfg[:except] = except
-        end
-
-        cfg[:include] = self.class.filter_subcfg(cfg[:include], fields: except)
-        cfg[:methods] = self.class.filter_subcfg(cfg[:methods], fields: except)
-        cfg[:serializer_methods] = self.class.filter_subcfg(
-          cfg[:serializer_methods], fields: except
-        )
-        cfg[:includes_map] = self.class.filter_subcfg(cfg[:includes_map], fields: except)
-      end
-    elsif only_param && only = @controller.request&.query_parameters&.[](only_param).presence
-      if only = only.split(",").map(&:strip).map(&:to_sym).presence
-        # Filter `only`, `include`, and `methods`. Adding anything to `except` is not needed,
-        # because any configuration there takes precedence over `only`.
-        if cfg[:only]
-          cfg[:only] = self.class.filter_subcfg(cfg[:only], fields: only, only: true)
-        else
-          cfg[:only] = only
-        end
-
-        cfg[:include] = self.class.filter_subcfg(cfg[:include], fields: only, only: true)
-        cfg[:methods] = self.class.filter_subcfg(cfg[:methods], fields: only, only: true)
-        cfg[:serializer_methods] = self.class.filter_subcfg(
-          cfg[:serializer_methods], fields: only, only: true
-        )
-        cfg[:includes_map] = self.class.filter_subcfg(cfg[:includes_map], fields: only, only: true)
-      end
-    end
-
-    return cfg
+    controller_serializer || @controller.class.native_serializer_config
   end
 
   # Get the associations limit from the controller.
-  def _get_associations_limit
-    return @_get_associations_limit if defined?(@_get_associations_limit)
+  def _associations_limit
+    return @_associations_limit if defined?(@_associations_limit)
 
     limit = @controller&.class&.native_serializer_associations_limit
 
@@ -174,11 +127,11 @@ class RESTFramework::Serializers::NativeSerializer < RESTFramework::Serializers:
       end
     end
 
-    return @_get_associations_limit = limit
+    @_associations_limit = limit
   end
 
   # Get a serializer configuration from the controller. `@controller` and `@model` must be set.
-  def _get_controller_serializer_config(fields)
+  def _get_controller_serializer_config
     columns = []
     includes = {}
     methods = []
@@ -194,7 +147,7 @@ class RESTFramework::Serializers::NativeSerializer < RESTFramework::Serializers:
     reflections = @model.reflections
     attachment_reflections = @model.attachment_reflections
 
-    fields.each do |f|
+    self.fields.each do |f|
       field_config = @controller.class.field_configuration[f]
       next if field_config[:write_only]
 
@@ -210,13 +163,13 @@ class RESTFramework::Serializers::NativeSerializer < RESTFramework::Serializers:
             sub_methods << sf
           end
         end
-        sub_config = {only: sub_columns, methods: sub_methods}
+        sub_config = { only: sub_columns, methods: sub_methods }
 
         # Apply certain rules regarding collection associations.
         if ref.collection?
           # If we need to limit the number of serialized association records, then dynamically add a
           # serializer method to do so.
-          if limit = self._get_associations_limit
+          if limit = self._associations_limit
             serializer_methods[f] = f
             self.define_singleton_method(f) do |record|
               next record.send(f).limit(limit).as_json(**sub_config)
@@ -257,7 +210,7 @@ class RESTFramework::Serializers::NativeSerializer < RESTFramework::Serializers:
         # ActiveStorage Integration: Define attachment serializer method.
         if ref.macro == :has_one_attached
           serializer_methods[f] = f
-          includes_map[f] = {"#{f}_attachment": :blob}
+          includes_map[f] = { "#{f}_attachment": :blob }
           self.define_singleton_method(f) do |record|
             attached = record.send(f)
             next attached.attachment ? {
@@ -268,7 +221,7 @@ class RESTFramework::Serializers::NativeSerializer < RESTFramework::Serializers:
           end
         elsif ref.macro == :has_many_attached
           serializer_methods[f] = f
-          includes_map[f] = {"#{f}_attachments": :blob}
+          includes_map[f] = { "#{f}_attachments": :blob }
           self.define_singleton_method(f) do |record|
             # Iterating the collection yields attachment objects.
             next record.send(f).map { |a|
@@ -288,7 +241,7 @@ class RESTFramework::Serializers::NativeSerializer < RESTFramework::Serializers:
       end
     end
 
-    return {
+    {
       only: columns,
       include: includes,
       methods: methods,
@@ -312,29 +265,29 @@ class RESTFramework::Serializers::NativeSerializer < RESTFramework::Serializers:
     end
 
     # If the config wasn't determined, build a serializer config from controller fields.
-    if @model && fields = @controller&.get_fields
-      return self._get_controller_serializer_config(fields.deep_dup)
+    if @model && self.fields
+      return self._get_controller_serializer_config
     end
 
     # By default, pass an empty configuration, using the default Rails serializer.
-    return {}
+    {}
   end
 
-  # Get a configuration passable to `serializable_hash` for the object, filtered if required.
+  # Get a configuration passable to `serializable_hash` for the object.
   def get_serializer_config
-    return self.filter_from_request(self.get_raw_serializer_config)
+    self.get_raw_serializer_config
   end
 
   # Serialize a single record and merge results of `serializer_methods`.
   def _serialize(record, config, serializer_methods)
     # Ensure serializer_methods is either falsy, or a hash.
     if serializer_methods && !serializer_methods.is_a?(Hash)
-      serializer_methods = [serializer_methods].flatten.map { |m| [m, m] }.to_h
+      serializer_methods = [ serializer_methods ].flatten.map { |m| [ m, m ] }.to_h
     end
 
     # Merge serialized record with any serializer method results.
-    return record.serializable_hash(config).merge(
-      serializer_methods&.map { |m, k| [k.to_sym, self.send(m, record)] }.to_h,
+    record.serializable_hash(config).merge(
+      serializer_methods&.map { |m, k| [ k.to_sym, self.send(m, record) ] }.to_h,
     )
   end
 
@@ -352,29 +305,29 @@ class RESTFramework::Serializers::NativeSerializer < RESTFramework::Serializers:
       return @object.map { |r| self._serialize(r, config, serializer_methods) }
     end
 
-    return self._serialize(@object, config, serializer_methods)
+    self._serialize(@object, config, serializer_methods)
   end
 
   # Allow a serializer instance to be used as a hash directly in a nested serializer config.
   def [](key)
     @_nested_config ||= self.get_serializer_config
-    return @_nested_config[key]
+    @_nested_config[key]
   end
 
   def []=(key, value)
     @_nested_config ||= self.get_serializer_config
-    return @_nested_config[key] = value
+    @_nested_config[key] = value
   end
 
   # Allow a serializer class to be used as a hash directly in a nested serializer config.
   def self.[](key)
     @_nested_config ||= self.new.get_serializer_config
-    return @_nested_config[key]
+    @_nested_config[key]
   end
 
   def self.[]=(key, value)
     @_nested_config ||= self.new.get_serializer_config
-    return @_nested_config[key] = value
+    @_nested_config[key] = value
   end
 end
 

data/lib/rest_framework/utils.rb

@@ -1,9 +1,9 @@
 module RESTFramework::Utils
-  HTTP_VERB_ORDERING = %w(GET POST PUT PATCH DELETE OPTIONS HEAD)
+  HTTP_VERB_ORDERING = %w[GET POST PUT PATCH DELETE OPTIONS HEAD]
 
   # Convert `extra_actions` hash to a consistent format: `{path:, methods:, metadata:, kwargs:}`.
   def self.parse_extra_actions(extra_actions)
-    return (extra_actions || {}).map { |k, v|
+    (extra_actions || {}).map { |k, v|
       path = k
       kwargs = {}
 
@@ -13,7 +13,7 @@ module RESTFramework::Utils
         v = v.symbolize_keys
 
         # Cast method/methods to an array.
-        methods = [v.delete(:methods), v.delete(:method)].flatten.compact
+        methods = [ v.delete(:methods), v.delete(:method) ].flatten.compact
 
         # Override path if it's provided.
         if v.key?(:path)
@@ -26,7 +26,7 @@ module RESTFramework::Utils
         # Pass any further kwargs to the underlying Rails interface.
         kwargs = v
       else
-        methods = [v].flatten
+        methods = [ v ].flatten
       end
 
       next [
@@ -41,10 +41,11 @@ module RESTFramework::Utils
     }.to_h
   end
 
-  # Get actions which should be skipped for a given controller.
-  def self.get_skipped_builtin_actions(controller_class)
-    return (
-      RESTFramework::BUILTIN_ACTIONS.keys + RESTFramework::BUILTIN_MEMBER_ACTIONS.keys
+  def self.get_skipped_builtin_actions(controller_class, singular)
+    (
+      (
+        RESTFramework::BUILTIN_ACTIONS.keys - (singular ? [ :index ] : [])
+      ) + RESTFramework::BUILTIN_MEMBER_ACTIONS.keys
     ).reject do |action|
       controller_class.method_defined?(action)
     end
@@ -58,7 +59,7 @@ module RESTFramework::Utils
   # Normalize a path pattern by replacing URL params with generic placeholder, and removing the
   # `(.:format)` at the end.
   def self.comparable_path(path)
-    return path.gsub("(.:format)", "").gsub(/:[0-9A-Za-z_-]+/, ":x")
+    path.gsub("(.:format)", "").gsub(/:[0-9A-Za-z_-]+/, ":x")
   end
 
   # Show routes under a controller action; used for the browsable API.
@@ -74,7 +75,7 @@ module RESTFramework::Utils
 
     # Return routes that match our current route subdomain/pattern, grouped by controller. We
     # precompute certain properties of the route for performance.
-    return application_routes.routes.select { |r|
+    application_routes.routes.select { |r|
       # We `select` first to avoid unnecessarily calculating metadata for routes we don't even want
       # to show.
       (r.defaults[:subdomain].blank? || r.defaults[:subdomain] == request.subdomain) &&
@@ -100,7 +101,7 @@ module RESTFramework::Utils
         verb: r.verb,
         path: path,
         path_with_params: r.format(
-          r.required_parts.each_with_index.map { |p, i| [p, path_params[i]] }.to_h,
+          r.required_parts.each_with_index.map { |p, i| [ p, path_params[i] ] }.to_h,
         ),
         relative_path: relative_path,
         concat_path: concat_path,
@@ -125,17 +126,17 @@ module RESTFramework::Utils
       # Sort the controller groups by current controller first, then alphanumerically.
       # Note: Use `controller_path` instead of `params[:controller]` to avoid re-raising a
       # `ActionDispatch::Http::Parameters::ParseError` exception.
-      [request.controller_class.controller_path == c ? 0 : 1, c]
+      [ request.controller_class.controller_path == c ? 0 : 1, c ]
     }.to_h
   end
 
   # Custom inflector for RESTful controllers.
-  def self.inflect(s, acronyms=nil)
+  def self.inflect(s, acronyms = nil)
     acronyms&.each do |acronym|
       s = s.gsub(/\b#{acronym}\b/i, acronym)
     end
 
-    return s
+    s
   end
 
   # Parse fields hashes.
@@ -153,12 +154,12 @@ module RESTFramework::Utils
     parsed_fields -= h[:except].map(&:to_s) if h[:except]
 
     # Warn for any unknown keys.
-    (h.keys - [:only, :except, :include, :exclude]).each do |k|
-      Rails.logger.warn("RRF: Unknown key in fields hash: #{k}")
+    (h.keys - [ :only, :except, :include, :exclude ]).each do |k|
+      Rails.logger.warn("RRF: Unknown key in fields hash: #{k}.")
     end
 
     # We should always return strings, not symbols.
-    return parsed_fields.map(&:to_s)
+    parsed_fields.map(&:to_s)
   end
 
   # Get the fields for a given model, including not just columns (which includes
@@ -181,7 +182,7 @@ module RESTFramework::Utils
     # Associations:
     associations = model.reflections.map { |association, ref|
       # Ignore associations for which we have custom integrations.
-      if ref.class_name.in?(%w(ActionText::RichText ActiveStorage::Attachment ActiveStorage::Blob))
+      if ref.class_name.in?(%w[ActionText::RichText ActiveStorage::Attachment ActiveStorage::Blob])
         next nil
       end
 
@@ -194,29 +195,29 @@ module RESTFramework::Utils
       next association
     }.compact
 
-    return base_fields + associations + atf + asf
+    base_fields + associations + atf + asf
   end
 
   # Get the sub-fields that may be serialized and filtered/ordered for a reflection.
   def self.sub_fields_for(ref)
     if !ref.polymorphic? && model = ref.klass
-      sub_fields = [model.primary_key].flatten.compact
+      sub_fields = [ model.primary_key ].flatten.compact
       label_fields = RESTFramework.config.label_fields
 
-      # Preferrably find a database column to use as label.
+      # Preferably find a database column to use as label.
       if match = label_fields.find { |f| f.in?(model.column_names) }
-        return sub_fields + [match]
+        return sub_fields + [ match ]
       end
 
       # Otherwise, find a method.
       if match = label_fields.find { |f| model.method_defined?(f) }
-        return sub_fields + [match]
+        return sub_fields + [ match ]
       end
 
       return sub_fields
     end
 
-    return ["id", "name"]
+    [ "id", "name" ]
   end
 
   # Get a field's id/ids variation.
@@ -229,7 +230,7 @@ module RESTFramework::Utils
       return reflection.foreign_key
     end
 
-    return nil
+    nil
   end
 
   # Wrap a serializer with an adapter if it is an ActiveModel::Serializer.
@@ -238,6 +239,6 @@ module RESTFramework::Utils
       return RESTFramework::ActiveModelSerializerAdapterFactory.for(s)
     end
 
-    return s
+    s
   end
 end

data/lib/rest_framework/version.rb

@@ -19,7 +19,7 @@ module RESTFramework
       end
 
       # No VERSION file, so version is unknown.
-      return UNKNOWN
+      UNKNOWN
     end
 
     def self.stamp_version

data/lib/rest_framework.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 module RESTFramework
+  BUILTIN_FORM_ACTIONS = %i[new edit].freeze
   BUILTIN_ACTIONS = {
     index: :get,
     new: :get,
@@ -9,14 +10,14 @@ module RESTFramework
   BUILTIN_MEMBER_ACTIONS = {
     show: :get,
     edit: :get,
-    update: [:put, :patch].freeze,
+    update: [ :put, :patch ].freeze,
     destroy: :delete,
   }.freeze
   RRF_BUILTIN_ACTIONS = {
     options: :options,
   }.freeze
   RRF_BUILTIN_BULK_ACTIONS = {
-    update_all: [:put, :patch].freeze,
+    update_all: [ :put, :patch ].freeze,
     destroy_all: :delete,
   }.freeze
 
@@ -35,12 +36,12 @@ module RESTFramework
   EXTERNAL_ASSETS = {
     # Bootstrap
     "bootstrap.min.css" => {
-      url: "https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css",
-      sri: "sha384-QWTKZyjpPEjISv5WaRU9OFeRpok6YctnYmDr5pNlyT2bRjXh0JMhjY6hW+ALEwIH",
+      url: "https://cdn.jsdelivr.net/npm/bootstrap@5.3.7/dist/css/bootstrap.min.css",
+      sri: "sha384-LN+7fdVzj6u52u30Kp6M/trliBMCMKTyK833zpbD+pXdCLuTusPj697FH4R/5mcr",
     },
     "bootstrap.min.js" => {
-      url: "https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js",
-      sri: "sha384-YvpcrYf0tY3lHB60NNkmXc5s9fDVZLESaAA55NDzOxhy9GkcIdslK1eN7N6jIeHz",
+      url: "https://cdn.jsdelivr.net/npm/bootstrap@5.3.7/dist/js/bootstrap.bundle.min.js",
+      sri: "sha384-ndDqU0Gzau9qJ1lfW4pNLlhNTkCfHzAVBReH9diLvGRem5+R9g2FzA8ZGN954O5Q",
     },
 
     # Bootstrap Icons
@@ -65,12 +66,12 @@ module RESTFramework
     "highlight-a11y-dark.min.css" => {
       url: "https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.11.0/styles/a11y-dark.min.css",
       sri: "sha512-Vj6gPCk8EZlqnoveEyuGyYaWZ1+jyjMPg8g4shwyyNlRQl6d3L9At02ZHQr5K6s5duZl/+YKMnM3/8pDhoUphg==",
-      extra_tag_attrs: {class: "rrf-dark-mode"},
+      extra_tag_attrs: { class: "rrf-dark-mode" },
     },
     "highlight-a11y-light.min.css" => {
       url: "https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.11.0/styles/a11y-light.min.css",
       sri: "sha512-WDk6RzwygsN9KecRHAfm9HTN87LQjqdygDmkHSJxVkVI7ErCZ8ZWxP6T8RvBujY1n2/E4Ac+bn2ChXnp5rnnHA==",
-      extra_tag_attrs: {class: "rrf-light-mode"},
+      extra_tag_attrs: { class: "rrf-light-mode" },
     },
 
     # NeatJSON
@@ -117,7 +118,7 @@ module RESTFramework
       raise "Unknown asset extension: #{ext}."
     end
 
-    [name, cfg]
+    [ name, cfg ]
   }.to_h.freeze
   # rubocop:enable Layout/LineLength
 
@@ -126,9 +127,9 @@ module RESTFramework
   # Global configuration should be kept minimal, as controller-level configurations allows multiple
   # APIs to be defined to behave differently.
   class Config
-    DEFAULT_LABEL_FIELDS = %w(name label login title email username url).freeze
-    DEFAULT_SEARCH_COLUMNS = DEFAULT_LABEL_FIELDS + %w(description note).freeze
-    DEFAULT_EXCLUDE_BODY_FIELDS = %w[
+    DEFAULT_LABEL_FIELDS = %w[name label login title email username url].freeze
+    DEFAULT_SEARCH_COLUMNS = DEFAULT_LABEL_FIELDS + %w[description note].freeze
+    DEFAULT_READ_ONLY_FIELDS = %w[
       created_at
       created_by
       created_by_id
@@ -139,6 +140,10 @@ module RESTFramework
       utf8
       authenticity_token
     ].freeze
+    DEFAULT_WRITE_ONLY_FIELDS = %w[
+      password
+      password_confirmation
+    ].freeze
 
     # Permits use of `render(api: obj)` syntax over `render_api(obj)`; `true` by default.
     attr_accessor :register_api_renderer
@@ -172,8 +177,9 @@ module RESTFramework
     # The default search columns to use when generating search filters.
     attr_accessor :search_columns
 
-    # The default list of fields to exclude from the body of the request.
-    attr_accessor :exclude_body_fields
+    # Helper to set global read/write only fields.
+    attr_accessor :read_only_fields
+    attr_accessor :write_only_fields
 
     # Option to use vendored assets (requires sprockets or propshaft) rather than linking to
     # external assets (the default).
@@ -187,12 +193,13 @@ module RESTFramework
 
       self.label_fields = DEFAULT_LABEL_FIELDS
       self.search_columns = DEFAULT_SEARCH_COLUMNS
-      self.exclude_body_fields = DEFAULT_EXCLUDE_BODY_FIELDS
+      self.read_only_fields = DEFAULT_READ_ONLY_FIELDS
+      self.write_only_fields = DEFAULT_WRITE_ONLY_FIELDS
     end
   end
 
   def self.config
-    return @config ||= Config.new
+    @config ||= Config.new
   end
 
   def self.configure
@@ -200,7 +207,7 @@ module RESTFramework
   end
 
   def self.features
-    return @features ||= {}
+    @features ||= {}
   end
 end