Compare revisions

e97d33ad · e97d33ad · e97d33ad · e97d33ad · e97d33ad · e97d33ad
--- a/djangoldp/migrations/0016_alter_activity_options_alter_follower_options_and_more.py
+++ b/djangoldp/migrations/0016_alter_activity_options_alter_follower_options_and_more.py
+# Generated by Django 4.2.3 on 2023-08-31 15:27
+from django.db import migrations
+class Migration(migrations.Migration):
+    dependencies = [
+        ('djangoldp', '0015_auto_20210125_1847'),
+    ]
+    operations = [
+        migrations.AlterModelOptions(
+            name='activity',
+            options={'default_permissions': {'delete', 'change', 'view', 'add', 'control'}},
+        ),
+        migrations.AlterModelOptions(
+            name='follower',
+            options={'default_permissions': {'delete', 'change', 'view', 'add', 'control'}},
+        ),
+        migrations.AlterModelOptions(
+            name='ldpsource',
+            options={'default_permissions': {'delete', 'change', 'view', 'add', 'control'}, 'ordering': ('federation',)},
+        ),
+        migrations.AlterModelOptions(
+            name='scheduledactivity',
+            options={'default_permissions': {'delete', 'change', 'view', 'add', 'control'}},
+        ),
+    ]
--- a/djangoldp/migrations/0017_alter_activity_urlid_alter_follower_urlid_and_more.py
+++ b/djangoldp/migrations/0017_alter_activity_urlid_alter_follower_urlid_and_more.py
+# Generated by Django 4.2.3 on 2023-09-03 20:26
+from django.db import migrations
+import djangoldp.fields
+class Migration(migrations.Migration):
+    dependencies = [
+        ('djangoldp', '0016_alter_activity_options_alter_follower_options_and_more'),
+    ]
+    operations = [
+        migrations.AlterField(
+            model_name='activity',
+            name='urlid',
+            field=djangoldp.fields.LDPUrlField(blank=True, db_index=True, null=True, unique=True),
+        ),
+        migrations.AlterField(
+            model_name='follower',
+            name='urlid',
+            field=djangoldp.fields.LDPUrlField(blank=True, db_index=True, null=True, unique=True),
+        ),
+        migrations.AlterField(
+            model_name='ldpsource',
+            name='urlid',
+            field=djangoldp.fields.LDPUrlField(blank=True, db_index=True, null=True, unique=True),
+        ),
+    ]
--- a/djangoldp/migrations/0018_alter_activity_payload_alter_activity_response_body.py
+++ b/djangoldp/migrations/0018_alter_activity_payload_alter_activity_response_body.py
+# Generated by Django 4.2.3 on 2023-10-17 19:25
+from django.db import migrations, models
+class Migration(migrations.Migration):
+    dependencies = [
+        ('djangoldp', '0017_alter_activity_urlid_alter_follower_urlid_and_more'),
+    ]
+    operations = [
+        migrations.AlterField(
+            model_name='activity',
+            name='payload',
+            field=models.TextField(),
+        ),
+        migrations.AlterField(
+            model_name='activity',
+            name='response_body',
+            field=models.TextField(null=True),
+        ),
+    ]
--- a/djangoldp/models.py
+++ b/djangoldp/models.py
 import json
+import logging
 import uuid
-from urllib.parse import urlparse
 from django.conf import settings
-from django.contrib.auth.models import User
-from django.core.exceptions import ObjectDoesNotExist, ValidationError
 from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Group
+from django.core.exceptions import ObjectDoesNotExist, ValidationError, FieldDoesNotExist
 from django.db import models
-from django.db.models import BinaryField, DateTimeField
 from django.db.models.base import ModelBase
-from django.db.models.signals import post_save
+from django.db.models.signals import post_save, pre_save, pre_delete, m2m_changed
 from django.dispatch import receiver
-from django.urls import reverse_lazy, get_resolver
+from django.urls import get_resolver
 from django.utils.datastructures import MultiValueDictKeyError
 from django.utils.decorators import classonlymethod
+from guardian.shortcuts import assign_perm
 from rest_framework.utils import model_meta
 from djangoldp.fields import LDPUrlField
-from djangoldp.permissions import LDPPermissions
+from djangoldp.permissions import DEFAULT_DJANGOLDP_PERMISSIONS, OwnerPermissions, InheritPermissions, ReadOnly
-import logging
 logger = logging.getLogger('djangoldp')
+Group._meta.serializer_fields = ['name', 'user_set']
+Group._meta.rdf_type = 'foaf:Group'
+# Group._meta.rdf_context = {'user_set': 'foaf:member'}
+Group._meta.permission_classes = [(OwnerPermissions&ReadOnly)|InheritPermissions]
+Group._meta.owner_field = 'user'
+Group._meta.inherit_permissions = []
 class LDPModelManager(models.Manager):
    def local(self):
@@ -30,44 +34,21 @@ class LDPModelManager(models.Manager):
        internal_ids = [x.pk for x in queryset if not Model.is_external(x)]
        return queryset.filter(pk__in=internal_ids)
-    def nested_fields(self):
-        '''parses the relations on the model, and returns a list of nested field names'''
-        nested_fields = set()
-        # include all many-to-many relations
-        for field_name, relation_info in model_meta.get_field_info(self.model).relations.items():
-            if relation_info.to_many:
-                if field_name is not None:
-                    nested_fields.add(field_name)
-        # include all nested fields explicitly included on the model
-        nested_fields.update(set(Model.get_meta(self.model, 'nested_fields', set())))
-        # exclude anything marked explicitly to be excluded
-        nested_fields = nested_fields.difference(set(Model.get_meta(self.model, 'nested_fields_exclude', set())))
-        return list(nested_fields)
-    def fields(self):
-        return self.nested_fields()
 class Model(models.Model):
-    urlid = LDPUrlField(blank=True, null=True, unique=True)
+    urlid = LDPUrlField(blank=True, null=True, unique=True, db_index=True)
    is_backlink = models.BooleanField(default=False, help_text='set automatically to indicate the Model is a backlink')
    allow_create_backlink = models.BooleanField(default=True,
                                                help_text='set to False to disable backlink creation after Model save')
    objects = LDPModelManager()
-    nested = LDPModelManager()
+    class Meta:
+        default_permissions = DEFAULT_DJANGOLDP_PERMISSIONS
+        abstract = True
+        depth = 0
    def __init__(self, *args, **kwargs):
        super(Model, self).__init__(*args, **kwargs)
-    @classmethod
-    def get_view_set(cls):
-        '''returns the view_set defined in the model Meta or the LDPViewSet class'''
-        view_set = getattr(cls._meta, 'view_set', getattr(cls.Meta, 'view_set', None))
-        if view_set is None:
-            from djangoldp.views import LDPViewSet
-            view_set = LDPViewSet
-        return view_set
    @classmethod
    def get_container_path(cls):
        '''returns the url path which is used to access actions on this model (e.g. /users/)'''
@@ -82,7 +63,7 @@ class Model(models.Model):
    @classonlymethod
    def absolute_url(cls, instance_or_model):
-        if isinstance(instance_or_model, ModelBase) or instance_or_model.urlid is None or instance_or_model.urlid == '':
+        if isinstance(instance_or_model, ModelBase) or not instance_or_model.urlid:
            return '{}{}'.format(settings.SITE_URL, Model.resource(instance_or_model))
        else:
            return instance_or_model.urlid
@@ -105,16 +86,24 @@ class Model(models.Model):
    @classonlymethod
    def slug_field(cls, instance_or_model):
        if isinstance(instance_or_model, ModelBase):
-            object_name = instance_or_model.__name__.lower()
+            model = instance_or_model
        else:
-            object_name = instance_or_model._meta.object_name.lower()
+            model = type(instance_or_model)
+        # Use cached value if present
+        if hasattr(model, "_slug_field"):
+            return model._slug_field
+        object_name = model.__name__.lower()
        view_name = '{}-detail'.format(object_name)
        try:
            slug_field = '/{}'.format(get_resolver().reverse_dict[view_name][0][0][1][0])
        except MultiValueDictKeyError:
-            slug_field = Model.get_meta(instance_or_model, 'lookup_field', 'pk')
+            slug_field = getattr(model._meta, 'lookup_field', 'pk')
        if slug_field.startswith('/'):
            slug_field = slug_field[1:]
+        model._slug_field = slug_field
        return slug_field
    @classonlymethod
@@ -129,11 +118,6 @@ class Model(models.Model):
        return path
-    class Meta:
-        default_permissions = ('add', 'change', 'delete', 'view', 'control')
-        abstract = True
-        depth = 0
    @classonlymethod
    def resolve_id(cls, id):
        '''
@@ -153,7 +137,7 @@ class Model(models.Model):
    @classonlymethod
    def resolve_parent(cls, path):
        split = path.strip('/').split('/')
-        parent_path = "/".join(split[0:len(split) - 1])
+        parent_path = "/".join(split[:-1])
        return Model.resolve_id(parent_path)
    @classonlymethod
@@ -170,8 +154,8 @@ class Model(models.Model):
        :param path: a URL path to check
        :return: the container model and resolved id in a tuple
        '''
-        if settings.BASE_URL in path:
+        if path.startswith(settings.BASE_URL):
-            path = path[len(settings.BASE_URL):]
+            path = path.replace(settings.BASE_URL, '')
        container = cls.resolve_container(path)
        try:
            resolve_id = cls.resolve_id(path)
@@ -220,46 +204,19 @@ class Model(models.Model):
            raise ObjectDoesNotExist
        return Model.get_or_create(model, urlid, **kwargs)
-    @classonlymethod
-    def get_model_rdf_type(cls, model):
-        if model is get_user_model():
-            return "foaf:user"
-        else:
-            return Model.get_meta(model, "rdf_type")
    @classonlymethod
    def get_subclass_with_rdf_type(cls, type):
+        #TODO: deprecate
        '''returns Model subclass with Meta.rdf_type matching parameterised type, or None'''
        if type == 'foaf:user':
            return get_user_model()
        for subcls in Model.__subclasses__():
-            if Model.get_meta(subcls, 'rdf_type') == type:
+            if getattr(subcls._meta, "rdf_type", None) == type:
                return subcls
        return None
-    @classonlymethod
-    def get_permission_classes(cls, related_model, default_permissions_classes):
-        '''returns the permission_classes set in the models Meta class'''
-        return cls.get_meta(related_model, 'permission_classes', default_permissions_classes)
-    @classonlymethod
-    def get_meta(cls, model_class, meta_name, default=None):
-        '''returns the models Meta class'''
-        if hasattr(model_class, 'Meta'):
-            meta = getattr(model_class.Meta, meta_name, default)
-        else:
-            meta = default
-        return getattr(model_class._meta, meta_name, meta)
-    @staticmethod
-    def get_permissions(obj_or_model, context, filter):
-        permissions = filter
-        for permission_class in Model.get_permission_classes(obj_or_model, [LDPPermissions]):
-            permissions = permission_class().filter_user_perms(context, obj_or_model, permissions)
-        return [{'mode': {'@type': name.split('_')[0]}} for name in permissions]
    @classmethod
    def is_external(cls, value):
        '''
@@ -267,19 +224,24 @@ class Model(models.Model):
        :return: True if the urlid is external to the server, False otherwise
        '''
        try:
+            if not value:
+                return False
            if not isinstance(value, str):
                value = value.urlid
-            return value is not None and not value.startswith(settings.SITE_URL)
+            # This expects all @ids to start with http which mlight not be universal. Maybe needs a fix.
+            return value.startswith('http') and not value.startswith(settings.SITE_URL)
        except:
            return False
+#TODO: this breaks the serializer, which probably assumes that traditional models don't have a urlid.
+# models.Model.urlid = property(lambda self: '{}{}'.format(settings.SITE_URL, Model.resource(self)))
 class LDPSource(Model):
    federation = models.CharField(max_length=255)
    class Meta(Model.Meta):
-        rdf_type = 'ldp:Container'
+        rdf_type = 'sib:federatedContainer'
        ordering = ('federation',)
        container_path = 'sources'
        lookup_field = 'federation'
@@ -292,42 +254,40 @@ class Activity(Model):
    '''Models an ActivityStreams Activity'''
    local_id = LDPUrlField(help_text='/inbox or /outbox url (local - this server)')  # /inbox or /outbox full url
    external_id = LDPUrlField(null=True, help_text='the /inbox or /outbox url (from the sender or receiver)')
-    payload = BinaryField()
+    payload = models.TextField()
    response_location = LDPUrlField(null=True, blank=True, help_text='Location saved activity can be found')
    response_code = models.CharField(null=True, blank=True, help_text='Response code sent by receiver', max_length=8)
-    response_body = BinaryField(null=True)
+    response_body = models.TextField(null=True)
    type = models.CharField(null=True, blank=True, help_text='the ActivityStreams type of the Activity',
                            max_length=64)
    is_finished = models.BooleanField(default=True)
-    created_at = DateTimeField(auto_now_add=True)
+    created_at = models.DateTimeField(auto_now_add=True)
    success = models.BooleanField(default=False, help_text='set to True when an Activity is successfully delivered')
    class Meta(Model.Meta):
        container_path = "activities"
        rdf_type = 'as:Activity'
+        disable_url = True
-    def _bytes_to_json(self, obj):
-        if hasattr(obj, 'tobytes'):
-            obj = obj.tobytes()
-        if obj is None or obj == b'':
-            return {}
-        return json.loads(obj)
    def to_activitystream(self):
-        return self._bytes_to_json(self.payload)
+        return json.loads(self.payload)
    def response_to_json(self):
-        return self._bytes_to_json(self.response_body)
+        return self.to_activitystream()
 # temporary database-side storage used for scheduled tasks in the ActivityQueue
 class ScheduledActivity(Activity):
-    failed_attempts = models.PositiveIntegerField(default=0, help_text='a log of how many failed retries have been made sending the activity')
+    failed_attempts = models.PositiveIntegerField(default=0,
+                                                  help_text='a log of how many failed retries have been made sending the activity')
    def save(self, *args, **kwargs):
        self.is_finished = False
        super(ScheduledActivity, self).save(*args, **kwargs)
+    class Meta(Model.Meta):
+        disable_url = True
 class Follower(Model):
    '''Models a subscription on a model. When the model is saved, an Update activity will be sent to the inbox'''
@@ -338,32 +298,74 @@ class Follower(Model):
    def __str__(self):
        return 'Inbox ' + str(self.inbox) + ' on ' + str(self.object)
+    class Meta(Model.Meta):
+        disable_url = True
+class DynamicNestedField:
+    '''
+    Used to define a method as a nested_field.
+    Usage:
+        LDPUser.circles = lambda self: Circle.objects.filter(members__user=self)
+        LDPUser.circles.field = DynamicNestedField(Circle, 'circles')
+    '''
+    related_query_name = None
+    one_to_many = False
+    many_to_many = True
+    many_to_one = False
+    one_to_one = False
+    read_only = True
+    name = ''
+    def __init__(self, model:models.Model|None, remote_name:str, name:str='', remote:object|None=None) -> None:
+        self.model = model
+        self.name = name
+        if remote:
+            self.remote_field = remote
+        else:
+            self.remote_field = DynamicNestedField(None, '', remote_name, self)
 @receiver([post_save])
 def auto_urlid(sender, instance, **kwargs):
    if isinstance(instance, Model):
+        changed = False
        if getattr(instance, Model.slug_field(instance), None) is None:
            setattr(instance, Model.slug_field(instance), instance.pk)
-            instance.save()
+            changed = True
-        if (instance.urlid is None or instance.urlid == '' or 'None' in instance.urlid):
+        if (not instance.urlid or 'None' in instance.urlid):
            instance.urlid = instance.get_absolute_url()
+            changed = True
+        if changed:
            instance.save()
+@receiver(post_save)
+def create_role_groups(sender, instance, created, **kwargs):
+    if created:
+        for name, params in getattr(instance._meta, 'permission_roles', {}).items():
+            group, x = Group.objects.get_or_create(name=f'LDP_{instance._meta.model_name}_{name}_{instance.id}')
+            setattr(instance, name, group)
+            instance.save()
+            if params.get('add_author'):
+                assert hasattr(instance._meta, 'auto_author'), "add_author requires to also define auto_author"
+                author = getattr(instance, instance._meta.auto_author)
+                if author:
+                    group.user_set.add(author)
+            for permission in params.get('perms', []):
+                assign_perm(f'{permission}_{instance._meta.model_name}', group, instance)
-if 'djangoldp_account' not in settings.DJANGOLDP_PACKAGES:
-    def webid(self):
-        # an external user should have urlid set
-        webid = getattr(self, 'urlid', None)
-        if webid is not None and urlparse(settings.BASE_URL).netloc != urlparse(webid).netloc:
-            webid = self.urlid
-        # local user use user-detail URL with primary key
-        else:
-            webid = '{0}{1}'.format(settings.BASE_URL, reverse_lazy('user-detail', kwargs={'pk': self.pk}))
-        return webid
-    get_user_model().webid = webid
+def invalidate_cache_if_has_entry(entry):
+    from djangoldp.serializers import GLOBAL_SERIALIZER_CACHE
+    if GLOBAL_SERIALIZER_CACHE.has(entry):
+        GLOBAL_SERIALIZER_CACHE.invalidate(entry)
+def invalidate_model_cache_if_has_entry(model):
+    entry = getattr(model._meta, 'label', None)
+    invalidate_cache_if_has_entry(entry)
+@receiver([pre_save, pre_delete])
+def invalidate_caches(sender, instance, **kwargs):
+    invalidate_model_cache_if_has_entry(sender)
-@receiver(post_save, sender=User)
+@receiver([m2m_changed])
-def update_perms(sender, instance, created, **kwargs):
+def invalidate_caches_m2m(sender, instance, action, *args, **kwargs):
-    LDPPermissions.invalidate_cache()
+    invalidate_model_cache_if_has_entry(kwargs['model'])
\ No newline at end of file
--- a/djangoldp/pagination.py
+++ b/djangoldp/pagination.py
 from rest_framework.pagination import LimitOffsetPagination
+from rest_framework.pagination import PageNumberPagination
 from rest_framework.response import Response
+class LDPOffsetPagination(LimitOffsetPagination):
+    def get_paginated_response(self, data):
+        next_url = self.get_next_link()
+        previous_url = self.get_previous_link()
+        links = []
+        for url, label in ((previous_url, 'prev'), (next_url, 'next')):
+            if url is not None:
+                links.append('<{}>; rel="{}"'.format(url, label))
+        headers = {'Link': ', '.join(links)} if links else {}
+        return Response(data, headers=headers)
+class LDPPagination(PageNumberPagination):
+    page_query_param = 'p'
+    page_size_query_param = 'limit'
-class LDPPagination(LimitOffsetPagination):
    def get_paginated_response(self, data):
        next_url = self.get_next_link()
        previous_url = self.get_previous_link()

--- a/djangoldp/permissions.py
+++ b/djangoldp/permissions.py
-import time
+from copy import copy
 from django.conf import settings
-from django.contrib.auth.models import _user_get_all_permissions
+from django.http import Http404
-from django.core.exceptions import PermissionDenied
+from rest_framework.permissions import BasePermission, DjangoObjectPermissions, OR, AND
-from django.db.models.base import ModelBase
+from rest_framework.filters import BaseFilterBackend
-from rest_framework.permissions import DjangoObjectPermissions
+from rest_framework_guardian.filters import ObjectPermissionsFilter
+from djangoldp.filters import OwnerFilterBackend, NoFilterBackend, PublicFilterBackend, IPFilterBackend, ActiveFilterBackend
+from djangoldp.utils import is_anonymous_user, is_authenticated_user, check_client_ip
-class LDPPermissions(DjangoObjectPermissions):
+DEFAULT_DJANGOLDP_PERMISSIONS = {'view', 'add', 'change', 'delete', 'control'}
+DEFAULT_RESOURCE_PERMISSIONS = {'view', 'change', 'delete', 'control'}
+DEFAULT_CONTAINER_PERMISSIONS = {'view', 'add'}
+def join_filter_backends(*permissions_or_filters:BaseFilterBackend|BasePermission, model:object, union:bool=False) -> BaseFilterBackend:
+    '''Creates a new Filter backend by joining a list of existing backends.
+    It chains the filterings or joins them, depending on the argument union'''
+    backends = []
+    for permission_or_filter in permissions_or_filters:
+        if hasattr(permission_or_filter, 'get_filter_backend'):
+            backends.append(permission_or_filter.get_filter_backend(model))
+        elif isinstance(permission_or_filter, type) and issubclass(permission_or_filter, BaseFilterBackend):
+            backends.append(permission_or_filter)
+    class JointFilterBackend(BaseFilterBackend):
+        def __init__(self) -> None:
+            self.filters = []
+            for backend in backends:
+                if backend:
+                    self.filters.append(backend())
+        def filter_queryset(self, request:object, queryset:object, view:object) -> object:
+            if union:
+                result = queryset.none() #starts with empty for union
+            else:
+                result = queryset
+            for filter in self.filters:
+                if union:
+                    result = result | filter.filter_queryset(request, queryset, view)
+                else:
+                    result = filter.filter_queryset(request, result, view)
+            return result
+    return JointFilterBackend
+permission_map ={
+    'GET': ['%(app_label)s.view_%(model_name)s'],
+    'OPTIONS': [],
+    'HEAD': ['%(app_label)s.view_%(model_name)s'],
+    'POST': ['%(app_label)s.add_%(model_name)s'],
+    'PUT': ['%(app_label)s.change_%(model_name)s'],
+    'PATCH': ['%(app_label)s.change_%(model_name)s'],
+    'DELETE': ['%(app_label)s.delete_%(model_name)s'],
+}
+# Patch of OR and AND classes to enable chaining of LDPBasePermission
+def OR_get_permissions(self, user, model, obj=None):
+    perms1 = self.op1.get_permissions(user, model, obj) if hasattr(self.op1, 'get_permissions') else set()
+    perms2 = self.op2.get_permissions(user, model, obj) if hasattr(self.op2, 'get_permissions') else set()
+    return set.union(perms1, perms2)    
+OR.get_permissions = OR_get_permissions
+def OR_get_filter_backend(self, model):
+    return join_filter_backends(self.op1, self.op2, model=model, union=True)
+OR.get_filter_backend = OR_get_filter_backend
+OR.__repr__ = lambda self: f"{self.op1}|{self.op2}"
+def AND_get_permissions(self, user, model, obj=None):
+    perms1 = self.op1.get_permissions(user, model, obj) if hasattr(self.op1, 'get_permissions') else set()
+    perms2 = self.op2.get_permissions(user, model, obj) if hasattr(self.op2, 'get_permissions') else set()
+    return set.intersection(perms1, perms2)    
+AND.get_permissions = AND_get_permissions
+def AND_get_filter_backend(self, model):
+    return join_filter_backends(self.op1, self.op2, model=model, union=False)
+AND.get_filter_backend = AND_get_filter_backend
+AND.__repr__ = lambda self: f"{self.op1}&{self.op2}"
+class LDPBasePermission(BasePermission):
    """
-        Default permissions
+    A base class from which all permission classes should inherit.
-        Anon: None
+    Extends the DRF permissions class to include the concept of model-permissions, separate from the view, and to
-        Auth: None but inherit from Anon
+    change to a system of outputting permissions sets for the serialization of WebACLs
-        Owner: None but inherit from Auth
    """
-    anonymous_perms = ['view']
+    # filter backends associated with the permissions class. This will be used to filter queryset in the (auto-generated)
-    authenticated_perms = ['inherit']
+    # view for a model, and in the serializing nested fields
-    owner_perms = ['inherit']
+    filter_backend = ActiveFilterBackend
+    # by default, all permissions
-    perms_cache = {
+    permissions = getattr(settings, 'DJANGOLDP_PERMISSIONS', DEFAULT_DJANGOLDP_PERMISSIONS)
-        'time': time.time()
+    # perms_map defines the permissions required for different methods
-    }
+    perms_map = permission_map
-    with_cache = getattr(settings, 'PERMISSIONS_CACHE', True)
-    @classmethod
-    def invalidate_cache(cls):
-        cls.perms_cache = {
-            'time': time.time()
-        }
    @classmethod
-    def refresh_cache(cls):
+    def get_filter_backend(cls, model):
-        if time.time() - cls.perms_cache['time'] > 5:
+        '''returns the Filter backend associated with this permission class'''
-            cls.invalidate_cache()
+        return cls.filter_backend
+    def check_all_permissions(self, required_permissions):
-    def user_permissions(self, user, obj_or_model, obj=None):
+        '''returns True if the all the permissions are included in the permissions of the class'''
-        """
+        return all([permission.split('.')[1].split('_')[0] in self.permissions for permission in required_permissions])
-            Filter user permissions for a model class
+    def get_allowed_methods(self):
-        """
+        '''returns the list of methods allowed for the permissions of the class, depending on the permission map'''
+        return [method for method, permissions in self.perms_map.items() if self.check_all_permissions(permissions)]
-        # this may be a permission for the model class, or an instance
+    def has_permission(self, request, view):
-        self.refresh_cache()
+        '''checks if the request is allowed at all, based on its method and the permissions of the class'''
-        if isinstance(obj_or_model, ModelBase):
+        return request.method in self.get_allowed_methods()
-            model = obj_or_model
+    def has_object_permission(self, request, view, obj=None):
+        '''checks if the access to the object is allowed,'''
+        return self.has_permission(request, view)
+    def get_permissions(self, user, model, obj=None):
+        '''returns the permissions the user has on a given model or on a given object'''
+        return self.permissions.intersection(DEFAULT_RESOURCE_PERMISSIONS if obj else DEFAULT_CONTAINER_PERMISSIONS)
+class AnonymousReadOnly(LDPBasePermission):
+    """Anonymous users can only view, no check for others"""
+    permissions = {'view'}
+    def has_permission(self, request, view):
+        return super().has_permission(request, view) or is_authenticated_user(request.user)
+    def get_permissions(self, user, model, obj=None):
+        if is_anonymous_user(user):
+            return self.permissions
        else:
-            obj = obj_or_model
+            return super().permissions #all permissions
-            model = obj_or_model.__class__
-        model_name = model._meta.model_name
+class AuthenticatedOnly(LDPBasePermission):
-        user_key = 'None' if user is None else user.id
+    """Only authenticated users have permissions"""
-        obj_key = 'None' if obj is None else obj.id
+    def has_permission(self, request, view):
-        perms_cache_key = 'User{}{}{}'.format(user_key, model_name, obj_key)
+        return request.method=='OPTIONS' or is_authenticated_user(request.user)
-        if self.with_cache and perms_cache_key in self.perms_cache:
-            return self.perms_cache[perms_cache_key]
-        # Get Anonymous permissions from Model's Meta. If not found use default
-        anonymous_perms = getattr(model._meta, 'anonymous_perms', self.anonymous_perms)
-        # Get Auth permissions from Model's Meta. If not found use default
-        authenticated_perms = getattr(model._meta, 'authenticated_perms', self.authenticated_perms)
-        # Extend Auth if inherit is given
-        if 'inherit' in authenticated_perms:
-            authenticated_perms = authenticated_perms + list(set(anonymous_perms) - set(authenticated_perms))
-        # Get Owner permissions from Model's Meta. If not found use default
-        owner_perms = getattr(model._meta, 'owner_perms', self.owner_perms)
-        # Extend Owner if inherit is given
-        if 'inherit' in owner_perms:
-            owner_perms = owner_perms + list(set(authenticated_perms) - set(owner_perms))
-        # return permissions - using set to avoid duplicates
-        # apply Django-Guardian (object-level) permissions
-        perms = set()
-        if obj is not None and not user.is_anonymous:
+class ReadOnly(LDPBasePermission):
-            # get permissions from all backends and then remove model name from the permissions
+    """Users can only view"""
-            model_name = model._meta.model_name
+    permissions = {'view'}
-            forbidden_string = "_" + model_name
-            perms = set([p.replace(forbidden_string, '') for p in _user_get_all_permissions(user, obj)])
-        # apply anon, owner and auth permissions
+class ReadAndCreate(LDPBasePermission):
-        if user.is_anonymous:
+    """Users can only view and create"""
-            perms = perms.union(set(anonymous_perms))
+    permissions = {'view', 'add'}
-        else:
+class CreateOnly(LDPBasePermission):
-            if obj and hasattr(model._meta, 'owner_field') and (
+    """Users can only view and create"""
-                    getattr(obj, getattr(model._meta, 'owner_field')) == user
+    permissions = {'add'}
-                    or (hasattr(user, 'urlid') and getattr(obj, getattr(model._meta, 'owner_field')) == user.urlid)
-                    or getattr(obj, getattr(model._meta, 'owner_field')) == user.id):
-                perms = perms.union(set(owner_perms))
-            else:
+class ACLPermissions(DjangoObjectPermissions, LDPBasePermission):
-                perms = perms.union(set(authenticated_perms))
+    """Permissions based on the rights given in db, on model for container requests or on object for resource requests"""
+    filter_backend = ObjectPermissionsFilter
-        self.perms_cache[perms_cache_key] = list(perms)
+    perms_map = permission_map
+    def has_permission(self, request, view):
+        if view.action in ('list', 'create'): # The container permission only apply to containers requests
+            return super().has_permission(request, view)
+        return True
-        return self.perms_cache[perms_cache_key]
+    def get_permissions(self, user, model, obj=None):
-        # return list(perms)
+        model_name = model._meta.model_name
+        app_label = model._meta.app_label
+        if obj:
+            return {perm.replace('_'+model_name, '') for perm in user.get_all_permissions(obj)}
+        permissions = set(filter(lambda perm: perm.startswith(app_label) and perm.endswith(model_name), user.get_all_permissions()))
+        return {perm.replace(app_label+'.', '').replace('_'+model_name, '') for perm in permissions}
+class OwnerPermissions(LDPBasePermission):
+    """Gives all permissions to the owner of the object"""
+    filter_backend = OwnerFilterBackend
+    def check_permission(self, user, model, obj):
+        if user.is_superuser:
+            return True
+        if getattr(model._meta, 'owner_field', None):
+            field = model._meta.get_field(model._meta.owner_field)
+            if field.many_to_many or field.one_to_many:
+                return user in getattr(obj, field.get_accessor_name()).all()
+            else:
+                return user == getattr(obj, model._meta.owner_field)
+        if getattr(model._meta, 'owner_urlid_field', None) is not None:
+            return is_authenticated_user(user) and user.urlid == getattr(obj, model._meta.owner_urlid_field)
+        return True
-    def filter_user_perms(self, context, obj_or_model, permissions):
+    def has_object_permission(self, request, view, obj=None):
-        # Only used on Model.get_permissions to translate permissions to LDP
+        return self.check_permission(request.user, view.model, obj)
-        return [perm for perm in permissions if perm in self.user_permissions(context['request'].user, obj_or_model)]
+    def get_permissions(self, user, model, obj=None):
+        if not obj or self.check_permission(user, model, obj):
+            return self.permissions
+        return set()
+class OwnerCreatePermission(LDPBasePermission):
+    '''only accepts the creation of new resources if the owner of the created resource is the user of the request'''
+    def check_patch(self, first, second, user):
+        diff = first - second
+        return diff == set() or diff == {user.urlid}
+    def has_permission(self, request:object, view:object) -> bool:
+        if request.method != 'POST':
+            return super().has_permission(request, view)
+        if is_anonymous_user(request.user):
+            return False
+        owner = None
+        if getattr(view.model._meta, 'owner_field', None):
+            field = view.model._meta.get_field(view.model._meta.owner_field)
+            if field.many_to_many or field.one_to_many:
+                owner = request.data[field.get_accessor_name()]
+            else:
+                owner = request.data[view.model._meta.owner_field]
+        if getattr(view.model._meta, 'owner_urlid_field', None):
+            owner = request.data[view.model._meta.owner_urlid_field]
+        return not owner or owner['@id'] == request.user.urlid
+class PublicPermission(LDPBasePermission):
+    """Gives read-only access to resources which have a public flag to True"""
+    filter_backend = PublicFilterBackend
+    permissions = {'view', 'add'}
+    def has_object_permission(self, request, view, obj=None):
+        assert hasattr(view.model._meta, 'public_field'), \
+            f'Model {view.model} has PublicPermission applied without "public_field" defined'
+        public_field = view.model._meta.public_field
+        if getattr(obj, public_field, False):
+            return super().has_object_permission(request, view, obj)
+        return False
+class JoinMembersPermission(LDPBasePermission):
+    filter_backend = None
+    def has_permission(self, request:object, view:object) -> bool:
+        if is_anonymous_user(request.user):
+            return False
+        return request.method == 'PATCH'
+    def check_patch(self, first, second, user):
+        diff = first - second
+        return diff == set() or diff == {user.urlid}
+    def has_object_permission(self, request:object, view:object, obj:object) -> bool:
+        '''only accept patch request, only if the only difference on the user_set is the user'''
+        if not self.has_permission(request, view) or not obj or not 'user_set' in request.data:
+            return False
+        new_members = request.data['user_set']
+        if not isinstance(new_members, list):
+            new_members = [new_members]
+        new_ids = {user['@id'] for user in new_members}
+        old_ids = {user.urlid for user in obj.members.user_set.all()}
+        return self.check_patch(new_ids, old_ids, request.user) and self.check_patch(old_ids, new_ids, request.user)
+    def get_permissions(self, user, model, obj=None):
+        return set()
+class IPOpenPermissions(LDPBasePermission):
+    filter_backend = IPFilterBackend
+    def has_permission(self, request, view):
+        return check_client_ip(request)
-    # perms_map defines the permissions required for different methods
+    def has_object_permission(self, request, view, obj):
-    perms_map = {
+        return check_client_ip(request)
-        'GET': ['%(app_label)s.view_%(model_name)s'],
-        'OPTIONS': [],
-        'HEAD': ['%(app_label)s.view_%(model_name)s'],
-        'POST': ['%(app_label)s.add_%(model_name)s'],
-        'PUT': ['%(app_label)s.change_%(model_name)s'],
-        'PATCH': ['%(app_label)s.change_%(model_name)s'],
-        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
-    }
-    def get_permissions(self, method, obj):
-        """
-            Translate perms_map to request
-        """
-        kwargs = {
-            'app_label': obj._meta.app_label,
-            'model_name': obj._meta.model_name
-        }
-        # Only allows methods that are on perms_map
-        if method not in self.perms_map:
-            raise PermissionDenied
-        return [perm % kwargs for perm in self.perms_map[method]]
-    def has_permission(self, request, view):
+    def get_permissions(self, user, model, obj=None):
-        """
+        #Will always say there is no migrations, not taking the IP into accounts
-            Access to containers
+        return set()
-        """
-        from djangoldp.models import Model
-        if self.is_a_container(request._request.path):
-            try:
-                obj = Model.resolve_parent(request.path)
-                model = view.parent_model
-            except:
-                obj = None
-                model = view.model
-        else:
-            obj = Model.resolve_id(request._request.path)
-            model = view.model
-        # get permissions required
-        perms = self.get_permissions(request.method, model)
-        user_perms = self.user_permissions(request.user, model, obj)
-        # compare them with the permissions I have
+class InheritPermissions(LDPBasePermission):
-        for perm in perms:
+    """Gets the permissions from a related objects"""
-            if not perm.split('.')[-1].split('_')[0] in user_perms:
+    @classmethod
-                return False
+    def get_parent_fields(cls, model: object) -> list:
+        '''checks that the model is adequately configured and returns the associated model'''
+        assert hasattr(model._meta, 'inherit_permissions') and isinstance(model._meta.inherit_permissions, list), \
+            f'Model {model} has InheritPermissions applied without "inherit_permissions" defined as a list'
-        return True
+        return model._meta.inherit_permissions
-    def is_a_container(self, path):
+    @classmethod
-        from djangoldp.models import Model
+    def get_parent_model(cls, model:object, field_name:str) -> object:
-        container, id = Model.resolve(path)
+        parent_model = model._meta.get_field(field_name).related_model
-        return id is None
+        assert hasattr(parent_model._meta, 'permission_classes'), \
+            f'Related model {parent_model} has no "permission_classes" defined'
+        return parent_model
+    def get_parent_objects(self, obj:object, field_name:str) -> list:
+        '''gets the parent object'''
+        if obj is None:
+            return []
+        field = obj._meta.get_field(field_name)
+        if field.many_to_many or field.one_to_many:
+            return getattr(obj, field.get_accessor_name()).all()
+        parent = getattr(obj, field_name, None)
+        return [parent] if parent else []
+    @classmethod
+    def clone_with_model(self, request:object, view:object, model:object) -> tuple:
+        '''changes the model on the argument, so that they can be called on the parent model'''
+        # For some reason if we copy the request itself, we go into an infinite loop, so take the native request instead
+        _request = copy(request._request)
+        _request.model = model
+        _request.data = request.data #because the data is not present on the native request
+        _request._request = _request #so that it can be nested
+        _view = copy(view)
+        _view.queryset = None #to make sure the model is taken into account
+        _view.model = model
+        return _request, _view
-    def has_object_permission(self, request, view, obj):
+    @classmethod
-        """
+    def generate_filter_backend(cls, parent:object, field_name:str) -> BaseFilterBackend:
-            Access to objects
+        '''returns a new Filter backend that applies all filters of the parent model'''
-            User have permission on request: Continue
+        filter_arg = f'{field_name}__in'
-            User does not have permission:   403
+        backends = {perm().get_filter_backend(parent) for perm in parent._meta.permission_classes}
-        """
-        # get permissions required
+        class InheritFilterBackend(BaseFilterBackend):
-        perms = self.get_permissions(request.method, obj)
+            def __init__(self) -> None:
-        model = obj
+                self.filters = []
-        user_perms = self.user_permissions(request.user, model, obj)
+                for backend in backends:
+                    if backend:
-        # compare them with the permissions I have
+                        self.filters.append(backend())
-        for perm in perms:
+            def filter_queryset(self, request:object, queryset:object, view:object) -> object:
-            if not perm.split('.')[-1].split('_')[0] in user_perms:
+                request, view = InheritPermissions.clone_with_model(request, view, parent)
-                return False
+                for filter in self.filters:
+                    allowed_parents = filter.filter_queryset(request, parent.objects.all(), view)
+                    queryset = queryset.filter(**{filter_arg: allowed_parents})
+                return queryset
+        return InheritFilterBackend
+    @classmethod
+    def generate_filter_backend_for_none(cls, fields) -> BaseFilterBackend:
+        '''returns a new Filter backend that checks that none of the parent fields are set'''
+        class InheritNoneFilterBackend(BaseFilterBackend):
+            def filter_queryset(self, request:object, queryset:object, view:object) -> object:
+                return queryset.filter(**{field: None for field in fields})
+        return InheritNoneFilterBackend
+    @classmethod
+    def get_filter_backend(cls, model:object) -> BaseFilterBackend:
+        '''Returns a union filter backend of all filter backends of parents'''
+        fields = cls.get_parent_fields(model)
+        backends = [cls.generate_filter_backend(cls.get_parent_model(model, field), field) for field in fields]
+        backend_none = cls.generate_filter_backend_for_none(fields)
+        return join_filter_backends(*backends, backend_none, model=model, union=True)
+    def has_permission(self, request:object, view:object) -> bool:
+        '''Returns True unless we're trying to create a resource with a link to a parent we're not allowed to change'''
+        if request.method == 'POST':
+            for field in InheritPermissions.get_parent_fields(view.model):
+                if field in request.data:
+                    model = InheritPermissions.get_parent_model(view.model, field)
+                    parent = model.objects.get(urlid=request.data[field]['@id'])
+                    _request, _view = InheritPermissions.clone_with_model(request, view, model)
+                    if not all([perm().has_object_permission(_request, _view, parent) for perm in model._meta.permission_classes]):
+                        return False
        return True
+    def has_object_permission(self, request:object, view:object, obj:object) -> bool:
+        '''Returns True if at least one inheriting object has permission'''
+        if not obj:
+            return super().has_object_permission(request, view, obj)
+        parents = []
+        for field in InheritPermissions.get_parent_fields(view.model):
+            model = InheritPermissions.get_parent_model(view.model, field)
+            parent_request, parent_view = InheritPermissions.clone_with_model(request, view, model)
+            for parent_object in self.get_parent_objects(obj, field):
+                parents.append(parent_object)
+                try:
+                    if all([perm().has_object_permission(parent_request, parent_view, parent_object) for perm in model._meta.permission_classes]):
+                        return True
+                except Http404:
+                    #keep trying
+                    pass
+        # return False if there were parent resources but none accepted
+        return False if parents else True
+    def get_permissions(self, user:object, model:object, obj:object=None) -> set:
+        '''returns a union of all inheriting linked permissions'''
+        perms = set()
+        parents = []
+        for field in InheritPermissions.get_parent_fields(model):
+            parent_model = InheritPermissions.get_parent_model(model, field)
+            for parent_object in self.get_parent_objects(obj, field):
+                parents.append(parent_object)
+                perms = perms.union(set.intersection(*[perm().get_permissions(user, parent_model, parent_object) 
+                                               for perm in parent_model._meta.permission_classes]))
+        if parents:
+            return perms
+        return super().get_permissions(user, model, obj)
\ No newline at end of file
--- a/djangoldp/related.py
+++ b/djangoldp/related.py
+from rest_framework.utils import model_meta
+def get_prefetch_fields(model, serializer, depth, prepend_string=''):
+    '''
+    This method should then be used with queryset.prefetch_related, to auto-fetch joined resources (to speed up nested serialization)
+    This can speed up ModelViewSet and LDPViewSet alike by as high a factor as 2
+    :param model: the model to be analysed
+    :param serializer: an LDPSerializer instance. Used to extract the fields for each nested model
+    :param depth: the depth at which to stop the recursion (should be set to the configured depth of the ViewSet)
+    :param prepend_string: should be set to the default. Used in recursive calls
+    :return: set of strings to prefetch for a given model. Including serialized nested fields and foreign keys recursively
+    called on many-to-many fields until configured depth reached
+    '''
+    # the objective is to build a list of fields and nested fields which should be prefetched for the optimisation
+    # of database queries
+    fields = set()
+    # get a list of all fields which would be serialized on this model
+    # TODO: dynamically generating serializer fields is necessary to retrieve many-to-many fields at depth > 0,
+    #  but the _all_ default has issues detecting reverse many-to-many fields
+    # meta_args = {'model': model, 'depth': 0, 'fields': getattr(model._meta, 'serializer_fields', '__all__')}
+    # meta_class = type('Meta', (), meta_args)
+    # serializer = (type(LDPSerializer)('TestSerializer', (LDPSerializer,), {'Meta': meta_class}))()
+    serializer_fields = set([f for f in serializer.get_fields()])
+    empty_containers = getattr(model._meta, 'empty_containers', [])
+    # we are only interested in foreign keys (and many-to-many relationships)
+    model_relations = model_meta.get_field_info(model).relations
+    for field_name, relation_info in model_relations.items():
+        # foreign keys can be added without fuss
+        if not relation_info.to_many:
+            fields.add((prepend_string + field_name))
+            continue
+        # nested fields should be added if serialized
+        if field_name in serializer_fields and field_name not in empty_containers:
+            fields.add((prepend_string + field_name))
+            # and they should also have their immediate foreign keys prefetched if depth not reached
+            if depth >= 0:
+                new_prepend_str = prepend_string + field_name + '__'
+                fields = fields.union(get_prefetch_fields(relation_info.related_model, serializer, depth - 1, new_prepend_str))
+    return fields
--- a/djangoldp/serializers.py
+++ b/djangoldp/serializers.py
-import time
 import uuid
-from collections import OrderedDict, Mapping, Iterable
+import json
+from collections import OrderedDict
+from collections.abc import Mapping, Iterable
+from copy import copy
 from typing import Any
 from urllib import parse
@@ -9,60 +11,113 @@ from django.contrib.auth import get_user_model
 from django.core.exceptions import ImproperlyConfigured
 from django.core.exceptions import ValidationError as DjangoValidationError
 from django.db import transaction
+from django.db.models import QuerySet
 from django.urls import resolve, Resolver404, get_script_prefix
 from django.urls.resolvers import get_resolver
-from django.db.models import QuerySet
 from django.utils.datastructures import MultiValueDictKeyError
 from django.utils.encoding import uri_to_iri
+from django.utils.functional import cached_property
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import SkipField, empty, ReadOnlyField
 from rest_framework.fields import get_error_detail, set_value
-from rest_framework.relations import HyperlinkedRelatedField, ManyRelatedField, MANY_RELATION_KWARGS, Hyperlink
+from rest_framework.relations import HyperlinkedRelatedField, ManyRelatedField, Hyperlink, MANY_RELATION_KWARGS
 from rest_framework.serializers import HyperlinkedModelSerializer, ListSerializer, ModelSerializer, LIST_SERIALIZER_KWARGS
 from rest_framework.settings import api_settings
 from rest_framework.utils import model_meta
 from rest_framework.utils.field_mapping import get_nested_relation_kwargs
-from rest_framework.utils.serializer_helpers import ReturnDict
+from rest_framework.utils.serializer_helpers import ReturnDict, BindingDict
 from djangoldp.fields import LDPUrlField, IdURLField
 from djangoldp.models import Model
-from djangoldp.permissions import LDPPermissions
+from djangoldp.permissions import DEFAULT_DJANGOLDP_PERMISSIONS
+# defaults for various DjangoLDP settings (see documentation)
+MAX_RECORDS_SERIALIZER_CACHE = getattr(settings, 'MAX_RECORDS_SERIALIZER_CACHE', 10000)
 class InMemoryCache:
    def __init__(self):
        self.cache = {
-            'time': time.time()
        }
-    def invalidate_cache(self):
+    def reset(self):
        self.cache = {
-            'time': time.time()
        }
-    def refresh_cache(self):
+    def has(self, cache_key, container_urlid=None, vary=None):
-        if time.time() - self.cache['time'] > 5:
+        return cache_key in self.cache and \
-            self.invalidate_cache()
+               (container_urlid is None or container_urlid in self.cache[cache_key]) and \
+               (vary is None or vary in self.cache[cache_key][container_urlid])
-    def has(self, cache_key):
+    def get(self, cache_key, container_urlid, vary):
-        return cache_key in self.cache
+        if self.has(cache_key, container_urlid, vary):
+            return self.cache[cache_key][container_urlid][vary]['value']
-    def get(self, cache_key):
+        else:
-        return self.cache[cache_key]
+            return None
-    def set(self, cache_key, value):
+    def set(self, cache_key, container_urlid, vary, value):
-        self.cache[cache_key] = value
+        if len(self.cache.keys()) > MAX_RECORDS_SERIALIZER_CACHE:
+            self.reset()
+        if cache_key not in self.cache:
+            self.cache[cache_key] = {}
+        if container_urlid not in self.cache[cache_key]:
+            self.cache[cache_key][container_urlid] = {}
+        self.cache[cache_key][container_urlid][vary] = {'value': value}
+    def invalidate(self, cache_key, container_urlid=None, vary=None):
+        # can clear cache_key -> container_urlid -> vary, cache_key -> container_urlid or cache_key
+        if container_urlid is not None:
+            if vary is not None:
+                self.cache[cache_key][container_urlid].pop(vary, None)
+            else:
+                self.cache[cache_key].pop(container_urlid, None)
+        else:
+            self.cache.pop(cache_key, None)
+GLOBAL_SERIALIZER_CACHE = InMemoryCache()
+class RDFSerializerMixin:
+    def add_permissions(self, data, user, model, obj=None):
+        '''takes a set or list of permissions and returns them in the JSON-LD format'''
+        if self.parent and not settings.LDP_INCLUDE_INNER_PERMS: #Don't serialize permissions on nested objects
+            return data
+        if user.is_superuser:
+            data['permissions'] = getattr(settings, 'DJANGOLDP_PERMISSIONS', DEFAULT_DJANGOLDP_PERMISSIONS)
+            return data
+        permission_classes = getattr(model._meta, 'permission_classes', [])
+        if not permission_classes:
+            return data
+        # The permissions must be given by all permission classes to be granted
+        permissions = set.intersection(*[permission().get_permissions(user, model, obj) for permission in permission_classes])
+        # Don't grant delete permissions on containers
+        if not obj and 'delete' in permissions:
+            permissions.remove('delete')
+        data['permissions'] = permissions
+        return data
+    def serialize_rdf_fields(self, obj, data, include_context=False):
+        '''adds the @type and the @context to the data'''
+        rdf_type = getattr(obj._meta, 'rdf_type', None)
+        rdf_context = getattr(obj._meta, 'rdf_context', None)
+        if rdf_type:
+            data['@type'] = rdf_type
+        if include_context and rdf_context:
+            data['@context'] = rdf_context
+        return data
+    def serialize_container(self, data, id, user, model, obj=None):
+        '''turns a list into a container representation'''
+        return self.add_permissions({'@id': id, '@type': 'ldp:Container', 'ldp:contains': data}, user, model, obj)
-class LDListMixin:
+class LDListMixin(RDFSerializerMixin):
    '''A Mixin for serializing containers into JSONLD format'''
    child_attr = 'child'
    with_cache = getattr(settings, 'SERIALIZER_CACHE', True)
-    to_representation_cache = InMemoryCache()
+    def get_child(self):
+        return getattr(self, self.child_attr)
    # converts primitive data representation to the representation used within our application
    def to_internal_value(self, data):
        try:
@@ -78,7 +133,51 @@ class LDListMixin:
        if isinstance(data, str) and data.startswith("http"):
            data = [{'@id': data}]
-        return [getattr(self, self.child_attr).to_internal_value(item) for item in data]
+        return [self.get_child().to_internal_value(item) for item in data]
+    def filter_queryset(self, queryset, child_model):
+        '''Applies the permission of the child model to the child queryset'''
+        view = copy(self.context['view'])
+        view.model = child_model
+        filter_backends = list({perm_class().get_filter_backend(child_model) for perm_class in 
+                getattr(child_model._meta, 'permission_classes', []) if hasattr(perm_class(), 'get_filter_backend')})
+        for backend in filter_backends:
+            if backend:
+                queryset = backend().filter_queryset(self.context['request'], queryset, view)
+        return queryset
+    def compute_id(self, value):
+        '''generates the @id of the container'''
+        if not hasattr(self, 'parent_instance'):
+            #This is a container
+            return f"{settings.BASE_URL}{self.context['request'].path}"
+        return f"{settings.BASE_URL}{Model.resource_id(self.parent_instance)}{self.field_name}/"
+    def get_attribute(self, instance):
+        # save the parent object for nested field url
+        self.parent_instance = instance
+        return super().get_attribute(instance)
+    def check_cache(self, value, id, model, cache_vary):
+        '''Auxiliary function to avoid code duplication - checks cache and returns from it if it has entry'''
+        parent_meta = getattr(self.get_child(), 'Meta', getattr(self.parent, 'Meta', None))
+        depth = max(getattr(parent_meta, "depth", 0), 0) if parent_meta else 1
+        if depth:
+            # if the depth is greater than 0, we don't hit the cache, because a nested container might be outdated
+            # this Mixin may not have access to the depth of the parent serializer, e.g. if it's a ManyRelatedField
+            # in these cases we assume the depth is 0 and so we hit the cache
+            return None
+        cache_key = getattr(model._meta, 'label', None)
+        if self.with_cache and GLOBAL_SERIALIZER_CACHE.has(cache_key, id, cache_vary):
+            cache_value = GLOBAL_SERIALIZER_CACHE.get(cache_key, id, cache_vary)
+            # this check is to handle the situation where the cache has been invalidated by something we don't check
+            # namely if my permissions are upgraded then I may have access to view more objects
+            cache_under_value = cache_value['ldp:contains'] if 'ldp:contains' in cache_value else cache_value
+            if not hasattr(cache_under_value, '__len__') or not hasattr(value, '__len__') or (len(cache_under_value) == len(value)):
+                return cache_value
+        return False
    def to_representation(self, value):
        '''
@@ -88,64 +187,35 @@ class LDListMixin:
         - Can Add if add permission on contained object's type
         - Can view the container is view permission on container model : container obj are filtered by view permission
        '''
-        self.to_representation_cache.refresh_cache()
        try:
-            child_model = getattr(self, self.child_attr).Meta.model
+            child_model = self.get_child().Meta.model
        except AttributeError:
            child_model = value.model
+        user = self.context['request'].user
-        parent_model = None
+        id = self.compute_id(value)
-        if isinstance(value, QuerySet):
+        is_container = True
-            value = list(value)
+        if getattr(self, 'parent', None): #If we're in a nested container
+            if isinstance(value, QuerySet) and getattr(self, 'parent', None):
-        if not isinstance(value, Iterable):
+                value = self.filter_queryset(value, child_model)
-            if not self.id.startswith('http'):
-                self.id = '{}{}{}'.format(settings.BASE_URL, Model.resource(parent_model), self.id)
+            if getattr(self, 'field_name', None) is not None:
+                if self.field_name in getattr(self.parent.Meta.model._meta, 'empty_containers', []):
-            cache_key = self.id
+                    return {'@id': id}
-            if self.with_cache and self.to_representation_cache.has(cache_key):
+                if not self.field_name in getattr(self.parent.Meta.model._meta, 'nested_fields', []):
-                return self.to_representation_cache.get(cache_key)
+                    is_container = False
-            filtered_values = value
+        cache_vary = str(user)
-            container_permissions = Model.get_permissions(child_model, self.context, ['view', 'add'])
+        cache_result = self.check_cache(value, id, child_model, cache_vary)
+        if cache_result:
-        else:
+            return cache_result
-            # this is a container. Parent model is the containing object, child the model contained
-            try:
+        data = super().to_representation(value)
-                parent_model = Model.resolve_parent(self.context['request'].path)
+        if is_container:
-            except:
+            data = self.serialize_container(data, id, user, child_model)
-                parent_model = child_model
+        GLOBAL_SERIALIZER_CACHE.set(getattr(child_model._meta, 'label'), id, cache_vary, data)
-            if not self.id.startswith('http'):
+        return GLOBAL_SERIALIZER_CACHE.get(getattr(child_model._meta, 'label'), id, cache_vary)
-                self.id = '{}{}{}'.format(settings.BASE_URL, Model.resource(parent_model), self.id)
-            cache_key = self.id
-            if self.with_cache and self.to_representation_cache.has(cache_key):
-                return self.to_representation_cache.get(cache_key)
-            # remove objects from the list which I don't have permission to view
-            filtered_values = list(
-                filter(lambda v: Model.get_permission_classes(v, [LDPPermissions])[0]().has_object_permission(
-                    self.context['request'], self.context['view'], v), value))
-            container_permissions = Model.get_permissions(child_model, self.context, ['add'])
-            container_permissions.extend(
-                Model.get_permissions(parent_model, self.context, ['view']))
-        self.to_representation_cache.set(self.id, {'@id': self.id,
-                '@type': 'ldp:Container',
-                'ldp:contains': super().to_representation(filtered_values),
-                'permissions': container_permissions
-                })
-        return self.to_representation_cache.get(self.id)
-    def get_attribute(self, instance):
-        parent_id_field = self.parent.fields[self.parent.url_field_name]
-        context = self.parent.context
-        parent_id = parent_id_field.get_url(instance, parent_id_field.view_name, context['request'], context['format'])
-        self.id = parent_id + self.field_name + "/"
-        return super().get_attribute(instance)
    def get_value(self, dictionary):
        try:
@@ -201,31 +271,38 @@ class LDListMixin:
            return obj
+class IdentityFieldMixin:
+    def to_internal_value(self, data):
+        '''Gives the @id as a representation if present'''
+        try:
+            return super().to_internal_value(data[self.parent.url_field_name])
+        except (KeyError, TypeError):
+            return super().to_internal_value(data)
-class ContainerSerializer(LDListMixin, ListSerializer):
+class ContainerSerializer(LDListMixin, ListSerializer, IdentityFieldMixin):
    id = ''
    @property
    def data(self):
        return ReturnDict(super(ListSerializer, self).data, serializer=self)
-    def to_internal_value(self, data):
-        try:
-            return super().to_internal_value(data[self.parent.url_field_name])
-        except (KeyError, TypeError):
-            return super().to_internal_value(data)
 class ManyJsonLdRelatedField(LDListMixin, ManyRelatedField):
    child_attr = 'child_relation'
    url_field_name = "@id"
-class JsonLdField(HyperlinkedRelatedField):
+class JsonLdField(HyperlinkedRelatedField, IdentityFieldMixin):
    def __init__(self, view_name=None, **kwargs):
        super().__init__(view_name, **kwargs)
        self.get_lookup_args()
+    def get_url(self, obj, view_name, request, format):
+        '''Overridden from DRF to shortcut on urlid-holding objects'''
+        if hasattr(obj, 'urlid') and obj.urlid not in (None, ''):
+            return obj.urlid
+        return super().get_url(obj, view_name, request, format)
    def get_lookup_args(self):
        try:
            lookup_field = get_resolver().reverse_dict[self.view_name][0][0][1][0]
@@ -234,26 +311,25 @@ class JsonLdField(HyperlinkedRelatedField):
        except MultiValueDictKeyError:
            pass
+class JsonLdRelatedField(JsonLdField, RDFSerializerMixin):
+    def use_pk_only_optimization(self):
+        return False
-class JsonLdRelatedField(JsonLdField):
    def to_representation(self, value):
        try:
+            include_context = False
            if Model.is_external(value):
-                return {'@id': value.urlid}
+                data = {'@id': value.urlid}
            else:
-                return {'@id': super().to_representation(value)}
+                include_context = True
+                data = {'@id': super().to_representation(value)}
+            return self.serialize_rdf_fields(value, data, include_context=include_context)
        except ImproperlyConfigured:
            return value.pk
-    def to_internal_value(self, data):
-        try:
-            return super().to_internal_value(data[self.parent.url_field_name])
-        except (KeyError, TypeError):
-            return super().to_internal_value(data)
    @classmethod
    def many_init(cls, *args, **kwargs):
-        list_kwargs = {'child_relation': cls(*args, **kwargs)}
+        list_kwargs = {'child_relation': cls(*args, **kwargs),}
        for key in kwargs:
            if key in MANY_RELATION_KWARGS:
                list_kwargs[key] = kwargs[key]
@@ -270,13 +346,6 @@ class JsonLdIdentityField(JsonLdField):
    def use_pk_only_optimization(self):
        return False
-    def to_internal_value(self, data):
-        '''tells serializer how to write identity field'''
-        try:
-            return super().to_internal_value(data[self.parent.url_field_name])
-        except KeyError:
-            return super().to_internal_value(data)
    def to_representation(self, value: Any) -> Any:
        '''returns hyperlink representation of identity field'''
        try:
@@ -285,7 +354,7 @@ class JsonLdIdentityField(JsonLdField):
                return Hyperlink(value, value)
            # expecting a user instance. Compute the webid and return this in hyperlink format
            else:
-                return Hyperlink(value.webid(), value)
+                return Hyperlink(value.urlid, value)
        except AttributeError:
            return super().to_representation(value)
@@ -298,15 +367,39 @@ class JsonLdIdentityField(JsonLdField):
            return super().get_attribute(instance)
-class LDPSerializer(HyperlinkedModelSerializer):
+class LDPSerializer(HyperlinkedModelSerializer, RDFSerializerMixin):
    url_field_name = "@id"
    serializer_related_field = JsonLdRelatedField
    serializer_url_field = JsonLdIdentityField
    ModelSerializer.serializer_field_mapping[LDPUrlField] = IdURLField
-    with_cache = getattr(settings, 'SERIALIZER_CACHE', True)
+    # The default serializer repr ends in infinite loop. Overloading it prevents that.
+    def __repr__(self):
+        return self.__class__.__name__
+    @cached_property
+    def fields(self):
+        """
+        A dictionary of {field_name: field_instance}.
+        """
+        # `fields` is evaluated lazily. We do this to ensure that we don't
+        # have issues importing modules that use ModelSerializers as fields,
+        # even if Django's app-loading stage has not yet run.
+        fields = BindingDict(self)
+        # we allow the request object to specify a subset of fields which should be serialized
+        model_fields = self.get_fields()
+        req_header_accept_shape = self.context['request'].META.get('HTTP_ACCEPT_MODEL_FIELDS') if 'request' in self.context else None
+        try:
+            allowed_fields = list(set(json.loads(req_header_accept_shape)).intersection(model_fields.keys())) if req_header_accept_shape is not None else model_fields.keys()
+        except json.decoder.JSONDecodeError:
+            raise ValidationError("Please send the HTTP header Accept-Model-Fields as an array of strings")
-    to_representation_cache = InMemoryCache()
+        for key, value in model_fields.items():
+            if key in allowed_fields:
+                fields[key] = value
+        return fields
    def get_default_field_names(self, declared_fields, model_info):
        try:
@@ -316,19 +409,12 @@ class LDPSerializer(HyperlinkedModelSerializer):
        return fields + list(getattr(self.Meta, 'extra_fields', []))
    def to_representation(self, obj):
-        # external Models should only be returned with an id (on GET)
+        # external Models should only be returned with rdf values
-        self.to_representation_cache.refresh_cache()
+        if Model.is_external(obj):
-        if self.context['request'].method == 'GET' and Model.is_external(obj):
+            data = {'@id': obj.urlid}
-            return {'@id': obj.urlid}
+            return self.serialize_rdf_fields(obj, data)
-        if self.with_cache and hasattr(obj, 'urlid'):
+        data = super().to_representation(obj)
-            if self.to_representation_cache.has(obj.urlid):
-                data = self.to_representation_cache.get(obj.urlid)
-            else:
-                data = super().to_representation(obj)
-                self.to_representation_cache.set(obj.urlid, data)
-        else:
-            data = super().to_representation(obj)
        slug_field = Model.slug_field(obj)
        for field in data:
@@ -339,61 +425,45 @@ class LDPSerializer(HyperlinkedModelSerializer):
            data['@id'] = data.pop('urlid')['@id']
        if not '@id' in data:
            data['@id'] = '{}{}'.format(settings.SITE_URL, Model.resource(obj))
-        rdf_type = Model.get_meta(obj, 'rdf_type', None)
-        rdf_context = Model.get_meta(obj, 'rdf_context', None)
-        if rdf_type is not None:
-            data['@type'] = rdf_type
-        if rdf_context is not None:
-            data['@context'] = rdf_context
-        data['permissions'] = Model.get_permissions(obj, self.context,
-                                                    ['view', 'change', 'control', 'delete'])
+        data = self.serialize_rdf_fields(obj, data, include_context=True)
+        data = self.add_permissions(data, self.context['request'].user, type(obj), obj=obj)
        return data
    def build_property_field(self, field_name, model_class):
        class JSonLDPropertyField(ReadOnlyField):
            def to_representation(self, instance):
                from djangoldp.views import LDPViewSet
+                if isinstance(instance, QuerySet):
-                if isinstance(instance, QuerySet) or isinstance(instance, Model):
+                    model = instance.model
-                    try:
+                elif isinstance(instance, Model):
-                        model_class = instance.model
+                    model = type(instance)
-                    except:
-                        model_class = instance.__class__
-                    serializer_generator = LDPViewSet(model=model_class,
-                                                      lookup_field=Model.get_meta(model_class, 'lookup_field', 'pk'),
-                                                      permission_classes=Model.get_meta(model_class,
-                                                                                        'permission_classes',
-                                                                                        [LDPPermissions]),
-                                                      fields=Model.get_meta(model_class, 'serializer_fields', []),
-                                                      nested_fields=model_class.nested.nested_fields())
-                    parent_depth = max(getattr(self.parent.Meta, "depth", 0) - 1, 0)
-                    serializer_generator.depth = parent_depth
-                    serializer = serializer_generator.build_read_serializer()(context=self.parent.context)
-                    if parent_depth is 0:
-                        serializer.Meta.fields = ["@id"]
-                    if isinstance(instance, QuerySet):
-                        data = list(instance)
-                        return {'@id': '{}{}{}/'.format(settings.SITE_URL, '{}{}/', self.source),
-                                '@type': 'ldp:Container',
-                                'ldp:contains': [serializer.to_representation(item) if item is not None else None for
-                                                 item
-                                                 in data],
-                                'permissions': Model.get_permissions(self.parent.Meta.model,
-                                                                     self.context,
-                                                                     ['view', 'add'])
-                                }
-                    else:
-                        return serializer.to_representation(instance)
                else:
                    return instance
+                depth = max(getattr(self.parent.Meta, "depth", 0) - 1, 0)
+                fields = ["@id"] if depth==0 else getattr(model._meta, 'serializer_fields', [])
+                serializer_generator = LDPViewSet(model=model, fields=fields, depth=depth,
+                                                    lookup_field=getattr(model._meta, 'lookup_field', 'pk'),
+                                                    permission_classes=getattr(model._meta, 'permission_classes', []),
+                                                    nested_fields=getattr(model._meta, 'nested_fields', []))
+                serializer = serializer_generator.get_serializer_class()(context=self.parent.context)
+                if isinstance(instance, QuerySet):
+                    id = '{}{}{}/'.format(settings.SITE_URL, '{}{}/', self.source)
+                    children = [serializer.to_representation(item) for item in instance]
+                    return self.parent.serialize_container(children, id, self.parent.context['request'].user, model)
+                else:
+                    return serializer.to_representation(instance)
-        field_class = JSonLDPropertyField
+        return JSonLDPropertyField, {}
-        field_kwargs = {}
-        return field_class, field_kwargs
+    def handle_value_object(self, value):
+        '''
+        In JSON-LD value-objects can be passed in, which store some context on the field passed. By overriding this
+        function you can react to this context on a field without overriding build_standard_field
+        '''
+        return value['@value']
    def build_standard_field(self, field_name, model_field):
        class JSonLDStandardField:
@@ -424,6 +494,10 @@ class LDPSerializer(HyperlinkedModelSerializer):
                if self.field_name == '@id' and value == './':
                    self.field_name = 'urlid'
                    return None
+                if isinstance(value, dict) and '@value' in value:
+                    value = self.parent.handle_value_object(value)
                return self.manage_empty(value)
            def manage_empty(self, value):
@@ -442,9 +516,7 @@ class LDPSerializer(HyperlinkedModelSerializer):
        return type(field_class.__name__ + 'Valued', (JSonLDStandardField, field_class), {}), field_kwargs
    def build_nested_field(self, field_name, relation_info, nested_depth):
        class NestedLDPSerializer(self.__class__):
            class Meta:
                model = relation_info.related_model
                depth = nested_depth - 1
@@ -454,11 +526,8 @@ class LDPSerializer(HyperlinkedModelSerializer):
                    fields = '__all__'
            def to_internal_value(self, data):
-                if data is '':
+                if data == '':
                    return ''
-                # workaround for Hubl app - 293
-                if 'username' in data and not self.url_field_name in data:
-                    data[self.url_field_name] = './'
                if self.url_field_name in data:
                    if not isinstance(data, Mapping):
                        message = self.error_messages['invalid'].format(
@@ -473,7 +542,6 @@ class LDPSerializer(HyperlinkedModelSerializer):
                    # validate fields passed in the data
                    fields = list(filter(lambda x: x.field_name in data, self._writable_fields))
                    for field in fields:
                        validate_method = getattr(self, 'validate_' + field.field_name, None)
                        primitive_value = field.get_value(data)
@@ -493,23 +561,26 @@ class LDPSerializer(HyperlinkedModelSerializer):
                    if errors:
                        raise ValidationError(errors)
-                    # resolve path of the resource
+                    # if it's a local resource - use the path to resolve the slug_field on the model
                    uri = data[self.url_field_name]
-                    http_prefix = uri.startswith(('http:', 'https:'))
+                    if not Model.is_external(uri):
+                        http_prefix = uri.startswith(('http:', 'https:'))
-                    if http_prefix:
+                        if http_prefix:
-                        uri = parse.urlparse(uri).path
+                            uri = parse.urlparse(uri).path
-                        prefix = get_script_prefix()
+                            prefix = get_script_prefix()
-                        if uri.startswith(prefix):
+                            if uri.startswith(prefix):
-                            uri = '/' + uri[len(prefix):]
+                                uri = '/' + uri[len(prefix):]
-                    try:
+                        try:
-                        match = resolve(uri_to_iri(uri))
+                            match = resolve(uri_to_iri(uri))
-                        slug_field = Model.slug_field(self.__class__.Meta.model)
+                            slug_field = Model.slug_field(self.__class__.Meta.model)
-                        ret[slug_field] = match.kwargs[slug_field]
+                            ret[slug_field] = match.kwargs[slug_field]
-                    except Resolver404:
+                        except Resolver404:
-                        if 'urlid' in data:
+                            pass
-                            ret['urlid'] = data['urlid']
+                    if 'urlid' in data:
+                        ret['urlid'] = data['urlid']
                else:
                    ret = super().to_internal_value(data)
@@ -542,15 +613,16 @@ class LDPSerializer(HyperlinkedModelSerializer):
        list_serializer_class = getattr(meta, 'list_serializer_class', ContainerSerializer)
        serializer = list_serializer_class(*args, **list_kwargs)
-        if 'context' in kwargs and getattr(kwargs['context']['view'], 'nested_field', None) is not None:
+        # if the child serializer has disabled the cache, really it means disable it on the container
-            serializer.id = '{}{}/'.format(serializer.id, kwargs['context']['view'].nested_field)
+        if hasattr(child_serializer, 'with_cache'):
-        elif 'context' in kwargs:
+            serializer.with_cache = child_serializer.with_cache
-            serializer.id = '{}{}'.format(settings.BASE_URL, kwargs['context']['view'].request.path)
        return serializer
    def to_internal_value(self, data):
-        is_user_and_external = self.Meta.model is get_user_model() and '@id' in data and not data['@id'].startswith(
+        #TODO: This hack is needed because external users don't pass validation.
-            settings.BASE_URL)
+        # Objects require all fields to be optional to be created as external, and username is required.
+        is_user_and_external = self.Meta.model is get_user_model() and '@id' in data and Model.is_external(data['@id'])
        if is_user_and_external:
            data['username'] = 'external'
        ret = super().to_internal_value(data)
@@ -610,7 +682,7 @@ class LDPSerializer(HyperlinkedModelSerializer):
    def internal_create(self, validated_data, model):
        validated_data = self.resolve_fk_instances(model, validated_data, True)
-        # build tuples list of nested_field keys and their values
+        # build tuples list of nested_field keys and their values. All list values are considered nested fields
        nested_fields = []
        nested_list_fields_name = list(filter(lambda key: isinstance(validated_data[key], list), validated_data))
        for field_name in nested_list_fields_name:
@@ -618,10 +690,13 @@ class LDPSerializer(HyperlinkedModelSerializer):
        info = model_meta.get_field_info(model)
        many_to_many = []
+        one_to_one = {}
        for field_name, relation_info in info.relations.items():
            if relation_info.to_many and relation_info.reverse and (
                    field_name in validated_data) and not field_name is None:
                many_to_many.append((field_name, validated_data.pop(field_name)))
+            elif relation_info.reverse and (field_name in validated_data) and not field_name is None:
+                one_to_one[field_name] = validated_data[field_name]
        validated_data = self.remove_empty_value(validated_data)
        if model is get_user_model() and not 'username' in validated_data:
@@ -631,6 +706,11 @@ class LDPSerializer(HyperlinkedModelSerializer):
        for field_name, value in many_to_many:
            validated_data[field_name] = value
+        if one_to_one:
+             for field_name, value in one_to_one.items():
+                 setattr(instance, field_name, value)
+                 value.save()
        self.save_or_update_nested_list(instance, nested_fields)
        return instance
@@ -638,13 +718,12 @@ class LDPSerializer(HyperlinkedModelSerializer):
    def remove_empty_value(self, validated_data):
        '''sets any empty strings in the validated_data to None'''
        for attr, value in validated_data.items():
-            if value is '':
+            if value == '':
                validated_data[attr] = None
        return validated_data
    def update(self, instance, validated_data):
        model = self.Meta.model
        nested_fields = []
        nested_fields_name = list(filter(lambda key: isinstance(validated_data[key], list), validated_data))
        for field_name in nested_fields_name:
@@ -653,7 +732,7 @@ class LDPSerializer(HyperlinkedModelSerializer):
        for attr, value in validated_data.items():
            if isinstance(value, dict):
                value = self.update_dict_value(attr, instance, value)
-            if value is '' and not isinstance(getattr(instance, attr), str):
+            if value == '' and not isinstance(getattr(instance, attr), str):
                setattr(instance, attr, None)
            else:
                setattr(instance, attr, value)
@@ -708,14 +787,16 @@ class LDPSerializer(HyperlinkedModelSerializer):
    def update_dict_value(self, attr, instance, value):
        info = model_meta.get_field_info(instance)
-        slug_field = Model.slug_field(instance)
        relation_info = info.relations.get(attr)
-        if slug_field in value :
+        slug_field = Model.slug_field(relation_info.related_model)
+        if slug_field in value:
            value = self.update_dict_value_when_id_is_provided(attr, instance, relation_info, slug_field, value)
        else:
            if 'urlid' in value:
                if parse.urlparse(settings.BASE_URL).netloc == parse.urlparse(value['urlid']).netloc:
-                    model, value = Model.resolve(value['urlid'])
+                    model, oldObj = Model.resolve(value['urlid'])
+                    value = self.update(instance=oldObj, validated_data=value)
                elif hasattr(relation_info.related_model, 'urlid'):
                    value = Model.get_or_create_external(relation_info.related_model, value['urlid'])
            else:
@@ -748,7 +829,8 @@ class LDPSerializer(HyperlinkedModelSerializer):
            manager = getattr(instance, attr)
            oldObj = manager._meta.model.objects.get(**kwargs)
        else:
-            oldObj = getattr(instance, attr)
+            related_model = relation_info.related_model
+            oldObj = related_model.objects.get(**kwargs)
        value = self.update(instance=oldObj, validated_data=value)
        return value
@@ -757,22 +839,19 @@ class LDPSerializer(HyperlinkedModelSerializer):
        for (field_name, data) in nested_fields:
            manager = getattr(instance, field_name)
            field_model = manager.model
-            slug_field = Model.slug_field(manager.model)
+            slug_field = Model.slug_field(field_model)
            try:
-                item_pk_to_keep = list(map(lambda e: e[slug_field], filter(lambda x: slug_field in x, data)))
+                item_pk_to_keep = [obj_dict[slug_field] for obj_dict in data if slug_field in obj_dict]
            except TypeError:
-                item_pk_to_keep = list(
+                item_pk_to_keep = [getattr(obj, slug_field) for obj in data if hasattr(obj, slug_field)]
-                    map(lambda e: getattr(e, slug_field), filter(lambda x: hasattr(x, slug_field), data)))
-            if getattr(manager, 'through', None) is None:
+            if hasattr(manager, 'through'):
-                for item in list(manager.all()):
-                    if not str(getattr(item, slug_field)) in item_pk_to_keep:
-                        item.delete()
-            else:
                manager.clear()
+            else:
+                manager.exclude(pk__in=item_pk_to_keep).delete()
            for item in data:
-                if not isinstance(item, dict):
+                if isinstance(item, Model):
                    item.save()
                    saved_item = item
                elif slug_field in item:
@@ -780,7 +859,7 @@ class LDPSerializer(HyperlinkedModelSerializer):
                    saved_item = self.get_or_create(field_model, item, kwargs)
                elif 'urlid' in item:
                    # has urlid and is a local resource
-                    if parse.urlparse(settings.BASE_URL).netloc == parse.urlparse(item['urlid']).netloc:
+                    if not Model.is_external(item['urlid']):
                        model, old_obj = Model.resolve(item['urlid'])
                        if old_obj is not None:
                            saved_item = self.update(instance=old_obj, validated_data=item)
@@ -800,7 +879,8 @@ class LDPSerializer(HyperlinkedModelSerializer):
                        pass
                    saved_item = self.internal_create(validated_data=item, model=manager.model)
-                if getattr(manager, 'through', None) is not None and manager.through._meta.auto_created:
+                if hasattr(manager, 'through') and manager.through._meta.auto_created:
+                    #First remove to avoid duplicates
                    manager.remove(saved_item)
                    manager.add(saved_item)
@@ -810,4 +890,4 @@ class LDPSerializer(HyperlinkedModelSerializer):
            saved_item = self.update(instance=old_obj, validated_data=item)
        except field_model.DoesNotExist:
            saved_item = self.internal_create(validated_data=item, model=field_model)
        return saved_item
\ No newline at end of file
--- a/djangoldp/templates/swagger-ui.html
+++ b/djangoldp/templates/swagger-ui.html
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Swagger</title>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <link rel="stylesheet" type="text/css" href="https://unpkg.com/swagger-ui-dist@3/swagger-ui.css">
+</head>
+<body>
+    <div id="swagger-ui"></div>
+    <script src="https://unpkg.com/swagger-ui-dist@3/swagger-ui-bundle.js"></script>
+    <script>
+        const ui = SwaggerUIBundle({
+            url: "{% url 'schema' %}",
+            dom_id: '#swagger-ui',
+            presets: [
+                SwaggerUIBundle.presets.apis,
+                SwaggerUIBundle.SwaggerUIStandalonePreset
+            ],
+            layout: "BaseLayout",
+            requestInterceptor: (request) => {
+                request.headers['X-CSRFToken'] = "{{ csrf_token }}"
+                return request;
+            }
+        })
+    </script>
+</body>
+</html>
\ No newline at end of file
--- a/djangoldp/tests/djangoldp_settings.py
+++ b/djangoldp/tests/djangoldp_settings.py
+"""
+This module is meant to be used as a testing LDP package.
+It contains configuration elements imported by a djangoldp-package
+when the django server is setup.
+"""
+# define an extra variables
+MYPACKAGEVAR = 'ok'
+USE_I18N = False
+# register an extra middleware
+MIDDLEWARE = [
+    'djangoldp.tests.dummy.middleware.DummyMiddleware'
+]
+# register an extra installed app
+INSTALLED_APPS = [
+    'djangoldp.tests.dummy.apps.DummyConfig'
+]
+SECRET_KEY = "$r&)p-4k@h5b!1yrft6&q%j)_p$lxqh6#)jeeu0z1iag&y&wdu"
--- a/djangoldp/tests/djangoldp_urls.py
+++ b/djangoldp/tests/djangoldp_urls.py
-from django.conf.urls import re_path
+from django.urls import path
+from djangoldp.tests.models import Message, Conversation, Dummy, PermissionlessDummy, Task, DateModel, LDPDummy
-from djangoldp.permissions import LDPPermissions
+from djangoldp.permissions import ACLPermissions
-from djangoldp.tests.models import Skill, JobOffer, Message, Conversation, Dummy, PermissionlessDummy, Task, DateModel
 from djangoldp.views import LDPViewSet
 urlpatterns = [
-    re_path(r'^messages/', LDPViewSet.urls(model=Message, permission_classes=[LDPPermissions], fields=["@id", "text", "conversation"], nested_fields=['conversation'])),
+    path('messages/', LDPViewSet.urls(model=Message, fields=["@id", "text", "conversation"], nested_fields=['conversation'])),
-    re_path(r'^conversations/', LDPViewSet.urls(model=Conversation, nested_fields=["message_set"], permission_classes=[LDPPermissions])),
+    path('tasks/', LDPViewSet.urls(model=Task)),
-    re_path(r'^tasks/', LDPViewSet.urls(model=Task, permission_classes=[LDPPermissions])),
+    path('conversations/', LDPViewSet.urls(model=Conversation, nested_fields=["message_set", "observers"])),
-    re_path(r'^dates/', LDPViewSet.urls(model=DateModel, permission_classes=[LDPPermissions])),
+    path('dummys/', LDPViewSet.urls(model=Dummy, lookup_field='slug',)),
-    re_path(r'^dummys/', LDPViewSet.urls(model=Dummy, permission_classes=[LDPPermissions], lookup_field='slug',)),
+    path('permissionless-dummys/', LDPViewSet.urls(model=PermissionlessDummy, lookup_field='slug', permission_classes=[ACLPermissions])),
-    re_path(r'^permissionless-dummys/', LDPViewSet.urls(model=PermissionlessDummy, permission_classes=[LDPPermissions], lookup_field='slug',)),
 ]
--- a/djangoldp/tests/dummy/__init__.py
+++ b/djangoldp/tests/dummy/__init__.py
--- a/djangoldp/tests/dummy/apps.py
+++ b/djangoldp/tests/dummy/apps.py
+"""This module contains apps for testing."""
+from django.apps import AppConfig
+class DummyConfig(AppConfig):
+    # 'djangoldp.tests' is already registered as an installed app (it simulates a LDP package)
+    name = 'djangoldp.tests.dummy'
--- a/djangoldp/tests/dummy/middleware.py
+++ b/djangoldp/tests/dummy/middleware.py
+"""This module contains a dummy middleware for djangoldp testing."""
+class DummyMiddleware(object):
+    def __init__(self, get_response):
+        self.get_response = get_response
+    def __call__(self, request):
+        return self.get_response(request)
--- a/djangoldp/tests/fixtures/inbox.json
+++ b/djangoldp/tests/fixtures/inbox.json
+[{"model": "djangoldp_notification.notification", "pk": 100, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 101, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 102, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 103, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 104, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 105, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 106, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 107, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 108, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 109, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 110, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 111, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 112, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 113, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 114, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 115, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 116, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 117, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 118, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 119, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 120, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 121, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 122, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 123, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 124, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 125, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 126, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 127, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 128, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 129, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 130, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 131, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 132, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 133, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 134, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 135, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 136, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 137, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 138, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 139, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 140, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 141, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 142, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 143, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 144, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 145, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 146, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 147, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 148, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 149, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 150, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 151, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 152, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 153, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 154, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 155, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 156, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 157, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 158, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 159, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 160, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 161, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 162, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 163, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 164, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 165, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 166, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 167, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 168, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 169, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 170, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 171, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 172, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 173, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 174, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 175, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 176, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 177, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 178, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 179, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 180, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 181, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 182, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 183, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 184, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 185, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 186, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 187, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 188, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 189, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 190, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 191, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 192, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 193, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 194, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 195, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 196, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 197, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 198, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 199, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}, {"model": "djangoldp_notification.notification", "pk": 200, "fields": {"user": "1", "author": "Test", "object": "http://localhost:8000/users/admin/", "type": "Update", "summary": "Test", "date": "2020-11-26"}}]
\ No newline at end of file
--- a/djangoldp/tests/fixtures/live.json
+++ b/djangoldp/tests/fixtures/live.json
--- a/djangoldp/tests/fixtures/test.json
+++ b/djangoldp/tests/fixtures/test.json
--- a/djangoldp/tests/fixtures/test_1000.json
+++ b/djangoldp/tests/fixtures/test_1000.json
--- a/djangoldp/tests/fixtures/test_ten_1000.json
+++ b/djangoldp/tests/fixtures/test_ten_1000.json
--- a/djangoldp/tests/models.py
+++ b/djangoldp/tests/models.py
 from django.conf import settings
-from django.contrib.auth.models import AbstractUser
+from django.contrib.auth.models import AbstractUser, Group
 from django.db import models
-from django.db.models import BinaryField, DateField
-from django.db.models.signals import post_save
-from django.dispatch import receiver
 from django.utils.datetime_safe import date
-from djangoldp.fields import LDPUrlField
+from djangoldp.models import Model, DynamicNestedField
-from djangoldp.models import Model
+from djangoldp.permissions import ACLPermissions, AuthenticatedOnly, ReadOnly, \
-from djangoldp.permissions import LDPPermissions
+    ReadAndCreate, AnonymousReadOnly, OwnerPermissions, InheritPermissions
+from .permissions import Only2WordsForToto, ReadOnlyStartsWithA
-class User(AbstractUser, Model):
+class User(AbstractUser, Model):
    class Meta(AbstractUser.Meta, Model.Meta):
+        ordering = ['pk']
        serializer_fields = ['@id', 'username', 'first_name', 'last_name', 'email', 'userprofile',
-                             'conversation_set', 'circle_set', 'projects']
+                             'conversation_set','groups', 'projects', 'owned_circles']
-        anonymous_perms = ['view', 'add']
+        permission_classes = [ReadAndCreate|OwnerPermissions]
-        authenticated_perms = ['inherit', 'change']
+        rdf_type = 'foaf:user'
-        owner_perms = ['inherit']
+        nested_fields = ['owned_circles']
 class Skill(Model):
@@ -31,11 +30,12 @@ class Skill(Model):
        return self.joboffer_set.filter(date__gte=date.today())
    class Meta(Model.Meta):
-        anonymous_perms = ['view']
+        ordering = ['pk']
-        authenticated_perms = ['inherit', 'add']
+        permission_classes = [AnonymousReadOnly,ReadAndCreate|OwnerPermissions]
-        owner_perms = ['inherit', 'change', 'delete', 'control']
+        serializer_fields = ["@id", "title", "recent_jobs", "slug", "obligatoire"]
-        serializer_fields = ["@id", "title", "recent_jobs", "slug"]
+        nested_fields = ['joboffer_set']
        lookup_field = 'slug'
+        rdf_type = 'hd:skill'
 class JobOffer(Model):
@@ -51,12 +51,15 @@ class JobOffer(Model):
        return self.skills.all().first()
    class Meta(Model.Meta):
-        anonymous_perms = ['view']
+        ordering = ['pk']
-        authenticated_perms = ['inherit', 'change', 'add']
+        permission_classes = [AnonymousReadOnly, ReadOnly|OwnerPermissions]
-        owner_perms = ['inherit', 'delete', 'control']
        serializer_fields = ["@id", "title", "skills", "recent_skills", "resources", "slug", "some_skill", "urlid"]
+        nested_fields = ['skills', 'resources', 'recent_skills']
        container_path = "job-offers/"
        lookup_field = 'slug'
+        rdf_type = 'hd:joboffer'
+JobOffer.recent_skills.field = DynamicNestedField(Skill, 'recent_skills')
 class Conversation(models.Model):
@@ -64,11 +67,12 @@ class Conversation(models.Model):
    author_user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.DO_NOTHING)
    peer_user = models.ForeignKey(settings.AUTH_USER_MODEL, blank=True, null=True, related_name="peers_conv",
                                  on_delete=models.DO_NOTHING)
+    observers = models.ManyToManyField(settings.AUTH_USER_MODEL, blank=True, related_name='observed_conversations')
    class Meta(Model.Meta):
-        anonymous_perms = ['view']
+        ordering = ['pk']
-        authenticated_perms = ['inherit', 'add']
+        permission_classes = [AnonymousReadOnly,ReadAndCreate|OwnerPermissions]
-        owner_perms = ['inherit', 'change', 'delete', 'control']
+        nested_fields=["message_set", "observers"]
        owner_field = 'author_user'
@@ -77,33 +81,99 @@ class Resource(Model):
    description = models.CharField(max_length=255)
    class Meta(Model.Meta):
-        anonymous_perms = ['view', 'add', 'delete', 'change', 'control']
+        ordering = ['pk']
-        authenticated_perms = ['inherit']
-        owner_perms = ['inherit']
        serializer_fields = ["@id", "joboffers"]
+        nested_fields = ['joboffers']
+        depth = 1
+        rdf_type = 'hd:Resource'
+# a resource in which only the owner has permissions (for testing owner permissions)
+class OwnedResource(Model):
+    description = models.CharField(max_length=255, blank=True, null=True)
+    user = models.ForeignKey(settings.AUTH_USER_MODEL, blank=True, null=True, related_name="owned_resources",
+                             on_delete=models.CASCADE)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [OwnerPermissions]
+        owner_field = 'user'
+        serializer_fields = ['@id', 'description', 'user']
+        nested_fields = ['owned_resources']
+        depth = 1
+class OwnedResourceVariant(Model):
+    description = models.CharField(max_length=255, blank=True, null=True)
+    user = models.ForeignKey(settings.AUTH_USER_MODEL, blank=True, null=True, related_name="owned_variant_resources",
+                             on_delete=models.CASCADE)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [ReadOnly|OwnerPermissions]
+        owner_field = 'user'
+        serializer_fields = ['@id', 'description', 'user']
+        depth = 1
+class OwnedResourceNestedOwnership(Model):
+    description = models.CharField(max_length=255, blank=True, null=True)
+    parent = models.ForeignKey(OwnedResource, blank=True, null=True, related_name="owned_resources",
+                               on_delete=models.CASCADE)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [OwnerPermissions]
+        owner_field = 'parent__user'
+        serializer_fields = ['@id', 'description', 'parent']
+        nested_fields = ['owned_resources']
+        depth = 1
+class OwnedResourceTwiceNestedOwnership(Model):
+    description = models.CharField(max_length=255, blank=True, null=True)
+    parent = models.ForeignKey(OwnedResourceNestedOwnership, blank=True, null=True, related_name="owned_resources",
+                               on_delete=models.CASCADE)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [OwnerPermissions]
+        owner_field = 'parent__parent__user'
+        serializer_fields = ['@id', 'description', 'parent']
        depth = 1
 class UserProfile(Model):
    description = models.CharField(max_length=255, blank=True, null=True)
    user = models.OneToOneField(settings.AUTH_USER_MODEL, related_name='userprofile', on_delete=models.CASCADE)
+    slug = models.SlugField(blank=True, null=True, unique=True)
    class Meta(Model.Meta):
-        anonymous_perms = ['view']
+        ordering = ['pk']
-        authenticated_perms = ['inherit']
+        permission_classes = [AuthenticatedOnly,ReadOnly|OwnerPermissions]
-        owner_perms = ['inherit', 'change', 'control']
+        owner_field = 'user'
+        lookup_field = 'slug'
+        serializer_fields = ['@id', 'description', 'settings', 'user']
        depth = 1
+class NotificationSetting(Model):
+    user = models.OneToOneField(UserProfile, on_delete=models.CASCADE, related_name="settings")
+    receiveMail = models.BooleanField(default=True)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [ReadAndCreate|OwnerPermissions]
 class Message(models.Model):
    text = models.CharField(max_length=255, blank=True, null=True)
    conversation = models.ForeignKey(Conversation, on_delete=models.DO_NOTHING)
    author_user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.DO_NOTHING)
    class Meta(Model.Meta):
-        anonymous_perms = ['view']
+        ordering = ['pk']
-        authenticated_perms = ['inherit', 'add']
+        permission_classes = [AnonymousReadOnly,ReadAndCreate|OwnerPermissions]
-        owner_perms = ['inherit', 'change', 'delete', 'control']
 class Dummy(models.Model):
@@ -111,46 +181,74 @@ class Dummy(models.Model):
    slug = models.SlugField(blank=True, null=True, unique=True)
    class Meta(Model.Meta):
-        anonymous_perms = ['view']
+        ordering = ['pk']
-        authenticated_perms = ['inherit', 'add']
+        permission_classes = [AnonymousReadOnly,ReadAndCreate|OwnerPermissions]
-        owner_perms = ['inherit', 'change', 'delete', 'control']
 class LDPDummy(Model):
    some = models.CharField(max_length=255, blank=True, null=True)
    class Meta(Model.Meta):
-        anonymous_perms = ['view']
+        ordering = ['pk']
-        authenticated_perms = ['inherit', 'add']
+        permission_classes = [AnonymousReadOnly,ReadAndCreate|OwnerPermissions]
-        owner_perms = ['inherit', 'change', 'delete', 'control']
+        nested_fields = ['anons']
-# model used in django-guardian permission tests (no anonymous etc permissions set)
+# model used in django-guardian permission tests (no permission to anyone except suuperusers)
 class PermissionlessDummy(Model):
    some = models.CharField(max_length=255, blank=True, null=True)
    slug = models.SlugField(blank=True, null=True, unique=True)
+    parent = models.ForeignKey(LDPDummy, on_delete=models.DO_NOTHING, related_name="anons", blank=True, null=True)
    class Meta(Model.Meta):
-        anonymous_perms = []
+        ordering = ['pk']
-        authenticated_perms = []
+        permission_classes = [ACLPermissions]
-        owner_perms = []
+        lookup_field='slug'
-        permissions = (
+        permissions = (('custom_permission_permissionlessdummy', 'Custom Permission'),)
-            ('custom_permission_permissionlessdummy', 'Custom Permission'),
-        )
 class Post(Model):
    content = models.CharField(max_length=255)
-    author = models.ForeignKey(UserProfile, blank=True, null=True, on_delete=models.SET_NULL)
+    author = models.ForeignKey(User, blank=True, null=True, on_delete=models.SET_NULL)
    peer_user = models.ForeignKey(settings.AUTH_USER_MODEL, blank=True, null=True, related_name="peers_post",
                                  on_delete=models.SET_NULL)
    class Meta(Model.Meta):
+        ordering = ['pk']
        auto_author = 'author'
-        auto_author_field = 'userprofile'
+        rdf_type = 'hd:post'
-        anonymous_perms = ['view', 'add', 'delete', 'add', 'change', 'control']
-        authenticated_perms = ['inherit']
+class AnonymousReadOnlyPost(Model):
-        owner_perms = ['inherit']
+    content = models.CharField(max_length=255)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [AnonymousReadOnly]
+class AuthenticatedOnlyPost(Model):
+    content = models.CharField(max_length=255)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [AuthenticatedOnly]
+class ReadOnlyPost(Model):
+    content = models.CharField(max_length=255)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [ReadOnly]
+class ReadAndCreatePost(Model):
+    content = models.CharField(max_length=255)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [ReadAndCreate]
+class ANDPermissionsDummy(Model):
+    title = models.CharField(max_length=255)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [ReadOnlyStartsWithA&Only2WordsForToto]
+class ORPermissionsDummy(Model):
+    title = models.CharField(max_length=255)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [ReadOnlyStartsWithA|Only2WordsForToto]
 class Invoice(Model):
@@ -158,22 +256,73 @@ class Invoice(Model):
    date = models.DateField(blank=True, null=True)
    class Meta(Model.Meta):
+        ordering = ['pk']
        depth = 2
-        anonymous_perms = ['view']
+        permission_classes = [AnonymousReadOnly,ReadAndCreate|OwnerPermissions]
-        authenticated_perms = ['inherit', 'add']
+        nested_fields = ['batches']
-        owner_perms = ['inherit', 'change', 'delete', 'control']
 class Circle(Model):
    name = models.CharField(max_length=255, blank=True)
    description = models.CharField(max_length=255, blank=True)
-    team = models.ManyToManyField(settings.AUTH_USER_MODEL, through="CircleMember", blank=True)
    owner = models.ForeignKey(settings.AUTH_USER_MODEL, related_name="owned_circles", on_delete=models.DO_NOTHING, null=True, blank=True)
+    members = models.OneToOneField(Group, related_name="circle", on_delete=models.SET_NULL, null=True, blank=True)
+    admins = models.OneToOneField(Group, related_name="admin_circle", on_delete=models.SET_NULL, null=True, blank=True)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        auto_author = 'owner'
+        depth = 1
+        permission_classes = [AnonymousReadOnly,ReadAndCreate|OwnerPermissions|ACLPermissions]
+        permission_roles = {
+            'members': {'perms': ['view'], 'add_author': True},
+            'admins': {'perms': ['view', 'change', 'control'], 'add_author': True},
+        }
+        serializer_fields = ['@id', 'name', 'description', 'members', 'owner', 'space']
+        rdf_type = 'hd:circle'
+Group._meta.inherit_permissions += ['circle','admin_circle']
+Group._meta.serializer_fields += ['circle', 'admin_circle']
+class RestrictedCircle(Model):
+    name = models.CharField(max_length=255, blank=True)
+    description = models.CharField(max_length=255, blank=True)
+    owner = models.ForeignKey(settings.AUTH_USER_MODEL, related_name="owned_restrictedcircles", on_delete=models.DO_NOTHING, null=True, blank=True)
+    members = models.ForeignKey(Group, related_name="restrictedcircles", on_delete=models.SET_NULL, null=True, blank=True)
+    admins = models.ForeignKey(Group, related_name="admin_restrictedcircles", on_delete=models.SET_NULL, null=True, blank=True)
    class Meta(Model.Meta):
-        anonymous_perms = ['view', 'add', 'delete', 'add', 'change', 'control']
+        ordering = ['pk']
-        authenticated_perms = ["inherit"]
+        auto_author = 'owner'
+        permission_classes = [ACLPermissions]
+        permission_roles = {
+            'members': {'perms': ['view'], 'add_author': True},
+            'admins': {'perms': ['view', 'change', 'control'], 'add_author': True},
+        }
        rdf_type = 'hd:circle'
+class RestrictedResource(Model):
+    content = models.CharField(max_length=255, blank=True)
+    circle = models.ForeignKey(RestrictedCircle, on_delete=models.CASCADE)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [InheritPermissions]
+        inherit_permissions = ['circle']
+class DoubleInheritModel(Model):
+    content = models.CharField(max_length=255, blank=True)
+    ro_ancestor = models.ForeignKey(ReadOnlyPost, on_delete=models.CASCADE, null=True, blank=True)
+    circle = models.ForeignKey(RestrictedCircle, on_delete=models.CASCADE, null=True, blank=True)
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [InheritPermissions]
+        inherit_permissions = ['circle', 'ro_ancestor']
+class Space(Model):
+    name = models.CharField(max_length=255, blank=True)
+    circle = models.OneToOneField(to=Circle, null=True, blank=True, on_delete=models.CASCADE, related_name='space')
+    class Meta(Model.Meta):
+        ordering = ['pk']
 class Batch(Model):
@@ -181,24 +330,11 @@ class Batch(Model):
    title = models.CharField(max_length=255, blank=True, null=True)
    class Meta(Model.Meta):
+        ordering = ['pk']
        serializer_fields = ['@id', 'title', 'invoice', 'tasks']
-        anonymous_perms = ['view', 'add']
+        permission_classes = [ReadAndCreate|OwnerPermissions]
-        authenticated_perms = ['inherit', 'add']
-        owner_perms = ['inherit', 'change', 'delete', 'control']
        depth = 1
+        rdf_type = 'hd:batch'
-class CircleMember(Model):
-    circle = models.ForeignKey(Circle, on_delete=models.CASCADE, related_name='members')
-    user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.CASCADE, related_name="circles")
-    is_admin = models.BooleanField(default=False)
-    class Meta(Model.Meta):
-        container_path = "circle-members/"
-        anonymous_perms = ['view', 'add', 'delete', 'add', 'change', 'control']
-        authenticated_perms = ['inherit']
-        unique_together = ['user', 'circle']
-        rdf_type = 'hd:circlemember'
 class Task(models.Model):
@@ -206,20 +342,30 @@ class Task(models.Model):
    title = models.CharField(max_length=255)
    class Meta(Model.Meta):
+        ordering = ['pk']
        serializer_fields = ['@id', 'title', 'batch']
-        anonymous_perms = ['view']
+        permission_classes = [AnonymousReadOnly,ReadAndCreate|OwnerPermissions]
-        authenticated_perms = ['inherit', 'add']
-        owner_perms = ['inherit', 'change', 'delete', 'control']
+class ModelTask(Model, Task):
+    class Meta(Model.Meta):
+        ordering = ['pk']
+STATUS_CHOICES = [
+    ('Public', 'Public'),
+    ('Private', 'Private'),
+    ('Archived', 'Archived'),
+]
 class Project(Model):
    description = models.CharField(max_length=255, null=True, blank=False)
-    team = models.ManyToManyField(settings.AUTH_USER_MODEL, blank=True, related_name='projects')
+    status = models.CharField(max_length=8, choices=STATUS_CHOICES, default='Private', null=True, blank=True)
+    members = models.ManyToManyField(settings.AUTH_USER_MODEL, blank=True, related_name='projects')
    class Meta(Model.Meta):
-        anonymous_perms = ['view', 'add', 'delete', 'add', 'change', 'control']
+        ordering = ['pk']
-        authenticated_perms = ["inherit"]
        rdf_type = 'hd:project'
+        nested_fields = ['members']
 class DateModel(Model):
@@ -227,6 +373,7 @@ class DateModel(Model):
    value = models.DateField()
    class Meta(Model.Meta):
+        ordering = ['pk']
        rdf_type = "hd:date"
        serializer_fields_exclude = ['excluded']
@@ -235,9 +382,21 @@ class DateChild(Model):
    parent = models.ForeignKey(DateModel, on_delete=models.CASCADE, related_name='children')
    class Meta(Model.Meta):
+        ordering = ['pk']
        rdf_type = 'hd:datechild'
-@receiver(post_save, sender=User)
+class MyAbstractModel(Model):
-def update_perms(sender, instance, created, **kwargs):
+    defaultsomething = models.CharField(max_length=255, blank=True)
-    LDPPermissions.invalidate_cache()
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [ACLPermissions]
+        abstract = True
+        rdf_type = "wow:defaultrdftype"
+class NoSuperUsersAllowedModel(Model):
+    class Meta(Model.Meta):
+        ordering = ['pk']
+        permission_classes = [ACLPermissions]
\ No newline at end of file
No results found