Because the serializer does not have "user" as a read only field, the API asks for a user (which would be a security/abuse concern) - and then overwrites it with request.user (which is great - and is not a security/abuse concern).
For example: https://github.com/tixdo/votes/blob/master/votes/api.py#L39
I would suggest setting read_only on 'user' on the serializer.
Because the serializer does not have "user" as a read only field, the API asks for a user (which would be a security/abuse concern) - and then overwrites it with request.user (which is great - and is not a security/abuse concern).
For example: https://github.com/tixdo/votes/blob/master/votes/api.py#L39
I would suggest setting read_only on 'user' on the serializer.