Server-side data with Django

This tutorial shows how to wire Handsontable’s dataProvider plugin to a Django REST Framework (DRF) backend. The backend handles pagination, sorting, and filtering on the server. The frontend displays results and sends all edits back to the API.

View full example on GitHub

Difficulty: Intermediate
Time: ~30 minutes
Backend: Python 3.11+, Django 4+, Django REST Framework 3.14+

What you’ll build

An employee directory grid that:

Loads data page by page from a DRF API
Sorts rows by any column on the server
Filters rows by column value on the server
Creates, updates, and deletes rows via batch API endpoints
Handles Django’s CSRF protection transparently

Before you begin

Install the Python dependencies:

1
pip install django djangorestframework django-cors-headers

Install the JavaScript dependency:

1
npm install handsontable

Step 1 — Set up the Django app

Create a Django project and a employees app:

1
django-admin startproject myproject .
2
python manage.py startapp employees

Why a separate app?
Django apps are self-contained modules. Keeping the employee model, serializer, and views in one app makes the code easier to extend and test independently.

1
INSTALLED_APPS = [
2
    # ...
3
    'rest_framework',
4
    'corsheaders',
5
    'employees',
6
]

Step 2 — Define the Employee model

Create the model in employees/models.py:

1
from django.db import models
2

3
class Employee(models.Model):
4
    first_name = models.CharField(max_length=100)
5
    last_name  = models.CharField(max_length=100)
6
    department = models.CharField(max_length=100)
7
    role       = models.CharField(max_length=100)
8
    salary     = models.DecimalField(max_digits=10, decimal_places=2)
9

10
    class Meta:
11
        ordering = ['last_name', 'first_name']

What’s happening:

DecimalField stores salary without floating-point rounding errors — important for currency values.
ordering in Meta sets the default query order. The OrderingFilter overrides it when the user sorts a column.
Django automatically adds an id primary key. This becomes the rowId value on the frontend.

Run migrations to create the database table:

1
python manage.py makemigrations employees
2
python manage.py migrate

Step 3 — Seed the database

Create the seed command file at employees/management/commands/seed.py (see server/seed_command.py in this recipe) and run it:

1
python manage.py seed

The command inserts 50 realistic employee records. It checks whether data already exists, so running it twice does not duplicate rows.

Step 4 — Write the serializer

Create employees/serializers.py:

1
from rest_framework import serializers
2
from .models import Employee
3

4
class EmployeeSerializer(serializers.ModelSerializer):
5
    class Meta:
6
        model  = Employee
7
        fields = ['id', 'first_name', 'last_name', 'department', 'role', 'salary']
8
        read_only_fields = ['id']

What’s happening:

ModelSerializer inspects the model and generates field definitions and validation rules automatically.
id is read-only because the database assigns it — the frontend never sends one for new rows.
The fields list controls which columns appear in the API response and therefore which columns Handsontable receives.

Step 5 — Configure pagination

Create employees/pagination.py:

1
from rest_framework.pagination import PageNumberPagination
2
from rest_framework.response import Response
3

4
class EmployeePagination(PageNumberPagination):
5
    page_size = 10
6
    page_size_query_param = 'pageSize'  # matches Handsontable's default param name
7
    max_page_size = 100
8

9
    def get_paginated_response(self, data):
10
        return Response({
11
            'rows':      data,
12
            'totalRows': self.page.paginator.count,
13
        })

Why a custom pagination class?

DRF’s default response shape is { count, next, previous, results }. Handsontable’s dataProvider expects { rows, totalRows }. Overriding get_paginated_response converts the shape on the server side, so the fetchRows callback on the frontend can return res.json() without any extra transformation.

Why page_size_query_param = 'pageSize'?

Handsontable sends ?pageSize=10 automatically. DRF’s default param name is page_size. Setting page_size_query_param = 'pageSize' lets DRF read Handsontable’s value directly, so no URL translation is needed in fetchRows.

Step 6 — Write the ViewSet

Create employees/views.py. The key parts are the sort translation and the three batch CRUD actions.

Sort translation

Handsontable sends ?sort[prop]=salary&sort[order]=desc. DRF’s OrderingFilter expects ?ordering=-salary. Translate in get_queryset:

1
sort_prop  = self.request.query_params.get('sort[prop]')
2
sort_order = self.request.query_params.get('sort[order]', 'asc')
3

4
if sort_prop and sort_prop in self.ordering_fields:
5
    ordering = sort_prop if sort_order == 'asc' else f'-{sort_prop}'
6
    self.request._request.GET = self.request._request.GET.copy()
7
    self.request._request.GET['ordering'] = ordering

What’s happening:

Read Handsontable’s sort[prop] and sort[order] params.
Prepend - for descending order (DRF convention).
Inject the translated value into the mutable query params copy so OrderingFilter picks it up as if the frontend had sent ?ordering= directly.

Filter translation

Handsontable sends filters as:

1
?filters[0][prop]=department&filters[0][value]=Engineering&filters[0][condition]=eq

Parse these and build a Django Q object:

1
q = Q()
2
index = 0
3

4
while index < 20:
5
    prefix    = f'filters[{index}]'
6
    prop      = self.request.query_params.get(f'{prefix}[prop]')
7
    value     = self.request.query_params.get(f'{prefix}[value]')
8
    condition = self.request.query_params.get(f'{prefix}[condition]', 'contains')
9

10
    if prop is None:
11
        break
12

13
    lookup_map = {
14
        'contains':     f'{prop}__icontains',
15
        'not_contains': f'{prop}__icontains',  # negated below
16
        'eq':           f'{prop}__iexact',
17
        'begins_with':  f'{prop}__istartswith',
18
        'ends_with':    f'{prop}__iendswith',
19
        'gte':          f'{prop}__gte',
20
        'lte':          f'{prop}__lte',
21
    }
22

23
    lookup = lookup_map.get(condition)
24

25
    if lookup:
26
        if condition in ('not_contains',):
27
            q &= ~Q(**{lookup: value})
28
        else:
29
            q &= Q(**{lookup: value})
30

31
    index += 1
32

33
return queryset.filter(q)

What’s happening:

The loop reads up to 20 filter conditions from the query string. Multiple conditions are combined with AND using &=.
icontains, istartswith, and iendswith are case-insensitive Django ORM lookups.
not_contains negates the Q object with ~.
gte and lte work for numeric fields like salary.

Batch CRUD endpoints

Standard REST conventions use single-resource endpoints (POST /employees/, DELETE /employees/{id}/). Handsontable’s dataProvider sends all mutations as arrays in a single request. A DRF @action solves this without creating a separate URL pattern by hand:

1
@action(detail=False, methods=['post'], url_path='create-rows')
2
def create_rows(self, request):
3
    serializer = EmployeeSerializer(data=request.data, many=True)
4
    serializer.is_valid(raise_exception=True)
5
    serializer.save()
6
    return Response(serializer.data, status=201)
7

8
@action(detail=False, methods=['patch'], url_path='update-rows')
9
def update_rows(self, request):
10
    updated = []
11
    for row in request.data:
12
        employee = Employee.objects.get(pk=row['id'])
13
        serializer = EmployeeSerializer(employee, data=row, partial=True)
14
        serializer.is_valid(raise_exception=True)
15
        serializer.save()
16
        updated.append(serializer.data)
17
    return Response(updated)
18

19
@action(detail=False, methods=['delete'], url_path='remove-rows')
20
def remove_rows(self, request):
21
    deleted_count, _ = Employee.objects.filter(pk__in=request.data).delete()
22
    return Response({'deleted': deleted_count})

What’s happening:

detail=False registers the action at the list URL (/api/employees/) instead of the detail URL (/api/employees/{id}/).
many=True on the serializer tells DRF to accept and validate an array of objects at once.
partial=True in update_rows allows updating a subset of fields without requiring all fields to be present.
filter(pk__in=ids).delete() removes multiple rows in a single SQL statement.

Why not use standard DELETE /api/employees/{id}/ for each row?

Deleting N rows individually requires N requests. A single batch request is faster and reduces network round trips.

Step 7 — Register URLs

Create employees/urls.py:

1
from django.urls import include, path
2
from rest_framework.routers import DefaultRouter
3
from .views import EmployeeViewSet
4

5
router = DefaultRouter()
6
router.register(r'employees', EmployeeViewSet, basename='employee')
7

8
urlpatterns = [
9
    path('api/', include(router.urls)),
10
]

Include this in your project’s root urls.py:

1
from django.urls import include, path
2

3
urlpatterns = [
4
    path('', include('employees.urls')),
5
]

DefaultRouter generates all standard and custom action URLs automatically. You can verify the registered routes by visiting http://localhost:8000/api/ in a browser.

Step 8 — Configure CORS

The browser blocks cross-origin requests by default. Add django-cors-headers to allow requests from the frontend development server:

1
MIDDLEWARE = [
2
    'corsheaders.middleware.CorsMiddleware',
3
    'django.middleware.common.CommonMiddleware',
4
    # ... rest of your middleware ...
5
]
6

7
CORS_ALLOWED_ORIGINS = [
8
    'http://localhost:5173',   # Vite dev server
9
    'http://localhost:3000',   # CRA / Next.js dev server
10
]

Why must CorsMiddleware come before CommonMiddleware?
CorsMiddleware needs to intercept the preflight OPTIONS request before Django’s routing logic handles it. Placing it after CommonMiddleware can result in missing CORS headers on preflight responses.

Production note: Replace the dev server origins with your actual production domain. Never set CORS_ALLOW_ALL_ORIGINS = True in production.

Step 9 — Handle CSRF in the frontend

Django protects mutating endpoints with a CSRF token. It sets a csrftoken cookie on every response. Read it and include it in the X-CSRFToken header for every POST, PATCH, or DELETE request:

1
function getCsrfToken() {
2
  return document.cookie
3
    .split('; ')
4
    .find((row) => row.startsWith('csrftoken='))
5
    ?.split('=')[1];
6
}

Pass the token in the request headers:

1
headers: {
2
  'Content-Type': 'application/json',
3
  'X-CSRFToken': getCsrfToken(),
4
},

Why a cookie instead of a hidden form field?
Handsontable uses fetch(), not HTML form submission. Reading the token from the cookie (SameSite + CSRF double-submit pattern) works with any JavaScript HTTP client without server-side template changes.

Step 10 — Build the URL for fetchRows

Handsontable’s dataProvider calls fetchRows with a { page, pageSize, sort, filters } object. Translate these into query string parameters:

1
function buildUrl(base, { page, pageSize, sort, filters }) {
2
  const params = new URLSearchParams();
3

4
  params.set('page', page);
5
  params.set('pageSize', pageSize);
6

7
  if (sort?.prop) {
8
    params.set('sort[prop]', sort.prop);
9
    params.set('sort[order]', sort.order ?? 'asc');
10
  }
11

12
  if (filters?.length) {
13
    filters.forEach(({ prop, value, condition }, i) => {
14
      params.set(`filters[${i}][prop]`, prop);
15
      params.set(`filters[${i}][value]`, value);
16
      params.set(`filters[${i}][condition]`, condition);
17
    });
18
  }
19

20
  return `${base}?${params.toString()}`;
21
}

What’s happening:

page and pageSize are sent as-is. DRF reads pageSize directly because page_size_query_param = 'pageSize' was set in Step 5.
sort is split into sort[prop] and sort[order]. The Django view reassembles them into DRF’s ordering param (see Step 6).
Each filter condition becomes a filters[N][prop], filters[N][value], filters[N][condition] triplet. The Django view parses this indexed format in a loop.

Step 11 — Initialize Handsontable

Wire everything together in the dataProvider configuration:

1
const hot = new Handsontable(container, {
2
  dataProvider: {
3
    rowId: 'id',
4

5
    fetchRows: async ({ page, pageSize, sort, filters }, { signal }) => {
6
      const url = buildUrl('http://localhost:8000/api/employees/', {
7
        page, pageSize, sort, filters,
8
      });
9
      const res = await fetch(url, { signal });
10

11
      if (!res.ok) throw new Error(`Fetch failed: ${res.status}`);
12

13
      // pagination.py already maps { count, results } to { rows, totalRows }.
14
      return res.json();
15
    },
16

17
    onRowsCreate: async (rows) => {
18
      const res = await fetch('.../create-rows/', {
19
        method: 'POST',
20
        headers: { 'Content-Type': 'application/json', 'X-CSRFToken': getCsrfToken() },
21
        body: JSON.stringify(rows),
22
      });
23
      return res.json(); // return created rows so dataProvider updates its row map
24
    },
25

26
    onRowsUpdate: async (rows) => {
27
      await fetch('.../update-rows/', {
28
        method: 'PATCH',
29
        headers: { 'Content-Type': 'application/json', 'X-CSRFToken': getCsrfToken() },
30
        body: JSON.stringify(rows),
31
      });
32
    },
33

34
    onRowsRemove: async (rowIds) => {
35
      await fetch('.../remove-rows/', {
36
        method: 'DELETE',
37
        headers: { 'Content-Type': 'application/json', 'X-CSRFToken': getCsrfToken() },
38
        body: JSON.stringify(rowIds),
39
      });
40
    },
41
  },
42

43
  pagination:    { pageSize: 10 },
44
  columnSorting: true,
45
  filters:       true,
46
  dropdownMenu:  ['filter_by_condition', 'filter_action_bar'],
47
  emptyDataState: true,
48
  notification:  true,
49

50
  colHeaders: ['First Name', 'Last Name', 'Department', 'Role', 'Salary'],
51
  columns: [
52
    { data: 'first_name', type: 'text' },
53
    { data: 'last_name',  type: 'text' },
54
    { data: 'department', type: 'text' },
55
    { data: 'role',       type: 'text' },
56
    { data: 'salary',     type: 'numeric', numericFormat: { pattern: '$0,0' } },
57
  ],
58

59
  rowHeaders: true,
60
  licenseKey: 'non-commercial-and-evaluation',
61
});

@code

Key options explained:

Option	What it does
`rowId: 'id'`	Tells `dataProvider` which field identifies a row. Must match the serializer field name.
`{ signal }` in `fetchRows`	Pass the `AbortSignal` to `fetch()` so in-flight requests are cancelled when the user sorts or filters before the previous response arrives.
`return res.json()` in `onRowsCreate`	Return the server response so `dataProvider` can update its internal row map with the server-assigned `id` values.
`pagination: { pageSize: 10 }`	Enables the pagination toolbar. `dataProvider` sends the current page and size to `fetchRows` automatically.
`columnSorting: true`	Enables column header click-to-sort. The sort state is passed to `fetchRows` on each change.
`filters: true`	Enables the column filter UI. Active conditions are passed to `fetchRows` on each change.
`emptyDataState: true`	Shows a friendly illustration when `fetchRows` returns zero rows (for example, when a filter matches nothing).
`notification: true`	Shows automatic error toast notifications when `fetchRows` or a mutation callback throws. Fetch failures include a Refetch action.

How it works — Complete flow

Initial load: dataProvider calls fetchRows({ page: 1, pageSize: 10 }). The view returns the first 10 rows and the total row count.
User clicks a column header: columnSorting updates its sort state and dataProvider calls fetchRows again with sort: { prop: 'salary', order: 'desc' }. The Django view translates this to ?ordering=-salary for OrderingFilter.
User applies a column filter: The filter UI updates its condition list and dataProvider calls fetchRows with the filters array. The Django view parses filters[0][prop], filters[0][value], and filters[0][condition] into a Django Q object.
User navigates to page 2: dataProvider calls fetchRows({ page: 2, pageSize: 10, ... }).
User edits a cell: dataProvider collects all changed cells for that row and calls onRowsUpdate with [{ id: 7, salary: 102000 }]. The update-rows endpoint applies a partial update.
User adds a row: dataProvider calls onRowsCreate with the new row values. The create-rows endpoint inserts the row and returns it with an id. dataProvider updates its internal map so future edits use the correct id.
User deletes rows: dataProvider calls onRowsRemove with the selected row ids. The remove-rows endpoint deletes all matching rows in a single SQL statement.

What you learned

DRF’s default response shape ({ count, results }) differs from what dataProvider expects ({ rows, totalRows }). Override get_paginated_response in a custom pagination class to map the shape on the server.
Set page_size_query_param = 'pageSize' so DRF reads Handsontable’s parameter name directly.
Translate Handsontable’s sort[prop] + sort[order] params to DRF’s ordering param in get_queryset before OrderingFilter runs.
Parse Handsontable’s indexed filters[N][...] params into Django Q objects to support column-level filtering.
Use DRF @action endpoints for batch CRUD instead of single-resource REST routes.
Read Django’s CSRF token from the csrftoken cookie and include it as the X-CSRFToken header in all mutating requests.
Place CorsMiddleware before CommonMiddleware so preflight requests receive CORS headers.

Next steps

Server-side data documentation — full dataProvider API reference
Rows pagination guide
Column filter guide
Rows sorting guide