Downgrade DRF to 3.8.2

**Purpose**

3.9.0 has a known issue where the browsable API
renders unescaped HTML

encode/django-rest-framework#6191 (comment)

**Changes**

Downgrade DRF to latest 3.8.x release

**QA Notes**

Check https://api.osf.io/v2/schemas/registrations/
to make sure that the Browsable API isn't rendering
HTML in the responses

**Ticket**

No ticket

Author: sloria

api_tests/base/test_versioning.py

@@ -116,15 +116,15 @@ def test_browsable_api_defaults_to_latest(self, app):
         url = '/v2/?format=api'
         res = app.get(url)
         assert res.status_code == 200
-        assert '"version": "{}"'.format(
+        assert '"version": "{}&quot'.format(
             LATEST_VERSIONS[2]
         ) in res.body
 
     def test_browsable_api_query_version(self, app):
         url = '/v2/?format=api&version=2.5'
         res = app.get(url)
         assert res.status_code == 200
-        assert '"version": "2.5"' in res.body
+        assert '"version": "2.5&quot' in res.body
 
     def test_json_defaults_to_default(self, app):
         url = '/v2/?format=json'

api_tests/nodes/views/test_node_contributors_list.py

@@ -2084,7 +2084,7 @@ def test_bulk_update_contributors_errors(
             auth=user.auth,
             expect_errors=True, bulk=True)
         assert res.status_code == 400
-        assert res.json['errors'][0]['detail'] == 'Must be a valid boolean.'
+        assert res.json['errors'][0]['detail'] == '"true and false" is not a valid boolean.'
 
         res = app.get(url_public, auth=user.auth)
         data = res.json['data']
@@ -2502,7 +2502,7 @@ def test_bulk_partial_update_errors(
             auth=user.auth,
             expect_errors=True, bulk=True)
         assert res.status_code == 400
-        assert res.json['errors'][0]['detail'] == 'Must be a valid boolean.'
+        assert res.json['errors'][0]['detail'] == '"true and false" is not a valid boolean.'
 
         res = app.get(url_public, auth=user.auth)
         data = res.json['data']

api_tests/registrations/views/test_registration_detail.py

@@ -322,7 +322,7 @@ def test_fields(
             auth=user.auth,
             expect_errors=True)
         assert res.status_code == 400
-        assert res.json['errors'][0]['detail'] == 'Must be a valid boolean.'
+        assert res.json['errors'][0]['detail'] == '"Dr.Strange" is not a valid boolean.'
 
     #   test_fields_other_than_public_are_ignored
         attribute_list = {

api_tests/users/views/test_user_settings_detail.py

@@ -80,7 +80,7 @@ def test_update_two_factor_enabled(self, app, user_one, url, payload):
         payload['data']['attributes']['two_factor_enabled'] = 'Yes'
         res = app.patch_json_api(url, payload, auth=user_one.auth, expect_errors=True)
         assert res.status_code == 400
-        assert res.json['errors'][0]['detail'] == 'Must be a valid boolean.'
+        assert res.json['errors'][0]['detail'] == '"Yes" is not a valid boolean.'
 
         # Already disabled - nothing happens, still disabled
         payload['data']['attributes']['two_factor_enabled'] = False
@@ -194,7 +194,7 @@ def test_bad_payload_patch_400(self, app, user_one, bad_payload, url):
         res = app.patch_json_api(url, bad_payload, auth=user_one.auth, expect_errors=True)
 
         assert res.status_code == 400
-        assert res.json['errors'][0]['detail'] == u'Must be a valid boolean.'
+        assert res.json['errors'][0]['detail'] == u'"22" is not a valid boolean.'
 
     def test_anonymous_patch_401(self, app, url, payload):
         res = app.patch_json_api(url, payload, expect_errors=True)

requirements.txt

@@ -66,7 +66,7 @@ raven==5.32.0
 
 # API requirements
 Django==1.11.15  # pyup: <2.0 # Remove this when we're on Py3
-djangorestframework==3.9.0
+djangorestframework==3.8.2
 django-cors-headers==2.1.0
 djangorestframework-bulk==0.2.1
 hashids==1.2.0