API appears to accept any user when creating objects, but always sets to request.user

[boulderdave]

Because the serializer does not have "user" as a read only field, the API asks for a user (which would be a security/abuse concern) - and then overwrites it with request.user (which is great - and is not a security/abuse concern).

For example: https://github.com/tixdo/votes/blob/master/votes/api.py#L39

I would suggest setting read_only on 'user' on the serializer.