django-basic-form-builder 0.1.3__tar.gz → 0.1.4__tar.gz

{django_basic_form_builder-0.1.3 → django_basic_form_builder-0.1.4}/CHANGELOG.md

@@ -5,6 +5,22 @@ All notable changes to django-basic-form-builder will be documented in this file
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.4] - 2026-03-03
+
+### Security
+
+- **High**: Enforced `has_view_permission()` model-level checks within the `preview_view` endpoint to prevent low-privileged staff accounts from viewing draft form definitions.
+- **Medium**: Removed hardcoded `authentication_classes = []` and `permission_classes = []` on the public API endpoint (`FormSchemaView`). The API now respects the host-project's defaults unless `FORMBUILDER_API_ANONYMOUS = True` is set.
+- **Medium**: Tightened permissive schema configuration validation to prevent misinterpretation or Denial-of-Service attacks in downstream consumers.
+  - Rejected booleans for integer/numeric config fields since `bool` is a subclass of `int`.
+  - Enforced a 500-character max length on regex patterns and validated compilation with `re.compile()`.
+  - Added full ISO parsing for `minDate`/`maxDate` and strict format whitelisting for dates.
+
+### Documentation
+
+- Added a warning note about `bulk_create` caveats in relation to single-default invariants within the `FieldOption` model.
+- Further clarified the test site `settings.py` usage constraints.
+
 ## [0.1.3] - 2026-02-09
 
 ### Changed

{django_basic_form_builder-0.1.3 → django_basic_form_builder-0.1.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: django-basic-form-builder
-Version: 0.1.3
+Version: 0.1.4
 Summary: Reusable Django app for building JSON-driven forms via the admin
 Author-email: Göktürk Burak Köse <02macaw.others@icloud.com>
 License-Expression: MIT

{django_basic_form_builder-0.1.3 → django_basic_form_builder-0.1.4}/RELEASE_NOTES.md

@@ -1,10 +1,23 @@
-# Release Notes - v0.1.0
+# Release Notes
 
-## Overview
+## v0.1.4 - 2026-03-03
 
-This is the initial release of django-basic-form-builder, a reusable Django app that enables dynamic form creation through the Django admin with JSON schema generation for frontend consumption.
+### Overview
 
-## What's Completed ✅
+Version 0.1.4 is a critical security-focused patch release addressing vulnerabilities identified in the 2026-03-03 security review. It enforces strict model-level permissions for admin preview endpoints, respects application-level API configurations by default, and implements comprehensive schema type validation and compilation to secure applications against arbitrary or malformed input payloads.
+
+### What's Changed ✅
+
+- Enforced permission checks (`has_view_permission()`) on the admin `preview_view` endpoint.
+- Handled API endpoint access dynamically using DRF's default configurations. Restored via `FORMBUILDER_API_ANONYMOUS = True` if required.
+- Implemented tight restriction on Boolean conversions for integer/numeric types within `models.py` configuration validations.
+- Explicit Regex compilation with `re.compile()` and a 500-character upper ceiling constraint to prevent ReDoS payloads.
+- Added strict format options and verified parsing logic for `minDate`/`maxDate` in configurations.
+- Improved documentation with `FieldOption` model warnings about bulk operations and updated the `formbuilder_test_site` environments.
+
+## v0.1.0 - Initial Release
+
+### Overview
 
 ### Core Features
 
@@ -144,8 +157,8 @@ For issues, questions, or contributions, please refer to:
 
 ## Version Information
 
-- **Version**: 0.1.0
-- **Release Date**: February 9, 2026
+- **Latest Version**: 0.1.4
+- **Release Date**: March 3, 2026
 - **Django**: 5.1+
 - **DRF**: 3.15+
 - **Python**: 3.12+

{django_basic_form_builder-0.1.3 → django_basic_form_builder-0.1.4}/django_basic_form_builder.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: django-basic-form-builder
-Version: 0.1.3
+Version: 0.1.4
 Summary: Reusable Django app for building JSON-driven forms via the admin
 Author-email: Göktürk Burak Köse <02macaw.others@icloud.com>
 License-Expression: MIT

{django_basic_form_builder-0.1.3 → django_basic_form_builder-0.1.4}/formbuilder/admin.py

@@ -4,7 +4,7 @@ import contextlib
 
 from django import forms
 from django.contrib import admin
-from django.core.exceptions import ValidationError
+from django.core.exceptions import PermissionDenied, ValidationError
 from django.http import JsonResponse
 from django.shortcuts import get_object_or_404
 from django.urls import path, reverse
@@ -298,6 +298,8 @@ class CustomFormAdmin(admin.ModelAdmin):
 
     def preview_view(self, request, pk, *args, **kwargs):
         custom_form = get_object_or_404(CustomForm, pk=pk)
+        if not self.has_view_permission(request, custom_form):
+            raise PermissionDenied
         if not custom_form.json_schema:
             custom_form.generate_schema(commit=True)
         return JsonResponse(custom_form.json_schema)

{django_basic_form_builder-0.1.3 → django_basic_form_builder-0.1.4}/formbuilder/api/views.py

@@ -5,6 +5,7 @@ from django.http import Http404
 from django.shortcuts import get_object_or_404
 from drf_spectacular.utils import extend_schema
 from rest_framework.response import Response
+from rest_framework.settings import api_settings
 from rest_framework.views import APIView
 
 from ..models import CustomForm
@@ -12,8 +13,20 @@ from .serializers import FormSchemaSerializer
 
 
 class FormSchemaView(APIView):
-    authentication_classes: list = []
-    permission_classes: list = []
+    # By default, authentication and permission classes are inherited from
+    # DRF defaults (i.e. the host project's REST_FRAMEWORK settings).
+    # Set FORMBUILDER_API_ANONYMOUS = True in Django settings to allow
+    # unauthenticated access (restores pre-0.1.4 behavior).
+
+    def get_authenticators(self):
+        if getattr(settings, "FORMBUILDER_API_ANONYMOUS", False):
+            return []
+        return [auth() for auth in api_settings.DEFAULT_AUTHENTICATION_CLASSES]
+
+    def get_permissions(self):
+        if getattr(settings, "FORMBUILDER_API_ANONYMOUS", False):
+            return []
+        return [permission() for permission in api_settings.DEFAULT_PERMISSION_CLASSES]
 
     @extend_schema(responses=FormSchemaSerializer)
     def get(self, request, slug: str, *args, **kwargs):
@@ -27,3 +40,5 @@ class FormSchemaView(APIView):
         )
         serializer = FormSchemaSerializer(instance=custom_form.json_schema)
         return Response(serializer.data)
+
+

{django_basic_form_builder-0.1.3 → django_basic_form_builder-0.1.4}/formbuilder/models.py

@@ -1,5 +1,7 @@
 from __future__ import annotations
 
+import datetime
+import re
 from collections.abc import Iterable
 from numbers import Number
 from typing import Any
@@ -195,6 +197,14 @@ class FormField(models.Model):
         for key, allowed_types in self.FIELD_CONFIG_SCHEMA.get(self.field_type, {}).items():
             if key not in config:
                 continue
+            # Reject bool for non-bool fields (bool is a subclass of int)
+            if isinstance(config[key], bool) and bool not in allowed_types:
+                raise ValidationError(
+                    {
+                        "config": _("%(key)s must not be a boolean.")
+                        % {"key": key}
+                    }
+                )
             if not isinstance(config[key], tuple(allowed_types)):
                 raise ValidationError(
                     {
@@ -210,6 +220,7 @@ class FormField(models.Model):
         config = self.config or {}
         if self.field_type == self.FieldType.TEXT:
             self._ensure_min_max_relationship(config, "minLength", "maxLength")
+            self._validate_regex_pattern(config)
         elif self.field_type == self.FieldType.NUMBER:
             self._validate_numeric_config(config)
         elif self.field_type == self.FieldType.TEXTAREA:
@@ -271,13 +282,50 @@ class FormField(models.Model):
                 {"config": _("Rating style must be one of: stars, numeric, emoji.")}
             )
 
+    _MAX_REGEX_LENGTH = 500
+
+    def _validate_regex_pattern(self, config: dict[str, Any]) -> None:
+        pattern = config.get("pattern")
+        if not pattern:
+            return
+        if len(pattern) > self._MAX_REGEX_LENGTH:
+            raise ValidationError(
+                {"config": _("pattern is too long (max %(max)d characters).") % {"max": self._MAX_REGEX_LENGTH}}
+            )
+        try:
+            re.compile(pattern)
+        except re.error as exc:
+            raise ValidationError(
+                {"config": _("pattern is not a valid regex: %(err)s") % {"err": str(exc)}}
+            ) from exc
+
+    ALLOWED_DATE_FORMATS = frozenset({"YYYY-MM-DD", "DD/MM/YYYY", "MM/DD/YYYY", "DD.MM.YYYY"})
+
     def _validate_date_config(self, config: dict[str, Any]) -> None:
-        min_date = config.get("minDate")
-        max_date = config.get("maxDate")
-        # Basic validation - actual date parsing would happen in frontend/submission
-        if min_date and max_date:
-            # Could add date comparison if needed
-            pass
+        for key in ("minDate", "maxDate"):
+            value = config.get(key)
+            if value:
+                try:
+                    datetime.date.fromisoformat(value)
+                except (ValueError, TypeError) as exc:
+                    raise ValidationError(
+                        {"config": _("%(key)s must be a valid ISO date (YYYY-MM-DD).") % {"key": key}}
+                    ) from exc
+
+        fmt = config.get("format")
+        if fmt and fmt not in self.ALLOWED_DATE_FORMATS:
+            raise ValidationError(
+                {
+                    "config": _("format must be one of: %(formats)s")
+                    % {"formats": ", ".join(sorted(self.ALLOWED_DATE_FORMATS))}
+                }
+            )
+
+        min_date_str = config.get("minDate")
+        max_date_str = config.get("maxDate")
+        if min_date_str and max_date_str:
+            if datetime.date.fromisoformat(min_date_str) > datetime.date.fromisoformat(max_date_str):
+                raise ValidationError({"config": _("minDate cannot be after maxDate.")})
 
     def _validate_dropdown_config(self, config: dict[str, Any]) -> None:
         """Legacy method - kept for backward compatibility with old config-based options"""
@@ -302,7 +350,14 @@ class FormField(models.Model):
 
 
 class FieldOption(models.Model):
-    """Options for dropdown, radio, and checkbox fields"""
+    """Options for dropdown, radio, and checkbox fields.
+
+    Note: The single-default invariant for radio/dropdown fields is enforced in
+    ``clean()``, which is called by ``save()`` via ``full_clean()``. Code paths
+    that bypass ``save()`` (e.g. ``bulk_create``, raw SQL, or ``update()``)
+    will NOT enforce this constraint. Always use ``save()`` or call
+    ``full_clean()`` explicitly when creating or updating options.
+    """
 
     field = models.ForeignKey(
         FormField,

{django_basic_form_builder-0.1.3 → django_basic_form_builder-0.1.4}/formbuilder/tests/test_admin.py

@@ -52,3 +52,29 @@ def test_preview_view_returns_json(custom_form: CustomForm, db):
 
     assert response.status_code == 200
     assert response.json()["fields"][0]["id"] == "email"
+
+
+def test_preview_view_forbidden_without_view_permission(custom_form: CustomForm, db):
+    """Staff user without view_customform permission should get 403."""
+    FormField.objects.create(
+        custom_form=custom_form,
+        label="Email",
+        slug="email",
+        field_type=FormField.FieldType.TEXT,
+        position=1,
+        required=True,
+        config={"inputMode": "email"},
+    )
+    custom_form.refresh_from_db()
+
+    user_model = auth.get_user_model()
+    user_model.objects.create_user(
+        username="staffuser", email="staff@example.com", password="pass", is_staff=True
+    )
+    client = Client()
+    assert client.login(username="staffuser", password="pass")
+
+    url = reverse("admin:formbuilder_customform_preview", args=[custom_form.pk])
+    response = client.get(url)
+
+    assert response.status_code == 403

{django_basic_form_builder-0.1.3 → django_basic_form_builder-0.1.4}/formbuilder/tests/test_api.py

@@ -63,3 +63,37 @@ def test_api_filters_unpublished_forms(custom_form: CustomForm):
     response = client.get("/api/forms/contact-form/")
 
     assert response.status_code == 404
+
+
+@override_settings(
+    FORMBUILDER_API_ANONYMOUS=False,
+    REST_FRAMEWORK={
+        "DEFAULT_PERMISSION_CLASSES": [
+            "rest_framework.permissions.IsAuthenticated",
+        ],
+        "DEFAULT_RENDERER_CLASSES": [
+            "rest_framework.renderers.JSONRenderer",
+        ],
+        "DEFAULT_PARSER_CLASSES": [
+            "rest_framework.parsers.JSONParser",
+        ],
+        "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
+    },
+)
+def test_api_respects_drf_defaults_when_not_anonymous(custom_form: CustomForm):
+    """When FORMBUILDER_API_ANONYMOUS is False, DRF defaults should apply."""
+    FormField.objects.create(
+        custom_form=custom_form,
+        label="Email",
+        slug="email",
+        field_type=FormField.FieldType.TEXT,
+        position=1,
+        required=True,
+        config={"inputMode": "email"},
+    )
+    _publish_form(custom_form)
+
+    client = APIClient()
+    response = client.get("/api/forms/contact-form/")
+
+    assert response.status_code == 403

{django_basic_form_builder-0.1.3 → django_basic_form_builder-0.1.4}/formbuilder/tests/test_models.py

@@ -258,3 +258,125 @@ def test_dropdown_cannot_have_multiple_defaults(custom_form: CustomForm):
 
     assert "is_default" in exc_info.value.error_dict
     assert "Only one default option is allowed for this field." in str(exc_info.value)
+
+
+# -- Validation hardening regression tests (Finding 3) --
+
+
+@pytest.mark.parametrize(
+    "field_type, config",
+    [
+        (FormField.FieldType.TEXT, {"minLength": True}),
+        (FormField.FieldType.TEXT, {"maxLength": True}),
+        (FormField.FieldType.TEXTAREA, {"rows": True}),
+        (FormField.FieldType.NUMBER, {"step": True}),
+        (FormField.FieldType.CHECKBOX, {"minSelections": True}),
+        (FormField.FieldType.RATING, {"scale": True}),
+    ],
+)
+def test_boolean_rejected_for_numeric_fields(custom_form: CustomForm, field_type, config):
+    """bool values must not pass validation for integer/numeric config keys."""
+    field = FormField(
+        custom_form=custom_form,
+        label="Test",
+        slug="test-bool",
+        field_type=field_type,
+        position=1,
+        config=config,
+    )
+    with pytest.raises(ValidationError) as exc_info:
+        field.full_clean()
+    assert "must not be a boolean" in str(exc_info.value)
+
+
+def test_invalid_regex_pattern_rejected(custom_form: CustomForm):
+    """Malformed regex patterns must be rejected."""
+    field = FormField(
+        custom_form=custom_form,
+        label="Name",
+        slug="name",
+        field_type=FormField.FieldType.TEXT,
+        position=1,
+        config={"pattern": "([a-z+"},
+    )
+    with pytest.raises(ValidationError) as exc_info:
+        field.full_clean()
+    assert "not a valid regex" in str(exc_info.value)
+
+
+def test_regex_pattern_too_long_rejected(custom_form: CustomForm):
+    """Regex patterns exceeding max length must be rejected."""
+    field = FormField(
+        custom_form=custom_form,
+        label="Name",
+        slug="name",
+        field_type=FormField.FieldType.TEXT,
+        position=1,
+        config={"pattern": "a" * 501},
+    )
+    with pytest.raises(ValidationError) as exc_info:
+        field.full_clean()
+    assert "too long" in str(exc_info.value)
+
+
+def test_valid_regex_pattern_accepted(custom_form: CustomForm):
+    """A valid regex pattern should pass validation."""
+    field = FormField(
+        custom_form=custom_form,
+        label="Name",
+        slug="name",
+        field_type=FormField.FieldType.TEXT,
+        position=1,
+        config={"pattern": "^[a-zA-Z]+$"},
+    )
+    field.full_clean()
+
+
+@pytest.mark.parametrize(
+    "config",
+    [
+        {"minDate": "not-a-date"},
+        {"maxDate": "2020-99-99"},
+        {"format": "%Q"},
+    ],
+)
+def test_invalid_date_config_rejected(custom_form: CustomForm, config):
+    """Invalid date strings and unsupported formats must be rejected."""
+    field = FormField(
+        custom_form=custom_form,
+        label="Birthday",
+        slug="birthday",
+        field_type=FormField.FieldType.DATE,
+        position=1,
+        config=config,
+    )
+    with pytest.raises(ValidationError):
+        field.full_clean()
+
+
+def test_min_date_after_max_date_rejected(custom_form: CustomForm):
+    """minDate after maxDate must be rejected."""
+    field = FormField(
+        custom_form=custom_form,
+        label="Birthday",
+        slug="birthday",
+        field_type=FormField.FieldType.DATE,
+        position=1,
+        config={"minDate": "2025-12-31", "maxDate": "2025-01-01"},
+    )
+    with pytest.raises(ValidationError) as exc_info:
+        field.full_clean()
+    assert "minDate cannot be after maxDate" in str(exc_info.value)
+
+
+def test_valid_date_config_accepted(custom_form: CustomForm):
+    """Valid date config should pass validation."""
+    field = FormField(
+        custom_form=custom_form,
+        label="Birthday",
+        slug="birthday",
+        field_type=FormField.FieldType.DATE,
+        position=1,
+        config={"minDate": "2025-01-01", "maxDate": "2025-12-31", "format": "YYYY-MM-DD"},
+    )
+    field.full_clean()

{django_basic_form_builder-0.1.3 → django_basic_form_builder-0.1.4}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "django-basic-form-builder"
-version = "0.1.3"
+version = "0.1.4"
 description = "Reusable Django app for building JSON-driven forms via the admin"
 requires-python = ">=3.12"
 readme = "README.md"