django-nativemojo 0.1.10__py3-none-any.whl → 0.1.16__py3-none-any.whl

mojo/models/rest.py

@@ -1,11 +1,12 @@
 # from django.http import JsonResponse
 from mojo.helpers.response import JsonResponse
-from mojo.serializers.models import GraphSerializer
-from mojo.helpers import modules
+from mojo.serializers import get_serializer_manager
 from mojo.helpers.settings import settings
+from mojo import errors as me
 from django.core.exceptions import ObjectDoesNotExist
 from django.db import transaction, models as dm
 import objict
+import datetime
 from mojo.helpers import dates, logit
 
 
@@ -13,6 +14,17 @@ logger = logit.get_logger("debug", "debug.log")
 ACTIVE_REQUEST = None
 LOGGING_CLASS = None
 MOJO_APP_STATUS_200_ON_ERROR = settings.MOJO_APP_STATUS_200_ON_ERROR
+MOJO_REST_LIST_PERM_DENY = settings.get("MOJO_REST_LIST_PERM_DENY", False)
+
+# use this when there is no ACTIVE_REQUEST
+SYSTEM_REQUEST = objict.objict()
+SYSTEM_REQUEST.user = objict.objict()
+SYSTEM_REQUEST.user.id = 1
+SYSTEM_REQUEST.user.username = "system"
+SYSTEM_REQUEST.user.email = ""
+SYSTEM_REQUEST.user.is_authenticated = True
+SYSTEM_REQUEST.user.has_permission = lambda perm: True
+SYSTEM_REQUEST.DATA = objict.objict()
 
 class MojoModel:
     """Base model class for REST operations with GraphSerializer integration."""
@@ -22,6 +34,13 @@ class MojoModel:
         """Returns the active request being processed."""
         return ACTIVE_REQUEST
 
+    @property
+    def active_user(self):
+        """Returns the active user being processed."""
+        if ACTIVE_REQUEST:
+            return ACTIVE_REQUEST.user
+        return None
+
     @classmethod
     def get_rest_meta_prop(cls, name, default=None):
         """
@@ -44,6 +63,17 @@ class MojoModel:
             return default
         return getattr(cls.RestMeta, name, default)
 
+    @classmethod
+    def get_rest_meta_graph(cls, graph_name):
+        graphs = cls.get_rest_meta_prop("GRAPHS", {})
+        if isinstance(graph_name, list):
+            for n in graph_name:
+                res = graphs.get(n, None)
+                if res is not None:
+                    return res
+            return None
+        return graphs.get(graph_name, None)
+
     @classmethod
     def rest_error_response(cls, request, status=500, **kwargs):
         """
@@ -113,10 +143,20 @@ class MojoModel:
         except ObjectDoesNotExist:
             return cls.rest_error_response(None, 404, error=f"{cls.__name__} not found")
 
+    @classmethod
+    def get_instance_from_request(cls, request, field_name=None):
+        if field_name is None:
+            field_name = cls.__name__.lower()
+        if field_name not in request.DATA:
+            field_name = f"{field_name}_id"
+            if field_name not in request.DATA:
+                return None
+        return cls.objects.filter(pk=request.DATA.get(field_name)).last()
+
     @classmethod
     def rest_check_permission(cls, request, permission_keys, instance=None):
         """
-        Check permissions for a given request.
+        Check permissions for a given request. Reports granular denied feedback to incident/event system.
 
         Args:
             request: Django HTTP request object.
@@ -129,20 +169,94 @@ class MojoModel:
         perms = cls.get_rest_meta_prop(permission_keys, [])
         if perms is None or len(perms) == 0:
             return True
+
         if "all" not in perms:
             if request.user is None or not request.user.is_authenticated:
+                cls.class_report_incident(
+                    details="Permission denied: unauthenticated user",
+                    event_type="unauthenticated",
+                    request=request,
+                    perms=perms,
+                    permission_keys=permission_keys,
+                    branch="unauthenticated",
+                    instance=repr(instance) if instance else None,
+                    request_path=getattr(request, "path", None),
+                )
                 return False
+
         if instance is not None:
+            is_view = isinstance(permission_keys, list) and "VIEW_PERMS" in permission_keys
+            if not is_view and isinstance(permission_keys, str):
+                is_view = permission_keys == "VIEW_PERMS"
+            if is_view:
+                if hasattr(instance, "check_view_permission"):
+                    allowed = instance.check_view_permission(perms, request)
+                    if not allowed:
+                        cls.class_report_incident(
+                            details="Permission denied: view_permission_denied",
+                            event_type="view_permission_denied",
+                            request=request,
+                            perms=perms,
+                            permission_keys=permission_keys,
+                            branch="instance.check_view_permission",
+                            instance=repr(instance),
+                            request_path=getattr(request, "path", None),
+                        )
+                    return allowed
+
             if hasattr(instance, "check_edit_permission"):
-                return instance.check_edit_permission(perms, request)
-            if "owner" in perms and getattr(instance, "user", None) is not None:
-                if instance.user.id == request.user.id:
+                allowed = instance.check_edit_permission(perms, request)
+                if not allowed:
+                    cls.class_report_incident(
+                        details="Permission denied: edit_permission_denied",
+                        event_type="edit_permission_denied",
+                        request=request,
+                        perms=perms,
+                        permission_keys=permission_keys,
+                        branch="instance.check_edit_permission",
+                        instance=repr(instance),
+                        request_path=getattr(request, "path", None),
+                    )
+                return allowed
+
+            if "owner" in perms:
+                owner_field = instance.get_rest_meta_prop("OWNER_FIELD", "user")
+                owner = getattr(instance, owner_field, None)
+                if owner is not None and owner.id == request.user.id:
                     return True
+            if hasattr(instance, "group"):
+                request.group = getattr(instance, "group", None)
+
         if request.group and hasattr(cls, "group"):
-            # lets check our group member permissions
-            # this will now force any queries to include the group
-            return request.group.member_has_permission(request.user, perms)
-        return request.user.has_permission(perms)
+            allowed = request.group.user_has_permission(request.user, perms)
+            if not allowed:
+                cls.class_report_incident(
+                    details="Permission denied: group_member_permission_denied",
+                    event_type="group_member_permission_denied",
+                    request=request,
+                    perms=perms,
+                    permission_keys=permission_keys,
+                    group=getattr(request, "group", None),
+                    branch="group.user_has_permission",
+                    instance=repr(instance) if instance else None,
+                    request_path=getattr(request, "path", None),
+                )
+            return allowed
+        if request.user is None or not request.user.is_authenticated:
+            return False
+        allowed = request.user.has_permission(perms)
+        if not allowed:
+            cls.class_report_incident(
+                details="Permission denied: user_permission_denied",
+                event_type="user_permission_denied",
+                request=request,
+                perms=perms,
+                permission_keys=permission_keys,
+                branch="user.has_permission",
+                instance=repr(instance) if instance else None,
+                request_path=getattr(request, "path", None),
+            )
+        return allowed
 
     @classmethod
     def on_rest_handle_get(cls, request, instance):
@@ -206,9 +320,41 @@ class MojoModel:
         Returns:
             JsonResponse representing the list of resources.
         """
+        # cls.debug("on_rest_handle_list")
         if cls.rest_check_permission(request, "VIEW_PERMS"):
             return cls.on_rest_list(request)
-        return cls.rest_error_response(request, 403, error=f"GET permission denied: {cls.__name__}")
+        else:
+            perms = cls.get_rest_meta_prop("VIEW_PERMS", [])
+            if perms and "owner" in perms and request.user.is_authenticated:
+                owner_field = cls.get_rest_meta_prop("OWNER_FIELD", "user")
+                q = {owner_field: request.user}
+                return cls.on_rest_list(request, cls.objects.filter(**q))
+        if MOJO_REST_LIST_PERM_DENY:
+            return cls.rest_error_response(request, 403, error=f"GET permission denied: {cls.__name__}")
+        return cls.on_rest_list_response(request, cls.objects.none())
+
+    def update_from_dict(self, dict_data):
+        request = ACTIVE_REQUEST or SYSTEM_REQUEST
+        return self.on_rest_save(request, dict_data)
+
+    @classmethod
+    def create_from_dict(cls, dict_data, **kwargs):
+        request = kwargs.pop('request', ACTIVE_REQUEST or SYSTEM_REQUEST)
+        instance = cls(**kwargs)
+        instance.on_rest_save(request, dict_data)
+        instance.on_rest_created()
+        if cls.get_rest_meta_prop("LOG_CHANGES", False):
+            instance.log(kind="model:created", log=f"{request.user.username} created {instance.pk}")
+        return instance
+
+    @classmethod
+    def create_from_request(cls, request, **kwargs):
+        instance = cls(**kwargs)
+        instance.on_rest_save(request, request.DATA)
+        instance.on_rest_created()
+        if cls.get_rest_meta_prop("LOG_CHANGES", False):
+            instance.log(kind="model:created", log=f"{ACTIVE_REQUEST.user.username} created {instance.pk}")
+        return instance
 
     @classmethod
     def on_rest_handle_create(cls, request):
@@ -221,9 +367,9 @@ class MojoModel:
         Returns:
             JsonResponse representing the result of the create operation.
         """
-        if cls.rest_check_permission(request, ["SAVE_PERMS", "VIEW_PERMS"]):
-            instance = cls()
-            return instance.on_rest_save_and_respond(request)
+        if cls.rest_check_permission(request, ["CREATE_PERMS", "SAVE_PERMS", "VIEW_PERMS"]):
+            instance = cls.create_from_request(request)
+            return instance.on_rest_get(request)
         return cls.rest_error_response(request, 403, error=f"CREATE permission denied: {cls.__name__}")
 
     @classmethod
@@ -256,10 +402,18 @@ class MojoModel:
         """
         if queryset is None:
             queryset = cls.objects.all()
-        if request.group is not None and hasattr(cls, "group"):
-            if "group" in request.DATA:
-                del request.DATA["group"]
-            queryset = queryset.filter(group=request.group)
+        # for better query perfomance we want raw request GET data
+        request.QUERY_PARAMS = request.GET.copy()
+        if request.group is not None:
+            GROUP_FIELD = cls.get_rest_meta_prop("GROUP_FIELD", None)
+            if GROUP_FIELD or hasattr(cls, "group"):
+                if "group" in request.QUERY_PARAMS:
+                    del request.QUERY_PARAMS["group"]
+                if GROUP_FIELD:
+                    q = {GROUP_FIELD: request.group}
+                else:
+                    q = {"group": request.group}
+                queryset = queryset.filter(**q)
         queryset = cls.on_rest_list_filter(request, queryset)
         queryset = cls.on_rest_list_date_range_filter(request, queryset)
         queryset = cls.on_rest_list_sort(request, queryset)
@@ -268,13 +422,40 @@ class MojoModel:
     @classmethod
     def on_rest_list_response(cls, request, queryset):
         # Implement pagination
-        page_size = request.DATA.get_typed("size", 10, int)
-        page_start = request.DATA.get_typed("start", 0, int)
+        page_size = request.DATA.get_typed(["size", "limit"], 10, int)
+        page_start = request.DATA.get_typed(["start", "offset"], 0, int)
         page_end = page_start+page_size
         paged_queryset = queryset[page_start:page_end]
         graph = request.DATA.get("graph", "list")
-        serializer = GraphSerializer(paged_queryset, graph=graph, many=True)
-        return serializer.to_response(request, count=queryset.count(), start=page_start, size=page_size)
+        format = request.DATA.get("download_format", "json")
+        count = queryset.count()
+        # Use serializer manager for optimal performance
+        manager = get_serializer_manager()
+        if format != "json":
+            format_key = format.split("_")[0]
+            serializer = manager.get_format_serializer(format_key)
+            formats = cls.get_rest_meta_prop("FORMATS")
+            if formats is not None and format in formats:
+                fields = formats[format]
+            else:
+                graph = cls.get_rest_meta_graph(["basic", "default"])
+                if not graph or not graph.get("fields"):
+                    raise me.ValueException("No valid graph found")
+                fields = graph.get("fields")
+            logger.info(f"Serializing queryset with fields: {fields}")
+            return serializer.serialize_queryset(queryset, fields=fields, filename=request.DATA.get("filename", f"{cls.__name__}.csv"))
+        serializer = manager.get_serializer(paged_queryset, graph=graph, many=True)
+        resp = serializer.to_response(request, count=count, start=page_start, size=page_size)
+        resp.log_context = {
+            "endpoint": "list",
+            "model": cls.__name__,
+            "page_size": page_size,
+            "page_start": page_start,
+            "page_end": page_end,
+            "graph": graph,
+            "count": count
+        }
+        return resp
 
     @classmethod
     def on_rest_list_date_range_filter(cls, request, queryset):
@@ -305,6 +486,22 @@ class MojoModel:
             queryset = queryset.filter(**{f"{dr_field}__lte": dr_end})
         return queryset
 
+    @classmethod
+    def normalize_rest_value(cls, request, field_name, value):
+        field = cls.get_model_field(field_name)
+        if field.get_internal_type() == "BooleanField":
+            if isinstance(value, str):
+                value = value.lower() in ("true", "1")
+            elif isinstance(value, int):
+                value = bool(value)
+            else:
+                value = bool(value)
+        elif value is not None:
+            if field.get_internal_type() in ["DateTimeField", "DateField"]:
+                if not isinstance(value, (datetime.datetime, datetime.date)):
+                    value = dates.parse_datetime(value)
+        return value
+
     @classmethod
     def on_rest_list_filter(cls, request, queryset):
         """
@@ -317,23 +514,29 @@ class MojoModel:
         Returns:
             The filtered queryset.
         """
+        reserved_keys = ["start", "size", "download_format", "dr_start", "dr_end", "limit", "offset"]
         filters = {}
-        for key, value in request.GET.items():
+        for key, value in request.QUERY_PARAMS.items():
             # Split key to check for foreign key relationships
+            if "." in key:
+                key = key.replace(".", "__")
             key_parts = key.split('__')
             field_name = key_parts[0]
+            if field_name in reserved_keys:
+                continue
             if hasattr(cls, field_name):
-                filters[key] = value
+                filters[key] = cls.normalize_rest_value(request, field_name, value)
             elif field_name in cls.__rest_field_names__ and cls._meta.get_field(field_name).is_relation:
+                # TODO Normalize relation field values
                 filters[key] = value
-        # logger.info("filters", filters)
+        logger.info("filters", filters)
         queryset = cls.on_rest_list_search(request, queryset)
         return queryset.filter(**filters)
 
     @classmethod
     def on_rest_list_search(cls, request, queryset):
         """
-        Search queryset based on 'q' param in the request for fields defined in 'SEARCH_FIELDS'.
+        Search queryset based on 'search' param in the request for fields defined in 'SEARCH_FIELDS'.
 
         Args:
             request: Django HTTP request object.
@@ -342,7 +545,7 @@ class MojoModel:
         Returns:
             The filtered queryset based on the search criteria.
         """
-        search_query = request.GET.get('q', None)
+        search_query = request.DATA.get('search', None)
         if not search_query:
             return queryset
 
@@ -397,8 +600,7 @@ class MojoModel:
             }
         return JsonResponse(response_payload)
 
-    @classmethod
-    def on_rest_create(cls, request):
+    def on_rest_created(self):
         """
         Handle the creation of an object.
 
@@ -406,12 +608,51 @@ class MojoModel:
             request: Django HTTP request object.
 
         Returns:
-            JsonResponse representing the newly created object.
+            None
+        """
+        # Perform any additional actions after object creation
+        pass
+
+    def on_rest_pre_save(self, changed_fields, created):
+        """
+        Handle the pre-save of an object.
+
+        Args:
+            created: Boolean indicating whether the object is being created.
+            changed_fields: Dictionary of fields that have changed.
+        Returns:
+            None
+        """
+        # Perform any additional actions before object save
+        pass
+
+    def on_rest_saved(self, changed_fields, created):
+        """
+        Handle the saving of an object.
+
+        Args:
+            created: Boolean indicating whether the object is being created.
+            changed_fields: Dictionary of fields that have changed.
+        Returns:
+            None
         """
-        instance = cls()
-        return instance.on_rest_save_and_respond(request)
+        # Perform any additional actions after object creation
+        pass
 
-    def on_rest_get(self, request):
+    def on_rest_response(self, request, graph="default"):
+        """
+        Handle the response after a REST request.
+
+        Args:
+            request: Django HTTP request object.
+            graph: String representing the graph to use for serialization.
+
+        Returns:
+            JsonResponse representing the object.
+        """
+        return self.on_rest_get(request, graph=graph)
+
+    def on_rest_get(self, request, graph="default"):
         """
         Handle the retrieval of a single object.
 
@@ -421,38 +662,139 @@ class MojoModel:
         Returns:
             JsonResponse representing the object.
         """
-        graph = request.GET.get("graph", "default")
-        serializer = GraphSerializer(self, graph=graph)
+        graph = request.DATA.get("graph", graph)
+        # Use serializer manager for optimal performance
+        manager = get_serializer_manager()
+        serializer = manager.get_serializer(self, graph=graph)
         return serializer.to_response(request)
 
+    def _set_field_change(self, key, old_value=None, new_value=None):
+        if not hasattr(self, "__changed_fields__"):
+            self.__changed_fields__ = objict.objict()
+        if old_value != new_value:
+            self.__changed_fields__[key] = old_value
+
+    def has_field_changed(self, key):
+        return key in self.__changed_fields__
+
+    def has_changed(self):
+        return bool(self.__changed_fields__)
+
+    def get_changes(self, data):
+        changes = {}
+        for key, value in self.__changed_fields__.items():
+            changes[key] = f"{value} -> {data.get(key, None)}"
+        return changes
+
     def on_rest_save(self, request, data_dict):
         """
         Create a model instance from a dictionary.
 
         Args:
             request: Django HTTP request object.
+            data_dict: Dictionary containing the data to save.
 
         Returns:
             None
         """
-        for field in self._meta.get_fields():
-            field_name = field.name
-            if field_name in data_dict:
-                field_value = data_dict[field_name]
-                set_field_method = getattr(self, f'set_{field_name}', None)
-                if callable(set_field_method):
-                    set_field_method(field_value, request)
-                elif field.is_relation and hasattr(field, 'related_model'):
-                    self.on_rest_save_related_field(field, field_value, request)
-                elif field.get_internal_type() == "JSONField":
-                    self.on_rest_update_jsonfield(field_name, field_value)
-                else:
-                    setattr(self, field_name, field_value)
+        self.__changed_fields__ = objict.objict()
+        # Get fields that should not be saved
+        no_save_fields = self.get_rest_meta_prop("NO_SAVE_FIELDS", ["id", "pk", "created", "uuid"])
+        post_save_actions = self.get_rest_meta_prop("POST_SAVE_ACTIONS", ['action'])
+        post_save_data = {}
+        action_resp = None  # an action may have a specific response
+        # Iterate through data_dict keys instead of model fields
+        for key, value in data_dict.items():
+            # Skip fields that shouldn't be saved
+            if key in no_save_fields:
+                continue
+            if key in post_save_actions:
+                post_save_data[key] = value
+                continue
+            self.on_rest_save_field(key, value, request)
+
+        created = self.pk is None
+        if created:
+            owner_field = self.get_rest_meta_prop("CREATED_BY_OWNER_FIELD", "user")
+            if request.user.is_authenticated and self.get_model_field(owner_field):
+                setattr(self, owner_field, request.user)
+            if request.group and self.get_model_field("group"):
+                if getattr(self, "group", None) is None:
+                    self.group = request.group
+        else:
+            owner_field = self.get_rest_meta_prop("UPDATED_BY_OWNER_FIELD", "modified_by")
+            if request.user.is_authenticated and self.get_model_field(owner_field):
+                setattr(self, owner_field, request.user)
+        self.on_rest_pre_save(self.__changed_fields__, created)
+        if "files" in data_dict:
+            self.on_rest_save_files(data_dict["files"])
         self.atomic_save()
+        self.on_rest_saved(self.__changed_fields__, created)
+        for key, value in post_save_data.items():
+            # post save fields can only be called via on_action_
+            handler = getattr(self, f'on_action_{key}', None)
+            if callable(handler):
+                action_resp = handler(value)
+
+        if self.get_rest_meta_prop("LOG_CHANGES", False) and self.has_changed():
+            self.log(kind="model:changed", log=self.get_changes(data_dict))
+        return action_resp
+
+    def on_rest_save_field(self, key, value, request):
+        # First check for custom setter method
+        set_field_method = getattr(self, f'set_{key}', None)
+        if callable(set_field_method):
+            old_value = getattr(self, key, None)
+            set_field_method(value)
+            new_value = getattr(self, key, None)
+            self._set_field_change(key, old_value, new_value)
+            return
+
+        # Check if this is a model field
+        field = self.get_model_field(key)
+        if field is None:
+            return
+        if field.get_internal_type() == "ForeignKey":
+            self.on_rest_save_related_field(field, value, request)
+        elif field.get_internal_type() == "JSONField":
+            self.on_rest_update_jsonfield(key, value)
+        else:
+            if field.get_internal_type() == "BooleanField":
+                if isinstance(value, str):
+                    value = value.lower() in ("true", "1")
+                elif isinstance(value, int):
+                    value = bool(value)
+                else:
+                    value = bool(value)
+            elif value is not None:
+                if field.get_internal_type() in ["DateTimeField", "DateField"]:
+                    if not isinstance(value, (datetime.datetime, datetime.date)):
+                        value = dates.parse_datetime(value)
+            self._set_field_change(key, getattr(self, key), value)
+            setattr(self, key, value)
+
+    def on_rest_save_files(self, files):
+        for name, file in files.items():
+            self.on_rest_save_file(name, file)
+
+    def on_rest_save_file(self, name, file):
+        # Implement file saving logic here
+        self.debug("Finding file for field: %s", name)
+        field = self.get_model_field(name)
+        if field is None:
+            return
+        self.debug("Saving file for field: %s", name)
+        if field.related_model and hasattr(field.related_model, "create_from_file"):
+            self.debug("Found file for field: %s", name)
+            related_model = field.related_model
+            instance = related_model.create_from_file(file, name)
+            setattr(self, name, instance)
 
     def on_rest_save_and_respond(self, request):
-        self.on_rest_save(request, request.DATA)
-        return self.on_rest_get(request)
+        resp = self.on_rest_save(request, request.DATA)
+        if resp is None:
+            return self.on_rest_get(request)
+        return JsonResponse(resp)
 
     def on_rest_save_related_field(self, field, field_value, request):
         if isinstance(field_value, dict):
@@ -466,11 +808,23 @@ class MojoModel:
                 if field.related_model.rest_check_permission(request, ["SAVE_PERMS", "VIEW_PERMS"], related_instance):
                     related_instance.on_rest_save(request, field_value)
             return
-        try:
+        if hasattr(field.related_model, "on_rest_related_save"):
+            related_instance = getattr(self, field.name)
+            field.related_model.on_rest_related_save(self, field.name, field_value, related_instance)
+        elif isinstance(field_value, int) or (isinstance(field_value, str)):
+            # self.debug(f"Related Model: {field.related_model.__name__}, Field Value: {field_value}")
+            field_value = int(field_value)
+            if not bool(field_value):
+                # None, "", 0 will set it to None
+                logger.info(f"Setting field {field.name} to None")
+                setattr(self, field.name, None)
+                return
+            field_value = int(field_value)
+            if (self.pk == field_value):
+                self.debug("Skipping self-reference")
+                return
             related_instance = field.related_model.objects.get(pk=field_value)
             setattr(self, field.name, related_instance)
-        except field.related_model.DoesNotExist:
-            pass  # Skip invalid related instances
 
     def on_rest_update_jsonfield(self, field_name, field_value):
         """helper to update jsonfield by merge in changes"""
@@ -487,6 +841,18 @@ class MojoModel:
             setattr(self, field_name, existing_value)
         return existing_value
 
+    def on_rest_pre_delete(self):
+        """
+        Handle the pre-deletion of an object.
+
+        Args:
+            request: Django HTTP request object.
+
+        Returns:
+            JsonResponse representing the result of the pre-delete operation.
+        """
+        pass
+
     def on_rest_delete(self, request):
         """
         Handle the deletion of an object.
@@ -498,20 +864,23 @@ class MojoModel:
             JsonResponse representing the result of the delete operation.
         """
         try:
+            self.on_rest_pre_delete()
             with transaction.atomic():
                 self.delete()
-            return JsonResponse({"status": "deleted"}, status=204)
+            return JsonResponse({"status": "deleted"}, status=200)
         except Exception as e:
             return JsonResponse({"error": str(e)}, status=400)
 
     def to_dict(self, graph="default"):
-        serializer = GraphSerializer(self, graph=graph)
-        return serializer.serialize()
+        # Use serializer manager for optimal performance
+        manager = get_serializer_manager()
+        return manager.serialize(self, graph=graph)
 
     @classmethod
     def queryset_to_dict(cls, qset, graph="default"):
-        serializer = GraphSerializer(qset, graph=graph)
-        return serializer.serialize()
+        # Use serializer manager for optimal performance
+        manager = get_serializer_manager()
+        return manager.serialize(qset, graph=graph, many=True)
 
     def atomic_save(self):
         """
@@ -520,19 +889,79 @@ class MojoModel:
         with transaction.atomic():
             self.save()
 
-    def report_incident(self, description, kind="error", level="critical", **kwargs):
-        self.model_logit(ACTIVE_REQUEST, description, kind=kind, level=level)
-        Event = modules.get_model("incidents", "Event")
-        if Event is None:
-            Event.report(description, kind, **kwargs)
+    def report_incident(self, details, event_type="info", level=1, request=None, **context):
+        """
+        Instance-level audit/event reporting. Automatically includes model+id.
+        """
+        context = dict(context)
+        context.setdefault("model_name", self.__class__.get_model_string())
+        if hasattr(self, 'id') and self.id is not None:
+            context.setdefault("model_id", self.id)
+        self.__class__.class_report_incident(
+            details, event_type=event_type, level=level, request=request, **context
+        )
+
+    @classmethod
+    def class_report_incident_for_user(cls, details, event_type="info", level=1, request=None, **context):
+        """
+        Class-level audit/event reporting for a specific user.
+        details: Human description.
+        event_type: Category/kind (e.g. "permission_denied", "security_alert").
+        level: Numeric severity.
+        request: Optional HTTP request or actor.
+        **context: Any additional context.
+        """
+        if ACTIVE_REQUEST and ACTIVE_REQUEST.user.is_authenticated:
+            return request.user.report_incident(details, event_type=event_type, level=level, request=request, **context)
+        return cls.class_report_incident(details, event_type=event_type, level=level, request=request, **context)
 
-    def log(self, log, kind="model_log", level="info", **kwargs):
+    @classmethod
+    def class_report_incident(cls, details, event_type="info", level=1, request=None, **context):
+        """
+        Class-level audit/event reporting.
+        details: Human description.
+        event_type: Category/kind (e.g. "permission_denied", "security_alert").
+        level: Numeric severity.
+        request: Optional HTTP request or actor.
+        **context: Any additional context.
+        """
+        from mojo.apps import incident
+        context = dict(context)
+        context.setdefault("model_name", cls.__name__)
+        incident.report_event(
+            details,
+            title=details[:80],
+            category=event_type,
+            level=level,
+            request=request,
+            **context
+        )
+
+    def log(self, log="", kind="model_log", level="info", **kwargs):
         return self.class_logit(ACTIVE_REQUEST, log, kind, self.id, level, **kwargs)
 
     def model_logit(self, request, log, kind="model_log", level="info", **kwargs):
         return self.class_logit(request, log, kind, self.id, level, **kwargs)
 
+    @classmethod
+    def debug(cls, log, *args):
+        return logger.info(log, *args)
+
+    @classmethod
+    def get_model_string(cls):
+        return f"{ cls._meta.app_label.lower()}.{cls.__name__}"
+
     @classmethod
     def class_logit(cls, request, log, kind="cls_log", model_id=0, level="info", **kwargs):
         from mojo.apps.logit.models import Log
-        return Log.logit(request, log, kind, cls.__name__, model_id, level, **kwargs)
+        return Log.logit(request, log, kind, cls.get_model_string(), model_id, level, **kwargs)
+
+    @classmethod
+    def get_model_field(cls, field_name):
+        """
+        Get a model field by name.
+        """
+        try:
+            return cls._meta.get_field(field_name)
+        except Exception:
+            return None