easyapi-django 0.36__tar.gz → 0.37__tar.gz

{easyapi_django-0.36/easyapi_django.egg-info → easyapi_django-0.37}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: easyapi_django
-Version: 0.36
+Version: 0.37
 Summary: A simple rest api generator for django based on models
 Author-email: Stamatios Stamou Jr <bushier.outsets.0c@icloud.com>
 License-Expression: MIT
@@ -157,48 +157,118 @@ class YourResource(BaseResource):
 | `?field=value` / `?field__gte=...` | Filter on whitelisted fields                    |
 | `?fields=a,b`                      | Restrict returned fields (filtered by `list_fields`) |
 | `?filter=<json>`                   | Advanced filter expression on whitelisted fields |
-| `?segment_id=N`                    | Apply a saved segment (see below)               |
+| `?<stored_filter_param>=N`         | Apply a server-side stored filter expression (see below) |
 | `?page=N&limit=M&order_by=field`   | Pagination + order                              |
 | `?normalize=true`                  | Return list as `{id: {...}}` instead of array   |
 
-## Saved segments
+## Saved filter expressions
 
-A segment is a saved JSON filter expression — the same boolean tree
-`?filter=<json>` accepts, stored under a stable id. Useful for CRM-style
-"saved views", marketing audiences, dashboard filters.
+Layer-2 expressions can be persisted server-side and reapplied by id —
+saved views, marketing audiences, dashboard presets. The framework owns
+the URL plumbing; the project owns the storage, lookup and policy.
 
-Wire it up by pointing `EASYAPI.SEGMENT_MODEL` at a model that exposes a
-`.conditions` attribute returning the Layer-2 dict:
+Two pieces on the resource:
 
 ```python
-# settings.py
-EASYAPI = {
-    'SEGMENT_MODEL': 'modules.segment.models.Segment',
-}
+class ClientResource(BaseResource):
+    model = Client
+    filter_fields = ['active', 'name']
+
+    stored_filter_param = 'segment_id'   # any name — view_id, audience_id, …
+
+    async def resolve_stored_filter(self, value):
+        seg = await Segment.objects.filter(
+            id=value, account=self.account_id   # tenant scoping etc.
+        ).afirst()
+        return seg.conditions if seg else None
+```
+
+When a request carries `?segment_id=42`, easyapi calls the hook, trusts
+its return value, and applies it through the same Layer-2 pipeline.
+Returning `None` raises `404`. The hook can raise `HTTPException(403,
+...)` itself for "exists but you can't access it."
+
+`?segment_id=` and `?filter=` compose with AND — saved view *plus*
+ad-hoc narrowing. The URL JSON still validates against `filter_fields`;
+the stored conditions skip that check because the hook owns them.
+
+For projects that let end users author stored expressions, validate at
+write time with the public helper:
+
+```python
+from easyapi import validate_conditions
+
+class SegmentResource(BaseResource):
+    model = Segment
+    create_fields = ['name', 'conditions', 'context_id']
+
+    async def hydrate(self, body):
+        conditions = body.get('conditions')
+        if conditions:
+            allowed = ALLOWED_FIELDS_BY_CONTEXT[body['context_id']]
+            validate_conditions(conditions, allowed)
+        return body
+```
+
+Server-side admin-only expressions can skip the write-time check; only
+user-authored ones need it.
+
+For projects with one `Segment` row type targeting many list resources,
+factor out a mixin so each resource opts in with two lines and the
+`filter_fields` whitelist auto-extends from a project registry:
+
+```python
+# modules/segment/mixin.py
+from django.db.models import Q
+from .constants import INCLUDE_FIELDS
+from .models import Segment, CONTEXT
+
+class SegmentMixin:
+    stored_filter_param = 'segment_id'
+    segment_context_id = None
+
+    def __init__(self):
+        super().__init__()
+        if self.segment_context_id is None:
+            return
+        label = CONTEXT.LABEL[self.segment_context_id]
+        bag = INCLUDE_FIELDS.get(label, {})
+        extra  = list(bag.get('segment_fields') or [])
+        extra += [m.split('__')[0] for m in bag.get('related_models') or []]
+        self.filter_fields = list(
+            dict.fromkeys((self.filter_fields or []) + extra)
+        )
+
+    async def resolve_stored_filter(self, value, **kwargs):
+        is_master = bool(self.user and (
+            self.user.get('is_admin') or self.user.get('is_owner')
+        ))
+        qs = Segment.objects.filter(
+            id=value, context_id=self.segment_context_id,
+        )
+        if not is_master:
+            qs = qs.filter(
+                Q(public=True) | Q(created_by_id=self.user['id'])
+            )
+        seg = await qs.afirst()
+        return seg.conditions if seg else None
+
+class AgentResource(SegmentMixin, BaseResource):
+    segment_context_id = CONTEXT.AGENT
+    model = Agent
+    filter_fields = ['agency_id']    # explicit URL shorthands
+    # The mixin unions in the segment_fields whitelist + related prefixes,
+    # so ?filter=<json> and segment authoring share one source of truth.
+```
+
+The minimum storage model is a JSON column:
 
-# modules/segment/models.py
+```python
 class Segment(models.Model):
     name = models.CharField(max_length=120)
-    conditions = models.JSONField()      # the Layer-2 boolean tree
-
-Segment.objects.create(
-    name='Active demo accounts',
-    conditions={
-        'logical_operator': 'AND',
-        'rules': [
-            {'field': 'active', 'operator': 'exact',     'value': True},
-            {'field': 'name',   'operator': 'icontains', 'value': 'demo'},
-        ],
-    },
-)
+    conditions = models.JSONField()
 ```
 
-Any resource then accepts `GET /clients?segment_id=42`. Conditions are
-validated against the resource's `filter_fields` whitelist; missing rows
-return 404. When `SEGMENT_MODEL` is unset, `?segment_id=` is a no-op. A
-bad path raises `ImportError` at first use — typos fail loudly instead of
-silently disabling segments.
-
 ## Pydantic schemas (optional)
 
 Set any of `create_schema`, `update_schema`, `list_schema` and easyapi
@@ -398,7 +468,7 @@ middleware in effect.
 
 - Session cookie validated against `^[a-zA-Z0-9_\-:]{5,100}$`.
 - `?fields=` is filtered against `list_fields` to prevent attribute leakage.
-- `?filter=` and `segment_id` are validated against `filter_fields`.
+- `?filter=` is validated against `filter_fields`. Stored filter expressions are validated by the project (typically at write time via `validate_conditions`).
 - `owner_field` scopes PATCH/DELETE to rows owned by the authenticated user.
 - Request rate limiting runs inside `BaseResource.dispatch`; edge scanner
   blocking runs in `SecurityMiddleware` before the view.

{easyapi_django-0.36 → easyapi_django-0.37}/README.md

@@ -130,48 +130,118 @@ class YourResource(BaseResource):
 | `?field=value` / `?field__gte=...` | Filter on whitelisted fields                    |
 | `?fields=a,b`                      | Restrict returned fields (filtered by `list_fields`) |
 | `?filter=<json>`                   | Advanced filter expression on whitelisted fields |
-| `?segment_id=N`                    | Apply a saved segment (see below)               |
+| `?<stored_filter_param>=N`         | Apply a server-side stored filter expression (see below) |
 | `?page=N&limit=M&order_by=field`   | Pagination + order                              |
 | `?normalize=true`                  | Return list as `{id: {...}}` instead of array   |
 
-## Saved segments
+## Saved filter expressions
 
-A segment is a saved JSON filter expression — the same boolean tree
-`?filter=<json>` accepts, stored under a stable id. Useful for CRM-style
-"saved views", marketing audiences, dashboard filters.
+Layer-2 expressions can be persisted server-side and reapplied by id —
+saved views, marketing audiences, dashboard presets. The framework owns
+the URL plumbing; the project owns the storage, lookup and policy.
 
-Wire it up by pointing `EASYAPI.SEGMENT_MODEL` at a model that exposes a
-`.conditions` attribute returning the Layer-2 dict:
+Two pieces on the resource:
 
 ```python
-# settings.py
-EASYAPI = {
-    'SEGMENT_MODEL': 'modules.segment.models.Segment',
-}
+class ClientResource(BaseResource):
+    model = Client
+    filter_fields = ['active', 'name']
+
+    stored_filter_param = 'segment_id'   # any name — view_id, audience_id, …
+
+    async def resolve_stored_filter(self, value):
+        seg = await Segment.objects.filter(
+            id=value, account=self.account_id   # tenant scoping etc.
+        ).afirst()
+        return seg.conditions if seg else None
+```
+
+When a request carries `?segment_id=42`, easyapi calls the hook, trusts
+its return value, and applies it through the same Layer-2 pipeline.
+Returning `None` raises `404`. The hook can raise `HTTPException(403,
+...)` itself for "exists but you can't access it."
+
+`?segment_id=` and `?filter=` compose with AND — saved view *plus*
+ad-hoc narrowing. The URL JSON still validates against `filter_fields`;
+the stored conditions skip that check because the hook owns them.
+
+For projects that let end users author stored expressions, validate at
+write time with the public helper:
+
+```python
+from easyapi import validate_conditions
+
+class SegmentResource(BaseResource):
+    model = Segment
+    create_fields = ['name', 'conditions', 'context_id']
+
+    async def hydrate(self, body):
+        conditions = body.get('conditions')
+        if conditions:
+            allowed = ALLOWED_FIELDS_BY_CONTEXT[body['context_id']]
+            validate_conditions(conditions, allowed)
+        return body
+```
+
+Server-side admin-only expressions can skip the write-time check; only
+user-authored ones need it.
+
+For projects with one `Segment` row type targeting many list resources,
+factor out a mixin so each resource opts in with two lines and the
+`filter_fields` whitelist auto-extends from a project registry:
+
+```python
+# modules/segment/mixin.py
+from django.db.models import Q
+from .constants import INCLUDE_FIELDS
+from .models import Segment, CONTEXT
+
+class SegmentMixin:
+    stored_filter_param = 'segment_id'
+    segment_context_id = None
+
+    def __init__(self):
+        super().__init__()
+        if self.segment_context_id is None:
+            return
+        label = CONTEXT.LABEL[self.segment_context_id]
+        bag = INCLUDE_FIELDS.get(label, {})
+        extra  = list(bag.get('segment_fields') or [])
+        extra += [m.split('__')[0] for m in bag.get('related_models') or []]
+        self.filter_fields = list(
+            dict.fromkeys((self.filter_fields or []) + extra)
+        )
+
+    async def resolve_stored_filter(self, value, **kwargs):
+        is_master = bool(self.user and (
+            self.user.get('is_admin') or self.user.get('is_owner')
+        ))
+        qs = Segment.objects.filter(
+            id=value, context_id=self.segment_context_id,
+        )
+        if not is_master:
+            qs = qs.filter(
+                Q(public=True) | Q(created_by_id=self.user['id'])
+            )
+        seg = await qs.afirst()
+        return seg.conditions if seg else None
+
+class AgentResource(SegmentMixin, BaseResource):
+    segment_context_id = CONTEXT.AGENT
+    model = Agent
+    filter_fields = ['agency_id']    # explicit URL shorthands
+    # The mixin unions in the segment_fields whitelist + related prefixes,
+    # so ?filter=<json> and segment authoring share one source of truth.
+```
+
+The minimum storage model is a JSON column:
 
-# modules/segment/models.py
+```python
 class Segment(models.Model):
     name = models.CharField(max_length=120)
-    conditions = models.JSONField()      # the Layer-2 boolean tree
-
-Segment.objects.create(
-    name='Active demo accounts',
-    conditions={
-        'logical_operator': 'AND',
-        'rules': [
-            {'field': 'active', 'operator': 'exact',     'value': True},
-            {'field': 'name',   'operator': 'icontains', 'value': 'demo'},
-        ],
-    },
-)
+    conditions = models.JSONField()
 ```
 
-Any resource then accepts `GET /clients?segment_id=42`. Conditions are
-validated against the resource's `filter_fields` whitelist; missing rows
-return 404. When `SEGMENT_MODEL` is unset, `?segment_id=` is a no-op. A
-bad path raises `ImportError` at first use — typos fail loudly instead of
-silently disabling segments.
-
 ## Pydantic schemas (optional)
 
 Set any of `create_schema`, `update_schema`, `list_schema` and easyapi
@@ -371,7 +441,7 @@ middleware in effect.
 
 - Session cookie validated against `^[a-zA-Z0-9_\-:]{5,100}$`.
 - `?fields=` is filtered against `list_fields` to prevent attribute leakage.
-- `?filter=` and `segment_id` are validated against `filter_fields`.
+- `?filter=` is validated against `filter_fields`. Stored filter expressions are validated by the project (typically at write time via `validate_conditions`).
 - `owner_field` scopes PATCH/DELETE to rows owned by the authenticated user.
 - Request rate limiting runs inside `BaseResource.dispatch`; edge scanner
   blocking runs in `SecurityMiddleware` before the view.

{easyapi_django-0.36 → easyapi_django-0.37}/easyapi/__init__.py

@@ -8,7 +8,7 @@ from easyapi.tenant.db_router import DBRouter  # noqa
 from easyapi.tenant.tenant import aset_tenant, db_state, get_account, get_master_user, get_tenant, set_tenant  # noqa
 # set_default / unset_default are SCRIPT-ONLY (mutate global default DB);
 # import them directly from easyapi.tenant.tenant when really needed.
-from easyapi.filters import Filter as OrmFilter  # noqa
+from easyapi.filters import Filter as OrmFilter, validate_conditions  # noqa
 from easyapi.redis_config import get_cache_stats, reset_cache_stats  # noqa: F401
 from easyapi.schemas import openapi  # noqa: F401
 from easyapi.openapi import build_spec  # noqa: F401

{easyapi_django-0.36 → easyapi_django-0.37}/easyapi/base.py

@@ -23,7 +23,7 @@ from .auth import validate_token_async
 from .blocking import block as block_identifier
 from .blocking import is_blocked
 from .client_ip import get_client_ip
-from .filters import Filter as OrmFilter
+from .filters import Filter as OrmFilter, validate_conditions
 from .exception import HTTPException
 from .helpers import (
     LOCAL_HOST,
@@ -71,28 +71,6 @@ RATE_LIMITS = get_setting('RATE_LIMITS', default={
 logger = logging.getLogger(__name__)
 
 
-_SEGMENT_MODEL_PATH = get_setting('SEGMENT_MODEL')
-_segment_model_cache = False  # sentinel; resolved lazily on first use
-
-
-def _get_segment_model():
-    """Lazy-resolve the project's Segment model.
-
-    Reads the dotted path from ``EASYAPI = {'SEGMENT_MODEL': ...}``.
-    When unset, ``?segment_id=`` is a no-op. Bad path raises so a typo
-    fails loudly instead of silently disabling segments.
-    """
-    global _segment_model_cache
-    if _segment_model_cache is not False:
-        return _segment_model_cache
-    if not _SEGMENT_MODEL_PATH:
-        _segment_model_cache = None
-        return None
-    module_path, attr = _SEGMENT_MODEL_PATH.rsplit('.', 1)
-    _segment_model_cache = getattr(import_module(module_path), attr)
-    return _segment_model_cache
-
-
 class BaseResource(View):
     authenticated = True
     allowed_methods = ['delete', 'get', 'patch', 'post']
@@ -146,6 +124,13 @@ class BaseResource(View):
     filter_fields = None
     queryset_filter = None
 
+    # Querystring param that resolves to a server-side stored filter
+    # expression (e.g. ``'segment_id'``, ``'view_id'``). When set, the
+    # framework reads ``request.GET[stored_filter_param]`` and calls
+    # ``resolve_stored_filter(value)`` to load the conditions dict.
+    # Combines with ``?filter=<json>`` via AND when both are present.
+    stored_filter_param = None
+
     # When set (e.g. owner_field='owner_id'), DELETE/PATCH only operate on
     # rows whose value of this field matches the authenticated user's id.
     # Default None disables the check (consumer is responsible for
@@ -663,14 +648,18 @@ class BaseResource(View):
 
                 if field in self.filter_fields:
                     param = params[key][0]
-                    is_bool_field = False
-                    if self.model:
+                    # Coerce ``true``/``false`` into bools only when the
+                    # lookup actually expects a boolean — boolean model
+                    # fields, or the ``__isnull`` lookup which Django
+                    # rejects with a string.
+                    coerce_bool = key.endswith('__isnull')
+                    if not coerce_bool and self.model:
                         try:
                             model_field = self.model._meta.get_field(field)
-                            is_bool_field = isinstance(model_field, models.BooleanField)
+                            coerce_bool = isinstance(model_field, models.BooleanField)
                         except Exception:
-                            is_bool_field = False
-                    if is_bool_field:
+                            pass
+                    if coerce_bool:
                         if param.lower() == 'false':
                             param = False
                         elif param.lower() == 'true':
@@ -859,30 +848,18 @@ class BaseResource(View):
         self.count_results = {'count': count}
 
     def _validate_filter_fields(self, conditions):
-        if not self.filter_fields:
-            raise HTTPException(403, 'Filtering not allowed')
-
-        allowed = set(self.filter_fields)
-
-        def check(node):
-            if isinstance(node, dict):
-                if 'logical_operator' in node:
-                    for rule in node.get('rules') or []:
-                        check(rule)
-                    return
-                field = node.get('field')
-                if not field:
-                    return
-                if field.startswith('custom_attributes__') or field.endswith('generated_creation_date'):
-                    return
-                root = field.split('__')[0]
-                if field not in allowed and root not in allowed:
-                    raise HTTPException(403, f'Filter on field "{field}" is not allowed')
-            elif isinstance(node, list):
-                for item in node:
-                    check(item)
-
-        check(conditions)
+        validate_conditions(conditions, self.filter_fields)
+
+    async def resolve_stored_filter(self, value, **kwargs):
+        """Hook: turn a stored-filter id into a Layer-2 conditions dict.
+
+        Override on resources that declare ``stored_filter_param``. The
+        return value is trusted verbatim — apply tenant/RBAC scoping,
+        soft-delete filters and any policy check inside the override.
+        Return ``None`` to signal not-found (framework raises 404), or a
+        conditions dict shaped like the ``?filter=<json>`` payload.
+        """
+        return None
 
     async def get_filters(self, request):
         if self.filters:
@@ -894,25 +871,39 @@ class BaseResource(View):
         if normalize_list:
             self.normalize_list = normalize_list.lower() == 'true'
 
-        segment_id = request.GET.get('segment_id')
+        stored_value = (
+            request.GET.get(self.stored_filter_param)
+            if self.stored_filter_param else None
+        )
 
-        if segment_id is None and filter_ is None:
+        if filter_ is None and stored_value is None:
             return
 
-        Segment = _get_segment_model()
-        if Segment and segment_id:
-            segment = await Segment.objects.filter(id=segment_id).afirst()
-            if not segment:
-                raise HTTPException(404, 'Segment not found')
-            conditions = segment.conditions
-
-        elif filter_:
-            conditions = json.loads(filter_)
-
-        if not conditions:
+        groups = []
+
+        if stored_value is not None:
+            stored_conditions = await self.resolve_stored_filter(stored_value)
+            if stored_conditions is None:
+                raise HTTPException(404, 'Stored filter not found')
+            if stored_conditions:
+                groups.append(stored_conditions)
+
+        if filter_:
+            url_conditions = json.loads(filter_)
+            if url_conditions:
+                # ``?filter=`` is caller-controlled — must pass the
+                # whitelist. Stored filters are trusted because the hook
+                # owns the lookup (and any validation, scoping, RBAC).
+                self._validate_filter_fields(url_conditions)
+                groups.append(url_conditions)
+
+        if not groups:
             return
 
-        self._validate_filter_fields(conditions)
+        if len(groups) == 1:
+            conditions = groups[0]
+        else:
+            conditions = {'logical_operator': 'AND', 'rules': groups}
 
         orm_filter = OrmFilter(
             self.model,

{easyapi_django-0.36 → easyapi_django-0.37}/easyapi/filters.py

@@ -13,9 +13,50 @@ from pytz import timezone as pytz_timezone
 
 from .constants import CustomAttributePresentations
 from .dates import Dates
+from .exception import HTTPException
 from .util import make_list, normalize_field
 
 
+def validate_conditions(conditions, allowed_fields):
+    """Validate a Layer-2 condition tree against an allowed-fields whitelist.
+
+    ``conditions`` is the JSON tree consumed by :class:`Filter` (dict with
+    ``logical_operator`` + ``rules`` or a flat list of rules). ``allowed_fields``
+    is any iterable of field names. Each rule's ``field`` (or its root segment
+    before ``__``) must appear in the whitelist; otherwise raises
+    ``HTTPException(403)``. Custom-attribute fields and the
+    ``generated_creation_date`` annotation are exempt.
+
+    Use this from a segment-creation resource's ``hydrate`` (or equivalent
+    write hook) to make the segment row safe before persisting — read paths
+    can then trust ``segment.conditions`` without re-validating.
+    """
+    if not allowed_fields:
+        raise HTTPException(403, 'Filtering not allowed')
+
+    allowed = set(allowed_fields)
+
+    def check(node):
+        if isinstance(node, dict):
+            if 'logical_operator' in node:
+                for rule in node.get('rules') or []:
+                    check(rule)
+                return
+            field = node.get('field')
+            if not field:
+                return
+            if field.startswith('custom_attributes__') or field.endswith('generated_creation_date'):
+                return
+            root = field.split('__')[0]
+            if field not in allowed and root not in allowed:
+                raise HTTPException(403, f'Filter on field "{field}" is not allowed')
+        elif isinstance(node, list):
+            for item in node:
+                check(item)
+
+    check(conditions)
+
+
 CHAR = [
     'CharField', 'BinaryField', 'FileField', 'FilePathField', 'IPAddressField',
     'GenericIPAddressField', 'SlugField', 'TextField', 'UUIDField'

{easyapi_django-0.36 → easyapi_django-0.37/easyapi_django.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: easyapi_django
-Version: 0.36
+Version: 0.37
 Summary: A simple rest api generator for django based on models
 Author-email: Stamatios Stamou Jr <bushier.outsets.0c@icloud.com>
 License-Expression: MIT
@@ -157,48 +157,118 @@ class YourResource(BaseResource):
 | `?field=value` / `?field__gte=...` | Filter on whitelisted fields                    |
 | `?fields=a,b`                      | Restrict returned fields (filtered by `list_fields`) |
 | `?filter=<json>`                   | Advanced filter expression on whitelisted fields |
-| `?segment_id=N`                    | Apply a saved segment (see below)               |
+| `?<stored_filter_param>=N`         | Apply a server-side stored filter expression (see below) |
 | `?page=N&limit=M&order_by=field`   | Pagination + order                              |
 | `?normalize=true`                  | Return list as `{id: {...}}` instead of array   |
 
-## Saved segments
+## Saved filter expressions
 
-A segment is a saved JSON filter expression — the same boolean tree
-`?filter=<json>` accepts, stored under a stable id. Useful for CRM-style
-"saved views", marketing audiences, dashboard filters.
+Layer-2 expressions can be persisted server-side and reapplied by id —
+saved views, marketing audiences, dashboard presets. The framework owns
+the URL plumbing; the project owns the storage, lookup and policy.
 
-Wire it up by pointing `EASYAPI.SEGMENT_MODEL` at a model that exposes a
-`.conditions` attribute returning the Layer-2 dict:
+Two pieces on the resource:
 
 ```python
-# settings.py
-EASYAPI = {
-    'SEGMENT_MODEL': 'modules.segment.models.Segment',
-}
+class ClientResource(BaseResource):
+    model = Client
+    filter_fields = ['active', 'name']
+
+    stored_filter_param = 'segment_id'   # any name — view_id, audience_id, …
+
+    async def resolve_stored_filter(self, value):
+        seg = await Segment.objects.filter(
+            id=value, account=self.account_id   # tenant scoping etc.
+        ).afirst()
+        return seg.conditions if seg else None
+```
+
+When a request carries `?segment_id=42`, easyapi calls the hook, trusts
+its return value, and applies it through the same Layer-2 pipeline.
+Returning `None` raises `404`. The hook can raise `HTTPException(403,
+...)` itself for "exists but you can't access it."
+
+`?segment_id=` and `?filter=` compose with AND — saved view *plus*
+ad-hoc narrowing. The URL JSON still validates against `filter_fields`;
+the stored conditions skip that check because the hook owns them.
+
+For projects that let end users author stored expressions, validate at
+write time with the public helper:
+
+```python
+from easyapi import validate_conditions
+
+class SegmentResource(BaseResource):
+    model = Segment
+    create_fields = ['name', 'conditions', 'context_id']
+
+    async def hydrate(self, body):
+        conditions = body.get('conditions')
+        if conditions:
+            allowed = ALLOWED_FIELDS_BY_CONTEXT[body['context_id']]
+            validate_conditions(conditions, allowed)
+        return body
+```
+
+Server-side admin-only expressions can skip the write-time check; only
+user-authored ones need it.
+
+For projects with one `Segment` row type targeting many list resources,
+factor out a mixin so each resource opts in with two lines and the
+`filter_fields` whitelist auto-extends from a project registry:
+
+```python
+# modules/segment/mixin.py
+from django.db.models import Q
+from .constants import INCLUDE_FIELDS
+from .models import Segment, CONTEXT
+
+class SegmentMixin:
+    stored_filter_param = 'segment_id'
+    segment_context_id = None
+
+    def __init__(self):
+        super().__init__()
+        if self.segment_context_id is None:
+            return
+        label = CONTEXT.LABEL[self.segment_context_id]
+        bag = INCLUDE_FIELDS.get(label, {})
+        extra  = list(bag.get('segment_fields') or [])
+        extra += [m.split('__')[0] for m in bag.get('related_models') or []]
+        self.filter_fields = list(
+            dict.fromkeys((self.filter_fields or []) + extra)
+        )
+
+    async def resolve_stored_filter(self, value, **kwargs):
+        is_master = bool(self.user and (
+            self.user.get('is_admin') or self.user.get('is_owner')
+        ))
+        qs = Segment.objects.filter(
+            id=value, context_id=self.segment_context_id,
+        )
+        if not is_master:
+            qs = qs.filter(
+                Q(public=True) | Q(created_by_id=self.user['id'])
+            )
+        seg = await qs.afirst()
+        return seg.conditions if seg else None
+
+class AgentResource(SegmentMixin, BaseResource):
+    segment_context_id = CONTEXT.AGENT
+    model = Agent
+    filter_fields = ['agency_id']    # explicit URL shorthands
+    # The mixin unions in the segment_fields whitelist + related prefixes,
+    # so ?filter=<json> and segment authoring share one source of truth.
+```
+
+The minimum storage model is a JSON column:
 
-# modules/segment/models.py
+```python
 class Segment(models.Model):
     name = models.CharField(max_length=120)
-    conditions = models.JSONField()      # the Layer-2 boolean tree
-
-Segment.objects.create(
-    name='Active demo accounts',
-    conditions={
-        'logical_operator': 'AND',
-        'rules': [
-            {'field': 'active', 'operator': 'exact',     'value': True},
-            {'field': 'name',   'operator': 'icontains', 'value': 'demo'},
-        ],
-    },
-)
+    conditions = models.JSONField()
 ```
 
-Any resource then accepts `GET /clients?segment_id=42`. Conditions are
-validated against the resource's `filter_fields` whitelist; missing rows
-return 404. When `SEGMENT_MODEL` is unset, `?segment_id=` is a no-op. A
-bad path raises `ImportError` at first use — typos fail loudly instead of
-silently disabling segments.
-
 ## Pydantic schemas (optional)
 
 Set any of `create_schema`, `update_schema`, `list_schema` and easyapi
@@ -398,7 +468,7 @@ middleware in effect.
 
 - Session cookie validated against `^[a-zA-Z0-9_\-:]{5,100}$`.
 - `?fields=` is filtered against `list_fields` to prevent attribute leakage.
-- `?filter=` and `segment_id` are validated against `filter_fields`.
+- `?filter=` is validated against `filter_fields`. Stored filter expressions are validated by the project (typically at write time via `validate_conditions`).
 - `owner_field` scopes PATCH/DELETE to rows owned by the authenticated user.
 - Request rate limiting runs inside `BaseResource.dispatch`; edge scanner
   blocking runs in `SecurityMiddleware` before the view.

{easyapi_django-0.36 → easyapi_django-0.37}/pyproject.toml

@@ -11,7 +11,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "easyapi_django"
-version = "0.36"
+version = "0.37"
 authors = [
   { name="Stamatios Stamou Jr", email="bushier.outsets.0c@icloud.com" },
 ]