goodmap 1.1.14__py3-none-any.whl → 1.2.0__py3-none-any.whl

goodmap/data_models/location.py

@@ -1,29 +1,36 @@
-from typing import Any, Type, cast
+"""Pydantic models for location data validation and schema generation."""
 
+import warnings
+from typing import Annotated, Any, Type, cast
+
+from annotated_types import Ge, Le
 from pydantic import (
+    AfterValidator,
     BaseModel,
     Field,
     ValidationError,
     create_model,
-    field_validator,
     model_validator,
 )
 
 from goodmap.exceptions import LocationValidationError
 
+Latitude = Annotated[float, Ge(-90), Le(90)]
+Longitude = Annotated[float, Ge(-180), Le(180)]
+
 
 class LocationBase(BaseModel, extra="allow"):
-    position: tuple[float, float]
-    uuid: str
+    """Base model for location data with position validation and error enrichment.
 
-    @field_validator("position")
-    @classmethod
-    def position_must_be_valid(cls, v):
-        if v[0] < -90 or v[0] > 90:
-            raise ValueError("latitude must be in range -90 to 90")
-        if v[1] < -180 or v[1] > 180:
-            raise ValueError("longitude must be in range -180 to 180")
-        return v
+    Attributes:
+        position: Tuple of (latitude, longitude) coordinates
+        uuid: Unique identifier for the location
+        remark: Optional remark text for the location
+    """
+
+    position: tuple[Latitude, Longitude]
+    uuid: str = Field(..., max_length=100)  # TODO make this UUID and deprecate string
+    remark: str | None = None
 
     @model_validator(mode="before")
     @classmethod
@@ -43,22 +50,146 @@ class LocationBase(BaseModel, extra="allow"):
             uuid = data.get("uuid") if isinstance(data, dict) else None
             raise LocationValidationError(e, uuid=uuid) from e
 
-    def basic_info(self):
-        return {
-            "uuid": self.uuid,
-            "position": self.position,
-            "remark": bool(getattr(self, "remark", False)),
-        }
+    def model_dump(self, **kwargs) -> dict[str, Any]:
+        """Serialize model, excluding None values by default for backward compatibility."""
+        kwargs.setdefault("exclude_none", True)
+        return super().model_dump(**kwargs)
+
+    def basic_info(self) -> dict[str, Any]:
+        """Get basic location information summary."""
+        data = self.model_dump(include={"uuid", "position"})
+        data["remark"] = bool(self.remark)
+        return data
+
+
+_TYPE_MAPPING: dict[str, type] = {
+    "str": str,
+    "list": list,
+    "int": int,
+    "float": float,
+    "bool": bool,
+    "dict": dict,
+}
+
+_MAX_LIST_ITEM_LENGTH = 100
+
+
+def _make_list_validator(allowed: list[str] | None):
+    """Create a validator for list items with optional enum constraint."""
+
+    def validate(v: list[Any]) -> list[Any]:
+        for item in v:
+            if allowed is not None and item not in allowed:
+                raise ValueError(f"must be one of {allowed}, got '{item}'")
+            if isinstance(item, str) and len(item) > _MAX_LIST_ITEM_LENGTH:
+                raise ValueError(
+                    f"list item too long (max {_MAX_LIST_ITEM_LENGTH} chars), got {len(item)}"
+                )
+        return v
+
+    return validate
+
+
+def _make_str_validator(allowed: list[str]):
+    """Create a validator that checks string value is in allowed list."""
+
+    def validate(v: str) -> str:
+        if v not in allowed:
+            raise ValueError(f"must be one of {allowed}, got '{v}'")
+        return v
+
+    return validate
+
+
+def _normalize_field_type(field_type_input: str | Type[Any]) -> str:
+    """Convert field type input to string, emitting deprecation warning for type objects."""
+    if isinstance(field_type_input, type):
+        warnings.warn(
+            f"Passing Python type objects to create_location_model is deprecated. "
+            f"Use string type names instead: '{field_type_input.__name__}' "
+            f"instead of {field_type_input}. "
+            f"Support for type objects will be removed in version 2.0.0.",
+            DeprecationWarning,
+            stacklevel=3,
+        )
+        return field_type_input.__name__
+    return field_type_input
+
+
+def _build_field_definition(
+    field_type_str: str, allowed_values: list[str] | None
+) -> tuple[Any, Any]:
+    """Build a complete field definition based on type and constraints."""
+    is_list = field_type_str.startswith("list")
+
+    if is_list:
+        field_type = Annotated[list[Any], AfterValidator(_make_list_validator(allowed_values))]
+        if allowed_values:
+            return (
+                field_type,
+                Field(
+                    ...,
+                    description=f"Allowed values: {', '.join(allowed_values)}",
+                    max_length=20,
+                    json_schema_extra=cast(Any, {"enum_items": allowed_values}),
+                ),
+            )
+        return (field_type, Field(..., max_length=20))
+
+    if allowed_values:
+        field_type = Annotated[str, AfterValidator(_make_str_validator(allowed_values))]
+        return (
+            field_type,
+            Field(
+                ...,
+                description=f"Allowed values: {', '.join(allowed_values)}",
+                max_length=200,
+                json_schema_extra=cast(Any, {"enum": allowed_values}),
+            ),
+        )
+
+    base_type = _TYPE_MAPPING.get(field_type_str, str)
+    if base_type is str:
+        return (base_type, Field(..., max_length=200))
+    return (base_type, Field(...))
+
+
+def create_location_model(
+    obligatory_fields: list[tuple[str, str]] | list[tuple[str, Type[Any]]],
+    categories: dict[str, list[str]] | None = None,
+) -> Type[BaseModel]:
+    """Dynamically create a Location model with additional required fields.
+
+    Supports both string type names (recommended) and Python type objects (deprecated).
+
+    Args:
+        obligatory_fields: List of (field_name, field_type) tuples for required fields.
+                          field_type can be either:
+                          - String type name: "str", "list", "int", "float", "bool", "dict"
+                          - Python type object: str, list, int, etc. (deprecated)
+        categories: Optional dict mapping field names to allowed values (enums)
+
+    Returns:
+        A Location model class extending LocationBase with additional fields
+
+    Examples:
+        >>> # Recommended: String type names
+        >>> model = create_location_model([("name", "str"), ("tags", "list")])
 
+        >>> # Deprecated: Python type objects (supported for backward compatibility)
+        >>> model = create_location_model([("name", str), ("tags", list)])
+    """
+    categories = categories or {}
+    fields: dict[str, Any] = {}
 
-def create_location_model(obligatory_fields: list[tuple[str, Type[Any]]]) -> Type[BaseModel]:
-    fields = {
-        field_name: (field_type, Field(...)) for (field_name, field_type) in obligatory_fields
-    }
+    for field_name, field_type_input in obligatory_fields:
+        field_type_str = _normalize_field_type(field_type_input)
+        allowed_values = categories.get(field_name)
+        fields[field_name] = _build_field_definition(field_type_str, allowed_values)
 
     return create_model(
         "Location",
         __base__=LocationBase,
         __module__="goodmap.data_models.location",
-        **cast(dict[str, Any], fields),
+        **fields,
     )

goodmap/formatter.py

@@ -1,7 +1,17 @@
+"""Formatters for translating and preparing location data for display."""
+
 from flask_babel import gettext, lazy_gettext
 
 
 def safe_gettext(text):
+    """Safely apply gettext translation to various data types.
+
+    Args:
+        text: Text to translate (str, list, or dict)
+
+    Returns:
+        Translated text in same format as input
+    """
     if isinstance(text, list):
         return list(map(gettext, text))
     elif isinstance(text, dict):
@@ -11,6 +21,16 @@ def safe_gettext(text):
 
 
 def prepare_pin(place, visible_fields, meta_data):
+    """Prepare location data for map pin display with translations.
+
+    Args:
+        place: Location data dictionary
+        visible_fields: List of field names to display in pin
+        meta_data: List of metadata field names
+
+    Returns:
+        dict: Formatted pin data with title, subtitle, position, metadata, and translated fields
+    """
     pin_data = {
         "title": place["name"],
         "subtitle": lazy_gettext(place["type_of_place"]),  # TODO this should not be obligatory

goodmap/goodmap.py

@@ -1,3 +1,5 @@
+"""Goodmap engine with location management and admin interface."""
+
 import os
 
 from flask import Blueprint, redirect, render_template, session
@@ -9,34 +11,88 @@ from platzky.models import CmsModule
 from goodmap.config import GoodmapConfig
 from goodmap.core_api import core_pages
 from goodmap.data_models.location import create_location_model
-from goodmap.db import extend_db_with_goodmap_queries, get_location_obligatory_fields
+from goodmap.db import (
+    extend_db_with_goodmap_queries,
+    get_location_obligatory_fields,
+)
 
 
 def create_app(config_path: str) -> platzky.Engine:
+    """Create Goodmap application from YAML configuration file.
+
+    Args:
+        config_path: Path to YAML configuration file
+
+    Returns:
+        platzky.Engine: Configured Flask application
+    """
     config = GoodmapConfig.parse_yaml(config_path)
     return create_app_from_config(config)
 
 
 # TODO Checking if there is a feature flag secition should be part of configs logic not client app
 def is_feature_enabled(config: GoodmapConfig, feature: str) -> bool:
+    """Check if a feature flag is enabled in the configuration.
+
+    Args:
+        config: Goodmap configuration object
+        feature: Name of the feature flag to check
+
+    Returns:
+        bool: True if feature is enabled, False otherwise
+    """
     return config.feature_flags.get(feature, False) if config.feature_flags else False
 
 
 def create_app_from_config(config: GoodmapConfig) -> platzky.Engine:
+    """Create and configure Goodmap application from config object.
+
+    Sets up location models, database queries, CSRF protection, API blueprints,
+    and admin interface based on the provided configuration.
+
+    Args:
+        config: Goodmap configuration object
+
+    Returns:
+        platzky.Engine: Fully configured Flask application with Goodmap features
+    """
     directory = os.path.dirname(os.path.realpath(__file__))
 
     locale_dir = os.path.join(directory, "locale")
     config.translation_directories.append(locale_dir)
     app = platzky.create_app_from_config(config)
 
+    # SECURITY: Set maximum request body size to 100KB (prevents memory exhaustion)
+    # This protects against large file uploads and JSON payloads
+    # Based on calculation: ~6.5KB max legitimate payload + multipart overhead
+    if "MAX_CONTENT_LENGTH" not in app.config:
+        app.config["MAX_CONTENT_LENGTH"] = 100 * 1024  # 100KB
+
     if is_feature_enabled(config, "USE_LAZY_LOADING"):
         location_obligatory_fields = get_location_obligatory_fields(app.db)
+        # Extend db with goodmap queries first so we can use the bound method
+        location_model = create_location_model(location_obligatory_fields, {})
+        app.db = extend_db_with_goodmap_queries(app.db, location_model)
+
+        # Use the extended db method directly (already bound by extend_db_with_goodmap_queries)
+        try:
+            category_data = app.db.get_category_data()
+            categories = category_data.get("categories", {})
+        except (KeyError, AttributeError):
+            # Handle case where categories don't exist in the data
+            categories = {}
+
+        # Recreate location model with categories if we got them
+        if categories:
+            location_model = create_location_model(location_obligatory_fields, categories)
+            app.db = extend_db_with_goodmap_queries(app.db, location_model)
     else:
         location_obligatory_fields = []
+        categories = {}
+        location_model = create_location_model(location_obligatory_fields, categories)
+        app.db = extend_db_with_goodmap_queries(app.db, location_model)
 
-    location_model = create_location_model(location_obligatory_fields)
-
-    app.db = extend_db_with_goodmap_queries(app.db, location_model)
+    app.extensions["goodmap"] = {"location_obligatory_fields": location_obligatory_fields}
 
     CSRFProtect(app)
 
@@ -53,14 +109,34 @@ def create_app_from_config(config: GoodmapConfig) -> platzky.Engine:
 
     @goodmap.route("/")
     def index():
+        """Render main map interface with location schema.
+
+        Prepares and passes location schema including obligatory fields and
+        categories to the frontend for dynamic form generation.
+
+        Returns:
+            Rendered map.html template with feature flags and location schema
+        """
         # Prepare location schema for frontend dynamic forms
-        # Convert categories dict_keys to a proper dict for JSON serialization
+        # Include full schema from Pydantic model for better type information
         category_data = app.db.get_category_data()
         categories = category_data.get("categories", {})
 
-        location_schema = {
-            "obligatory_fields": location_obligatory_fields,
-            "categories": categories,
+        # Get full JSON schema from Pydantic model
+        model_json_schema = location_model.model_json_schema()
+        properties = model_json_schema.get("properties", {})
+
+        # Filter out uuid and position from properties for frontend form
+        form_fields = {
+            name: spec for name, spec in properties.items() if name not in ("uuid", "position")
+        }
+
+        location_schema = {  # TODO remove backward compatibility - deprecation
+            "obligatory_fields": app.extensions["goodmap"][
+                "location_obligatory_fields"
+            ],  # Backward compatibility
+            "categories": categories,  # Backward compatibility
+            "fields": form_fields,
         }
 
         return render_template(
@@ -72,6 +148,14 @@ def create_app_from_config(config: GoodmapConfig) -> platzky.Engine:
 
     @goodmap.route("/goodmap-admin")
     def admin():
+        """Render admin interface for managing map data.
+
+        Requires user to be logged in (redirects to /admin if not).
+        Provides admin panel for managing locations, suggestions, and reports.
+
+        Returns:
+            Rendered goodmap-admin.html template or redirect to login
+        """
         user = session.get("user", None)
         if not user:
             return redirect("/admin")

goodmap/json_security.py

@@ -0,0 +1,102 @@
+"""Secure JSON parsing utilities to prevent DoS attacks."""
+
+import json
+from typing import Any
+
+# Security constants
+MAX_JSON_DEPTH = 10  # Default max depth for general JSON parsing
+# Strict limit for location data: primitives and arrays/objects of primitives (depth 0-2)
+MAX_JSON_DEPTH_LOCATION = 2
+MAX_JSON_SIZE = 50 * 1024  # 50KB in bytes (reasonable for individual form fields)
+MAX_STRING_LENGTH = 1_000  # 1000 chars per string
+MAX_ARRAY_ITEMS = 100  # 100 items per array
+MAX_OBJECT_KEYS = 50  # 50 keys per object
+
+
+class JSONDepthError(ValueError):
+    """Raised when JSON nesting exceeds maximum depth."""
+
+    pass
+
+
+class JSONSizeError(ValueError):
+    """Raised when JSON size exceeds maximum allowed size."""
+
+    pass
+
+
+def safe_json_loads(
+    json_string: str,
+    max_depth: int = MAX_JSON_DEPTH,
+    max_size: int = MAX_JSON_SIZE,
+) -> Any:
+    """Parse JSON with depth and size limits to prevent DoS attacks.
+
+    Args:
+        json_string: JSON string to parse
+        max_depth: Maximum nesting depth allowed (default: 10)
+        max_size: Maximum string size in bytes (default: 50KB)
+
+    Returns:
+        Parsed JSON object
+
+    Raises:
+        JSONSizeError: If input exceeds max_size
+        JSONDepthError: If nesting exceeds max_depth
+        ValueError: If JSON is invalid
+
+    Example:
+        >>> safe_json_loads('{"key": "value"}')
+        {'key': 'value'}
+        >>> safe_json_loads('{"a":' * 20 + '1' + '}' * 20)  # Too deep
+        Traceback: JSONDepthError
+    """
+    # Size check before parsing
+    byte_size = len(json_string.encode("utf-8"))
+    if byte_size > max_size:
+        raise JSONSizeError(
+            f"JSON payload size ({byte_size} bytes) exceeds maximum "
+            f"allowed size ({max_size} bytes)"
+        )
+
+    # Parse JSON
+    try:
+        parsed = json.loads(json_string)
+    except json.JSONDecodeError as e:
+        # Re-raise with original error message
+        raise ValueError(f"Invalid JSON: {e}") from e
+
+    # Depth check after parsing
+    _check_depth(parsed, max_depth, current_depth=0)
+
+    return parsed
+
+
+def _check_depth(obj: Any, max_depth: int, current_depth: int) -> None:
+    """Recursively check JSON depth.
+
+    Args:
+        obj: Object to check (dict, list, or primitive)
+        max_depth: Maximum allowed depth
+        current_depth: Current recursion depth
+
+    Raises:
+        JSONDepthError: If depth exceeds max_depth
+    """
+    if current_depth > max_depth:
+        raise JSONDepthError(
+            f"JSON nesting depth ({current_depth}) exceeds maximum allowed depth ({max_depth})"
+        )
+
+    if isinstance(obj, dict):
+        if len(obj) > MAX_OBJECT_KEYS:
+            raise JSONDepthError(f"Object has {len(obj)} keys, exceeding maximum {MAX_OBJECT_KEYS}")
+        for value in obj.values():
+            _check_depth(value, max_depth, current_depth + 1)
+    elif isinstance(obj, list):
+        if len(obj) > MAX_ARRAY_ITEMS:
+            raise JSONDepthError(f"Array has {len(obj)} items, exceeding maximum {MAX_ARRAY_ITEMS}")
+        for item in obj:
+            _check_depth(item, max_depth, current_depth + 1)
+    elif isinstance(obj, str) and len(obj) > MAX_STRING_LENGTH:
+        raise JSONDepthError(f"String length {len(obj)} exceeds maximum {MAX_STRING_LENGTH}")

{goodmap-1.1.14.dist-info → goodmap-1.2.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: goodmap
-Version: 1.1.14
+Version: 1.2.0
 Summary: Map engine to serve all the people :)
 Author: Krzysztof Kolodzinski
 Author-email: krzysztof.kolodzinski@problematy.pl
@@ -18,7 +18,6 @@ Requires-Dist: Flask-WTF (>=1.2.1,<2.0.0)
 Requires-Dist: PyYAML (>=6.0,<7.0)
 Requires-Dist: aiohttp (>=3.8.4,<4.0.0)
 Requires-Dist: deprecation (>=2.1.0,<3.0.0)
-Requires-Dist: flask-restx (>=1.3.0,<2.0.0)
 Requires-Dist: google-cloud-storage (>=2.7.0,<3.0.0)
 Requires-Dist: gql (>=3.4.0,<4.0.0)
 Requires-Dist: gunicorn (>=20.1,<24.0)
@@ -29,6 +28,7 @@ Requires-Dist: platzky (>=1.0.0,<2.0.0)
 Requires-Dist: pydantic (>=2.7.1,<3.0.0)
 Requires-Dist: pysupercluster-problematy (>=0.7.8,<0.8.0)
 Requires-Dist: scipy (>=1.15.1,<2.0.0)
+Requires-Dist: spectree (>=2.0.1,<3.0.0)
 Requires-Dist: sphinx (>=8.0.0,<9.0.0) ; extra == "docs"
 Requires-Dist: sphinx-rtd-theme (>=3.0.0,<4.0.0) ; extra == "docs"
 Requires-Dist: tomli (>=2.0.0,<3.0.0) ; extra == "docs"

goodmap-1.2.0.dist-info/RECORD

@@ -0,0 +1,19 @@
+goodmap/__init__.py,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
+goodmap/api_models.py,sha256=Bv4OTGuckNneCrxaQ1Y_PMeu7YFLvGUqU2EorvDlUjY,3438
+goodmap/clustering.py,sha256=ULB-fPNOUDblgpBK4vzuo0o2yqIcvG84F3R6Za2X_l4,2905
+goodmap/config.py,sha256=CsmC1zuvVab90VW50dtARHbFJpy2vfsIfbque8Zgc-U,1313
+goodmap/core.py,sha256=AgdGLfeJvL7TlTX893NR2YdCS8EuXx93Gx6ndvWws7s,2673
+goodmap/core_api.py,sha256=KuCj--d058t46uGrpapyuIQfVrzHp9TR2qLFzSR78SU,25097
+goodmap/data_models/location.py,sha256=_I27R06ovEL9ctv_SZ3yoLL-RwmyE3VDsVOG4a89q50,6798
+goodmap/data_validator.py,sha256=lBmVAPxvSmEOdUGeVYSjUvVVmKfPyq4CWoHfczTtEMM,4090
+goodmap/db.py,sha256=TcqYGbK5yk6S735Si1AzjNqcbB1nsd9pFGOy5qN9Vec,46589
+goodmap/exceptions.py,sha256=jkFAUoc5LHk8iPjxHxbcRp8W6qFCSEA25A8XaSwxwyo,2906
+goodmap/formatter.py,sha256=4rqcg9A9Y9opAi7eb8kMDdUC03M3uzZgCxx29cvvIag,1403
+goodmap/goodmap.py,sha256=0DrebQhbdYSxf7Aac4tZ-z0pkZs-FClTT89NNHc0W0Y,6808
+goodmap/json_security.py,sha256=EHAxNlb16AVwphgf4F7yObtMZpbR9M538dwn_STRcMo,3275
+goodmap/templates/goodmap-admin.html,sha256=LSiOZ9-n29CnlfVNwdgmXwT7Xe7t5gvGh1xSrFGqOIY,35669
+goodmap/templates/map.html,sha256=Uk7FFrZwvHZvG0DDaQrGW5ZrIMD21XrJzMub76uIlAg,4348
+goodmap-1.2.0.dist-info/LICENSE.md,sha256=nkCQOR7uheLRvHRfXmwx9LhBnMcPeBU9d4ebLojDiQU,1067
+goodmap-1.2.0.dist-info/METADATA,sha256=qpiCIiQvKk6OxOQ8zbNwKjvBBiQtti85ALIn5pdP7hI,5798
+goodmap-1.2.0.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
+goodmap-1.2.0.dist-info/RECORD,,

goodmap-1.1.14.dist-info/RECORD

@@ -1,17 +0,0 @@
-goodmap/__init__.py,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
-goodmap/clustering.py,sha256=ULB-fPNOUDblgpBK4vzuo0o2yqIcvG84F3R6Za2X_l4,2905
-goodmap/config.py,sha256=CsmC1zuvVab90VW50dtARHbFJpy2vfsIfbque8Zgc-U,1313
-goodmap/core.py,sha256=rzMhOIYnR1jxTX6uHQJKIPLYxdUm4_v2d6LrtHtJpHU,1465
-goodmap/core_api.py,sha256=Xzr9x89-K0gURcFvAypjKaboExdTKq1KfLfnGTvNG-Q,21144
-goodmap/data_models/location.py,sha256=E2vUD9Sfr02eLbe-W0mBNtvGnqs7WqBP3XVyB-IgKq4,1951
-goodmap/data_validator.py,sha256=lBmVAPxvSmEOdUGeVYSjUvVVmKfPyq4CWoHfczTtEMM,4090
-goodmap/db.py,sha256=TcqYGbK5yk6S735Si1AzjNqcbB1nsd9pFGOy5qN9Vec,46589
-goodmap/exceptions.py,sha256=jkFAUoc5LHk8iPjxHxbcRp8W6qFCSEA25A8XaSwxwyo,2906
-goodmap/formatter.py,sha256=VlUHcK1HtM_IEU0VE3S5TOkZLVheMdakvUeW2tCKdq0,783
-goodmap/goodmap.py,sha256=LbmzYn4FHaP-Y5ZtQhMncGO2h18k2WYAsP5Hzw4oGUw,3392
-goodmap/templates/goodmap-admin.html,sha256=LSiOZ9-n29CnlfVNwdgmXwT7Xe7t5gvGh1xSrFGqOIY,35669
-goodmap/templates/map.html,sha256=Uk7FFrZwvHZvG0DDaQrGW5ZrIMD21XrJzMub76uIlAg,4348
-goodmap-1.1.14.dist-info/LICENSE.md,sha256=nkCQOR7uheLRvHRfXmwx9LhBnMcPeBU9d4ebLojDiQU,1067
-goodmap-1.1.14.dist-info/METADATA,sha256=00trO1OenoKs-zPIHz4aH4aciBZVqGy35XgP2DNF6Og,5802
-goodmap-1.1.14.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
-goodmap-1.1.14.dist-info/RECORD,,