plain 0.4.1__py3-none-any.whl → 0.6.0__py3-none-any.whl

plain/cli/cli.py

@@ -14,7 +14,9 @@ from click.core import Command, Context
 import plain.runtime
 from plain import preflight
 from plain.assets.compile import compile_assets, get_compiled_path
+from plain.exceptions import ImproperlyConfigured
 from plain.packages import packages
+from plain.utils.crypto import get_random_string
 
 from .formatting import PlainContext
 from .packages import EntryPointGroup, InstalledPackagesGroup
@@ -406,6 +408,18 @@ def setting(setting_name):
         click.secho(f'Setting "{setting_name}" not found', fg="red")
 
 
+@plain_cli.group()
+def utils():
+    pass
+
+
+@utils.command()
+def generate_secret_key():
+    """Generate a new secret key"""
+    new_secret_key = get_random_string(50)
+    click.echo(new_secret_key)
+
+
 class AppCLIGroup(click.Group):
     """
     Loads app.cli if it exists as `plain app`
@@ -459,16 +473,31 @@ class PlainCommandCollection(click.CommandCollection):
                 EntryPointGroup(),
                 plain_cli,
             ]
-        except Exception as e:
+        except ImproperlyConfigured as e:
             click.secho(
-                f"Error setting up Plain CLI\n{e}",
+                str(e),
                 fg="red",
                 err=True,
             )
+
+            # None of these require the app to be setup
+            sources = [
+                EntryPointGroup(),
+                AppCLIGroup(),
+                plain_cli,
+            ]
+        except Exception as e:
             print("---")
             print(traceback.format_exc())
             print("---")
 
+            click.secho(
+                f"Error: {e}",
+                fg="red",
+                err=True,
+            )
+
+            # None of these require the app to be setup
             sources = [
                 EntryPointGroup(),
                 AppCLIGroup(),

plain/forms/fields.py

@@ -14,7 +14,6 @@ from urllib.parse import urlsplit, urlunsplit
 
 from plain import validators
 from plain.exceptions import ValidationError
-from plain.runtime import settings
 from plain.utils import timezone
 from plain.utils.dateparse import parse_datetime, parse_duration
 from plain.utils.duration import duration_string
@@ -1001,7 +1000,7 @@ def from_current_timezone(value):
     When time zone support is enabled, convert naive datetimes
     entered in the current time zone to aware datetimes.
     """
-    if settings.USE_TZ and value is not None and timezone.is_naive(value):
+    if value is not None and timezone.is_naive(value):
         current_timezone = timezone.get_current_timezone()
         try:
             if timezone._datetime_ambiguous_or_imaginary(value, current_timezone):
@@ -1025,6 +1024,6 @@ def to_current_timezone(value):
     When time zone support is enabled, convert aware datetimes
     to naive datetimes in the current time zone for display.
     """
-    if settings.USE_TZ and value is not None and timezone.is_aware(value):
+    if value is not None and timezone.is_aware(value):
         return timezone.make_naive(value)
     return value

plain/forms/forms.py

@@ -203,7 +203,8 @@ class BaseForm:
             self._errors[field].extend(error_list)
 
             # The field had an error, so removed it from the final data
-            if field in self.cleaned_data:
+            # (we use getattr here so errors can be added to uncleaned forms)
+            if field in getattr(self, "cleaned_data", {}):
                 del self.cleaned_data[field]
 
     def full_clean(self):

plain/middleware/security.py

@@ -7,15 +7,11 @@ from plain.runtime import settings
 class SecurityMiddleware:
     def __init__(self, get_response):
         self.get_response = get_response
-        self.sts_seconds = settings.SECURE_HSTS_SECONDS
-        self.sts_include_subdomains = settings.SECURE_HSTS_INCLUDE_SUBDOMAINS
-        self.sts_preload = settings.SECURE_HSTS_PRELOAD
-        self.content_type_nosniff = settings.SECURE_CONTENT_TYPE_NOSNIFF
         self.redirect = settings.SECURE_SSL_REDIRECT
         self.redirect_host = settings.SECURE_SSL_HOST
         self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]
-        self.referrer_policy = settings.SECURE_REFERRER_POLICY
-        self.cross_origin_opener_policy = settings.SECURE_CROSS_ORIGIN_OPENER_POLICY
+
+        self.default_headers = settings.SECURE_DEFAULT_HEADERS
 
     def __call__(self, request):
         path = request.path.lstrip("/")
@@ -29,36 +25,7 @@ class SecurityMiddleware:
 
         response = self.get_response(request)
 
-        if (
-            self.sts_seconds
-            and request.is_secure()
-            and "Strict-Transport-Security" not in response
-        ):
-            sts_header = "max-age=%s" % self.sts_seconds
-            if self.sts_include_subdomains:
-                sts_header += "; includeSubDomains"
-            if self.sts_preload:
-                sts_header += "; preload"
-            response.headers["Strict-Transport-Security"] = sts_header
-
-        if self.content_type_nosniff:
-            response.headers.setdefault("X-Content-Type-Options", "nosniff")
-
-        if self.referrer_policy:
-            # Support a comma-separated string or iterable of values to allow
-            # fallback.
-            response.headers.setdefault(
-                "Referrer-Policy",
-                ",".join(
-                    [v.strip() for v in self.referrer_policy.split(",")]
-                    if isinstance(self.referrer_policy, str)
-                    else self.referrer_policy
-                ),
-            )
+        for header, value in self.default_headers.items():
+            response.headers.setdefault(header, value)
 
-        if self.cross_origin_opener_policy:
-            response.setdefault(
-                "Cross-Origin-Opener-Policy",
-                self.cross_origin_opener_policy,
-            )
         return response

plain/preflight/security/base.py

@@ -1,23 +1,7 @@
 from plain.exceptions import ImproperlyConfigured
 from plain.runtime import settings
 
-from .. import Error, Warning, register
-
-CROSS_ORIGIN_OPENER_POLICY_VALUES = {
-    "same-origin",
-    "same-origin-allow-popups",
-    "unsafe-none",
-}
-REFERRER_POLICY_VALUES = {
-    "no-referrer",
-    "no-referrer-when-downgrade",
-    "origin",
-    "origin-when-cross-origin",
-    "same-origin",
-    "strict-origin",
-    "strict-origin-when-cross-origin",
-    "unsafe-url",
-}
+from .. import Warning, register
 
 SECRET_KEY_INSECURE_PREFIX = "plain-insecure-"
 SECRET_KEY_MIN_LENGTH = 50
@@ -41,43 +25,6 @@ W001 = Warning(
     id="security.W001",
 )
 
-W002 = Warning(
-    "You do not have "
-    "'plain.middleware.clickjacking.XFrameOptionsMiddleware' in your "
-    "MIDDLEWARE, so your pages will not be served with an "
-    "'x-frame-options' header. Unless there is a good reason for your "
-    "site to be served in a frame, you should consider enabling this "
-    "header to help prevent clickjacking attacks.",
-    id="security.W002",
-)
-
-W004 = Warning(
-    "You have not set a value for the SECURE_HSTS_SECONDS setting. "
-    "If your entire site is served only over SSL, you may want to consider "
-    "setting a value and enabling HTTP Strict Transport Security. "
-    "Be sure to read the documentation first; enabling HSTS carelessly "
-    "can cause serious, irreversible problems.",
-    id="security.W004",
-)
-
-W005 = Warning(
-    "You have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. "
-    "Without this, your site is potentially vulnerable to attack "
-    "via an insecure connection to a subdomain. Only set this to True if "
-    "you are certain that all subdomains of your domain should be served "
-    "exclusively via SSL.",
-    id="security.W005",
-)
-
-W006 = Warning(
-    "Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, "
-    "so your pages will not be served with an "
-    "'X-Content-Type-Options: nosniff' header. "
-    "You should consider enabling this header to prevent the "
-    "browser from identifying content types incorrectly.",
-    id="security.W006",
-)
-
 W008 = Warning(
     "Your SECURE_SSL_REDIRECT setting is not set to True. "
     "Unless your site should be available over both SSL and non-SSL "
@@ -102,34 +49,6 @@ W020 = Warning(
     id="security.W020",
 )
 
-W021 = Warning(
-    "You have not set the SECURE_HSTS_PRELOAD setting to True. Without this, "
-    "your site cannot be submitted to the browser preload list.",
-    id="security.W021",
-)
-
-W022 = Warning(
-    "You have not set the SECURE_REFERRER_POLICY setting. Without this, your "
-    "site will not send a Referrer-Policy header. You should consider "
-    "enabling this header to protect user privacy.",
-    id="security.W022",
-)
-
-E023 = Error(
-    "You have set the SECURE_REFERRER_POLICY setting to an invalid value.",
-    hint="Valid values are: {}.".format(", ".join(sorted(REFERRER_POLICY_VALUES))),
-    id="security.E023",
-)
-
-E024 = Error(
-    "You have set the SECURE_CROSS_ORIGIN_OPENER_POLICY setting to an invalid "
-    "value.",
-    hint="Valid values are: {}.".format(
-        ", ".join(sorted(CROSS_ORIGIN_OPENER_POLICY_VALUES)),
-    ),
-    id="security.E024",
-)
-
 W025 = Warning(SECRET_KEY_WARNING_MSG, id="security.W025")
 
 
@@ -137,58 +56,12 @@ def _security_middleware():
     return "plain.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE
 
 
-def _xframe_middleware():
-    return (
-        "plain.middleware.clickjacking.XFrameOptionsMiddleware" in settings.MIDDLEWARE
-    )
-
-
 @register(deploy=True)
 def check_security_middleware(package_configs, **kwargs):
     passed_check = _security_middleware()
     return [] if passed_check else [W001]
 
 
-@register(deploy=True)
-def check_xframe_options_middleware(package_configs, **kwargs):
-    passed_check = _xframe_middleware()
-    return [] if passed_check else [W002]
-
-
-@register(deploy=True)
-def check_sts(package_configs, **kwargs):
-    passed_check = not _security_middleware() or settings.SECURE_HSTS_SECONDS
-    return [] if passed_check else [W004]
-
-
-@register(deploy=True)
-def check_sts_include_subdomains(package_configs, **kwargs):
-    passed_check = (
-        not _security_middleware()
-        or not settings.SECURE_HSTS_SECONDS
-        or settings.SECURE_HSTS_INCLUDE_SUBDOMAINS is True
-    )
-    return [] if passed_check else [W005]
-
-
-@register(deploy=True)
-def check_sts_preload(package_configs, **kwargs):
-    passed_check = (
-        not _security_middleware()
-        or not settings.SECURE_HSTS_SECONDS
-        or settings.SECURE_HSTS_PRELOAD is True
-    )
-    return [] if passed_check else [W021]
-
-
-@register(deploy=True)
-def check_content_type_nosniff(package_configs, **kwargs):
-    passed_check = (
-        not _security_middleware() or settings.SECURE_CONTENT_TYPE_NOSNIFF is True
-    )
-    return [] if passed_check else [W006]
-
-
 @register(deploy=True)
 def check_ssl_redirect(package_configs, **kwargs):
     passed_check = not _security_middleware() or settings.SECURE_SSL_REDIRECT is True
@@ -239,30 +112,3 @@ def check_debug(package_configs, **kwargs):
 @register(deploy=True)
 def check_allowed_hosts(package_configs, **kwargs):
     return [] if settings.ALLOWED_HOSTS else [W020]
-
-
-@register(deploy=True)
-def check_referrer_policy(package_configs, **kwargs):
-    if _security_middleware():
-        if settings.SECURE_REFERRER_POLICY is None:
-            return [W022]
-        # Support a comma-separated string or iterable of values to allow fallback.
-        if isinstance(settings.SECURE_REFERRER_POLICY, str):
-            values = {v.strip() for v in settings.SECURE_REFERRER_POLICY.split(",")}
-        else:
-            values = set(settings.SECURE_REFERRER_POLICY)
-        if not values <= REFERRER_POLICY_VALUES:
-            return [E023]
-    return []
-
-
-@register(deploy=True)
-def check_cross_origin_opener_policy(package_configs, **kwargs):
-    if (
-        _security_middleware()
-        and settings.SECURE_CROSS_ORIGIN_OPENER_POLICY is not None
-        and settings.SECURE_CROSS_ORIGIN_OPENER_POLICY
-        not in CROSS_ORIGIN_OPENER_POLICY_VALUES
-    ):
-        return [E024]
-    return []

plain/runtime/README.md

@@ -59,7 +59,6 @@ MIDDLEWARE = [
     "plain.middleware.common.CommonMiddleware",
     "plain.csrf.middleware.CsrfViewMiddleware",
     "plain.auth.middleware.AuthenticationMiddleware",
-    "plain.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
 
 if DEBUG:

plain/runtime/__init__.py

@@ -5,7 +5,7 @@ from pathlib import Path
 
 from dotenv import load_dotenv
 
-from .user_settings import LazySettings
+from .user_settings import Settings
 
 try:
     __version__ = importlib.metadata.version("plain")
@@ -18,7 +18,7 @@ APP_PATH = Path.cwd() / "app"
 
 
 # from plain.runtime import settings
-settings = LazySettings()
+settings = Settings()
 
 
 class AppPathNotFound(RuntimeError):

plain/runtime/global_settings.py

@@ -20,12 +20,9 @@ ALLOWED_HOSTS: list[str] = []
 
 # Local time zone for this installation. All choices can be found here:
 # https://en.wikipedia.org/wiki/List_of_tz_zones_by_name (although not all
-# systems may support all possibilities). When USE_TZ is True, this is
-# interpreted as the default user time zone.
-TIME_ZONE = "America/Chicago"
-
-# If you set this to True, Plain will use timezone-aware datetimes.
-USE_TZ = True
+# systems may support all possibilities). This is interpreted as the default
+# user time zone.
+TIME_ZONE: str = "UTC"
 
 # Default charset to use for all Response objects, if a MIME type isn't
 # manually specified. It's used to construct the Content-Type header.
@@ -75,19 +72,6 @@ DATA_UPLOAD_MAX_NUMBER_FILES = 100
 # (i.e. "/tmp" on *nix systems).
 FILE_UPLOAD_TEMP_DIR = None
 
-# The numeric mode to set newly-uploaded files to. The value should be a mode
-# you'd pass directly to os.chmod; see
-# https://docs.python.org/library/os.html#files-and-directories.
-FILE_UPLOAD_PERMISSIONS = 0o644
-
-# The numeric mode to assign to newly-created directories, when uploading files.
-# The value should be a mode as you'd pass to os.chmod;
-# see https://docs.python.org/library/os.html#files-and-directories.
-FILE_UPLOAD_DIRECTORY_PERMISSIONS = None
-
-# Default X-Frame-Options header value
-X_FRAME_OPTIONS = "DENY"
-
 USE_X_FORWARDED_HOST = False
 USE_X_FORWARDED_PORT = False
 
@@ -114,14 +98,13 @@ MIDDLEWARE = [
     "plain.middleware.security.SecurityMiddleware",
     "plain.middleware.common.CommonMiddleware",
     "plain.csrf.middleware.CsrfViewMiddleware",
-    "plain.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
 
 ###########
 # SIGNING #
 ###########
 
-SIGNING_BACKEND = "plain.signing.TimestampSigner"
+COOKIE_SIGNING_BACKEND = "plain.signing.TimestampSigner"
 
 ########
 # CSRF #
@@ -132,7 +115,7 @@ CSRF_COOKIE_NAME = "csrftoken"
 CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52
 CSRF_COOKIE_DOMAIN = None
 CSRF_COOKIE_PATH = "/"
-CSRF_COOKIE_SECURE = False
+CSRF_COOKIE_SECURE = True
 CSRF_COOKIE_HTTPONLY = False
 CSRF_COOKIE_SAMESITE = "Lax"
 CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"
@@ -170,15 +153,19 @@ SILENCED_PREFLIGHT_CHECKS = []
 #######################
 # SECURITY MIDDLEWARE #
 #######################
-SECURE_CONTENT_TYPE_NOSNIFF = True
-SECURE_CROSS_ORIGIN_OPENER_POLICY = "same-origin"
-SECURE_HSTS_INCLUDE_SUBDOMAINS = False
-SECURE_HSTS_PRELOAD = False
-SECURE_HSTS_SECONDS = 0
 SECURE_REDIRECT_EXEMPT = []
-SECURE_REFERRER_POLICY = "same-origin"
 SECURE_SSL_HOST = None
-SECURE_SSL_REDIRECT = False
+SECURE_SSL_REDIRECT = True
+
+SECURE_DEFAULT_HEADERS = {
+    # "Content-Security-Policy": "default-src 'self'",
+    # https://hstspreload.org/
+    # "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
+    "Cross-Origin-Opener-Policy": "same-origin",
+    "Referrer-Policy": "same-origin",
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
+}
 
 #############
 # Templates #

plain/runtime/user_settings.py

@@ -1,13 +1,5 @@
-"""
-Settings and configuration for Plain.
-
-Read values from the module specified by the PLAIN_SETTINGS_MODULE environment
-variable, and then from plain.global_settings; see the global_settings.py
-for a list of all possible variables.
-"""
 import importlib
 import json
-import logging
 import os
 import time
 import types
@@ -16,106 +8,256 @@ from pathlib import Path
 
 from plain.exceptions import ImproperlyConfigured
 from plain.packages import PackageConfig
-from plain.utils.functional import LazyObject, empty
 
 ENVIRONMENT_VARIABLE = "PLAIN_SETTINGS_MODULE"
 ENV_SETTINGS_PREFIX = "PLAIN_"
-
-logger = logging.getLogger("plain.runtime")
+CUSTOM_SETTINGS_PREFIX = "APP_"
 
 
-class SettingsReference(str):
+class Settings:
     """
-    String subclass which references a current settings value. It's treated as
-    the value in memory but serializes to a settings.NAME attribute reference.
+    Settings and configuration for Plain.
+
+    This class handles loading settings from the module specified by the
+    PLAIN_SETTINGS_MODULE environment variable, as well as from default settings,
+    environment variables, and explicit settings in the settings module.
+
+    Lazy initialization is implemented to defer loading until settings are first accessed.
     """
 
-    def __new__(self, value, setting_name):
-        return str.__new__(self, value)
+    def __init__(self, settings_module=None):
+        self._settings_module = settings_module
+        self._settings = {}
+        self._errors = []  # Collect configuration errors
+        self.configured = False
 
-    def __init__(self, value, setting_name):
-        self.setting_name = setting_name
+    def _setup(self):
+        if self.configured:
+            return
+        else:
+            self.configured = True
 
+        self._settings = {}  # Maps setting names to SettingDefinition instances
 
-class LazySettings(LazyObject):
-    """
-    A lazy proxy for either global Plain settings or a custom settings object.
-    The user can manually configure settings prior to using them. Otherwise,
-    Plain uses the settings module pointed to by PLAIN_SETTINGS_MODULE.
-    """
+        # Determine the settings module
+        if self._settings_module is None:
+            self._settings_module = os.environ.get(ENVIRONMENT_VARIABLE, "settings")
+
+        # First load the global settings from plain
+        self._load_module_settings(
+            importlib.import_module("plain.runtime.global_settings")
+        )
 
-    def _setup(self, name=None):
-        """
-        Load the settings module pointed to by the environment variable. This
-        is used the first time settings are needed, if the user hasn't
-        configured settings manually.
-        """
-        settings_module = os.environ.get(ENVIRONMENT_VARIABLE, "settings")
-        self._wrapped = Settings(settings_module)
+        # Import the user's settings module
+        try:
+            mod = importlib.import_module(self._settings_module)
+        except ImportError as e:
+            raise ImproperlyConfigured(
+                f"Could not import settings '{self._settings_module}': {e}"
+            )
 
-    def __repr__(self):
-        # Hardcode the class name as otherwise it yields 'Settings'.
-        if self._wrapped is empty:
-            return "<LazySettings [Unevaluated]>"
-        return f'<LazySettings "{self._wrapped.SETTINGS_MODULE}">'
+        # Keep a reference to the settings.py module path
+        self.path = Path(mod.__file__).resolve()
+
+        # Load default settings from installed packages
+        self._load_default_settings(mod)
+        # Load environment settings
+        self._load_env_settings()
+        # Load explicit settings from the settings module
+        self._load_explicit_settings(mod)
+        # Check for any required settings that are missing
+        self._check_required_settings()
+        # Check for any collected errors
+        self._raise_errors_if_any()
+
+    def _load_module_settings(self, module):
+        annotations = getattr(module, "__annotations__", {})
+        settings = dir(module)
+
+        for setting in settings:
+            if setting.isupper():
+                if setting in self._settings:
+                    self._errors.append(f"Duplicate setting '{setting}'.")
+                    continue
+
+                setting_value = getattr(module, setting)
+                self._settings[setting] = SettingDefinition(
+                    name=setting,
+                    default_value=setting_value,
+                    annotation=annotations.get(setting, None),
+                    module=module,
+                )
+
+        # Store any annotations that didn't have a value (these are required settings)
+        for setting, annotation in annotations.items():
+            if setting not in self._settings:
+                self._settings[setting] = SettingDefinition(
+                    name=setting,
+                    default_value=None,
+                    annotation=annotation,
+                    module=module,
+                    required=True,
+                )
+
+    def _load_default_settings(self, settings_module):
+        for entry in getattr(settings_module, "INSTALLED_PACKAGES", []):
+            try:
+                if isinstance(entry, PackageConfig):
+                    app_settings = entry.module.default_settings
+                else:
+                    app_settings = importlib.import_module(f"{entry}.default_settings")
+            except ModuleNotFoundError:
+                continue
+
+            self._load_module_settings(app_settings)
+
+    def _load_env_settings(self):
+        env_settings = {
+            k[len(ENV_SETTINGS_PREFIX) :]: v
+            for k, v in os.environ.items()
+            if k.startswith(ENV_SETTINGS_PREFIX) and k.isupper()
+        }
+        for setting, value in env_settings.items():
+            if setting in self._settings:
+                setting_def = self._settings[setting]
+                try:
+                    parsed_value = _parse_env_value(value, setting_def.annotation)
+                    setting_def.set_value(parsed_value, "env")
+                except ImproperlyConfigured as e:
+                    self._errors.append(str(e))
+
+    def _load_explicit_settings(self, settings_module):
+        for setting in dir(settings_module):
+            if setting.isupper():
+                setting_value = getattr(settings_module, setting)
+
+                if setting in self._settings:
+                    setting_def = self._settings[setting]
+                    try:
+                        setting_def.set_value(setting_value, "explicit")
+                    except ImproperlyConfigured as e:
+                        self._errors.append(str(e))
+                        continue
+
+                elif setting.startswith(CUSTOM_SETTINGS_PREFIX):
+                    # Accept custom settings prefixed with '{CUSTOM_SETTINGS_PREFIX}'
+                    setting_def = SettingDefinition(
+                        name=setting,
+                        default_value=None,
+                        annotation=None,
+                        required=False,
+                    )
+                    try:
+                        setting_def.set_value(setting_value, "explicit")
+                    except ImproperlyConfigured as e:
+                        self._errors.append(str(e))
+                        continue
+                    self._settings[setting] = setting_def
+                else:
+                    # Collect unrecognized settings individually
+                    self._errors.append(
+                        f"Unknown setting '{setting}'. Custom settings must start with '{CUSTOM_SETTINGS_PREFIX}'."
+                    )
+
+        if hasattr(time, "tzset") and self.TIME_ZONE:
+            zoneinfo_root = Path("/usr/share/zoneinfo")
+            zone_info_file = zoneinfo_root.joinpath(*self.TIME_ZONE.split("/"))
+            if zoneinfo_root.exists() and not zone_info_file.exists():
+                self._errors.append(
+                    f"Invalid TIME_ZONE setting '{self.TIME_ZONE}'. Timezone file not found."
+                )
+            else:
+                os.environ["TZ"] = self.TIME_ZONE
+                time.tzset()
+
+    def _check_required_settings(self):
+        missing = [k for k, v in self._settings.items() if v.required and not v.is_set]
+        if missing:
+            self._errors.append(f"Missing required setting(s): {', '.join(missing)}.")
+
+    def _raise_errors_if_any(self):
+        if self._errors:
+            errors = ["- " + e for e in self._errors]
+            raise ImproperlyConfigured(
+                "Settings configuration errors:\n" + "\n".join(errors)
+            )
 
     def __getattr__(self, name):
-        """Return the value of a setting and cache it in self.__dict__."""
-        if (_wrapped := self._wrapped) is empty:
-            self._setup(name)
-            _wrapped = self._wrapped
-        val = getattr(_wrapped, name)
+        # Avoid recursion by directly returning internal attributes
+        if not name.isupper():
+            return object.__getattribute__(self, name)
 
-        # Special case some settings which require further modification.
-        # This is done here for performance reasons so the modified value is cached.
-        if name == "SECRET_KEY" and not val:
-            raise ImproperlyConfigured("The SECRET_KEY setting must not be empty.")
+        self._setup()
 
-        self.__dict__[name] = val
-        return val
+        if name in self._settings:
+            return self._settings[name].value
+        else:
+            raise AttributeError(f"'Settings' object has no attribute '{name}'")
 
     def __setattr__(self, name, value):
-        """
-        Set the value of setting. Clear all cached values if _wrapped changes
-        (@override_settings does this) or clear single values when set.
-        """
-        if name == "_wrapped":
-            self.__dict__.clear()
+        # Handle internal attributes without recursion
+        if not name.isupper():
+            object.__setattr__(self, name, value)
         else:
-            self.__dict__.pop(name, None)
-        super().__setattr__(name, value)
-
-    def __delattr__(self, name):
-        """Delete a setting and clear it from cache if needed."""
-        super().__delattr__(name)
-        self.__dict__.pop(name, None)
+            if name in self._settings:
+                self._settings[name].set_value(value, "runtime")
+                self._raise_errors_if_any()
+            else:
+                object.__setattr__(self, name, value)
 
-    @property
-    def configured(self):
-        """Return True if the settings have already been configured."""
-        return self._wrapped is not empty
+    def __repr__(self):
+        if not self.configured:
+            return "<Settings [Unevaluated]>"
+        return f'<Settings "{self._settings_module}">'
+
+
+def _parse_env_value(value, annotation):
+    if not annotation:
+        raise ImproperlyConfigured("Type hint required to set from environment.")
+
+    if annotation is bool:
+        # Special case for bools
+        return value.lower() in ("true", "1", "yes")
+    elif annotation is str:
+        return value
+    else:
+        # Parse other types using JSON
+        try:
+            return json.loads(value)
+        except json.JSONDecodeError as e:
+            raise ImproperlyConfigured(
+                f"Invalid JSON value for setting: {e.msg}"
+            ) from e
 
 
 class SettingDefinition:
-    """Store some basic info about default settings and where they came from"""
+    """Store detailed information about settings."""
 
-    def __init__(self, name, value, annotation, module, required=False):
+    def __init__(
+        self, name, default_value=None, annotation=None, module=None, required=False
+    ):
         self.name = name
-        self.value = value
+        self.default_value = default_value
         self.annotation = annotation
         self.module = module
         self.required = required
+        self.value = default_value
+        self.source = "default"  # 'default', 'env', 'explicit', or 'runtime'
+        self.is_set = False  # Indicates if the value was set explicitly
 
-    def __str__(self):
-        return self.name
+    def set_value(self, value, source):
+        self.check_type(value)
+        self.value = value
+        self.source = source
+        self.is_set = True
 
     def check_type(self, obj):
         if not self.annotation:
             return
 
         if not SettingDefinition._is_instance_of_type(obj, self.annotation):
-            raise ValueError(
-                f"The {self.name} setting must be of type {self.annotation}"
+            raise ImproperlyConfigured(
+                f"'{self.name}': Expected type {self.annotation}, but got {type(obj)}."
             )
 
     @staticmethod
@@ -152,153 +294,20 @@ class SettingDefinition:
                 for i, item in enumerate(value)
             )
 
-        raise ValueError("Unsupported type hint: %s" % type_hint)
-
-
-class Settings:
-    def __init__(self, settings_module):
-        self._default_settings = {}
-        self._explicit_settings = set()
-
-        # First load the global settings from plain
-        self._load_module_settings(
-            importlib.import_module("plain.runtime.global_settings")
-        )
-
-        # store the settings module in case someone later cares
-        self.SETTINGS_MODULE = settings_module
-
-        mod = importlib.import_module(self.SETTINGS_MODULE)
-
-        # Keep a reference to the settings.py module path
-        # so we can find files next to it (assume it's at the app root)
-        self.path = Path(mod.__file__).resolve()
-
-        # First, get all the default_settings from the INSTALLED_PACKAGES and set those values
-        self._load_default_settings(mod)
-        # Second, look at the environment variables and overwrite with those
-        self._load_env_settings()
-        # Finally, load the explicit settings from the settings module
-        self._load_explicit_settings(mod)
-        # Check for any required settings that are missing
-        self._check_required_settings()
-
-    def _load_default_settings(self, settings_module):
-        # Get INSTALLED_PACKAGES from mod,
-        # then (without populating packages) do a check for default_settings in each
-        # app and load those now too.
-        for entry in getattr(settings_module, "INSTALLED_PACKAGES", []):
-            try:
-                if isinstance(entry, PackageConfig):
-                    app_settings = entry.module.default_settings
-                else:
-                    app_settings = importlib.import_module(f"{entry}.default_settings")
-            except ModuleNotFoundError:
-                continue
-
-            self._load_module_settings(app_settings)
-
-    def _load_module_settings(self, module):
-        annotations = getattr(module, "__annotations__", {})
-        settings = dir(module)
-
-        for setting in settings:
-            if setting.isupper():
-                if hasattr(self, setting):
-                    raise ImproperlyConfigured("The %s setting is duplicated" % setting)
+        raise ValueError(f"Unsupported type hint: {type_hint}")
 
-                setting_value = getattr(module, setting)
-
-                # Set a simple attr on the settings object
-                setattr(self, setting, setting_value)
-
-                # Store a more complex setting reference for more detail
-                self._default_settings[setting] = SettingDefinition(
-                    name=setting,
-                    value=setting_value,
-                    annotation=annotations.get(setting, ""),
-                    module=module,
-                )
-
-        # Store any annotations that didn't have a value (these are required settings)
-        for setting, annotation in annotations.items():
-            if setting not in self._default_settings:
-                self._default_settings[setting] = SettingDefinition(
-                    name=setting,
-                    value=None,
-                    annotation=annotation,
-                    module=module,
-                    required=True,
-                )
-
-    def _load_env_settings(self):
-        env_settings = {
-            k[len(ENV_SETTINGS_PREFIX) :]: v
-            for k, v in os.environ.items()
-            if k.startswith(ENV_SETTINGS_PREFIX)
-        }
-        logger.debug("Loading environment settings: %s", env_settings)
-        for setting, value in env_settings.items():
-            if setting not in self._default_settings:
-                # Ignore anything not defined in the default settings
-                continue
-
-            default_setting = self._default_settings[setting]
-            if not default_setting.annotation:
-                raise ValueError(
-                    f"Setting {setting} needs a type hint to be set from the environment"
-                )
-
-            if default_setting.annotation is bool:
-                # Special case for bools
-                parsed_value = value.lower() in ("true", "1", "yes")
-            elif default_setting.annotation is str:
-                parsed_value = value
-            else:
-                # Anything besides a string will be parsed as JSON
-                # (works for ints, lists, etc.)
-                parsed_value = json.loads(value)
-
-            default_setting.check_type(parsed_value)
-
-            setattr(self, setting, parsed_value)
-            self._explicit_settings.add(setting)
-
-    def _load_explicit_settings(self, settings_module):
-        for setting in dir(settings_module):
-            if setting.isupper():
-                setting_value = getattr(settings_module, setting)
-
-                if setting in self._default_settings:
-                    self._default_settings[setting].check_type(setting_value)
-
-                setattr(self, setting, setting_value)
-                self._explicit_settings.add(setting)
+    def __str__(self):
+        return f"SettingDefinition(name={self.name}, value={self.value}, source={self.source})"
 
-        if hasattr(time, "tzset") and self.TIME_ZONE:
-            # When we can, attempt to validate the timezone. If we can't find
-            # this file, no check happens and it's harmless.
-            zoneinfo_root = Path("/usr/share/zoneinfo")
-            zone_info_file = zoneinfo_root.joinpath(*self.TIME_ZONE.split("/"))
-            if zoneinfo_root.exists() and not zone_info_file.exists():
-                raise ValueError("Incorrect timezone setting: %s" % self.TIME_ZONE)
-            # Move the time zone info into os.environ. See ticket #2315 for why
-            # we don't do this unconditionally (breaks Windows).
-            os.environ["TZ"] = self.TIME_ZONE
-            time.tzset()
 
-    def _check_required_settings(self):
-        # Required settings have to be explicitly defined (there is no default)
-        # so we can check whether they have been set by the user
-        required_settings = {k for k, v in self._default_settings.items() if v.required}
-        if missing := required_settings - self._explicit_settings:
-            raise ImproperlyConfigured(
-                "The following settings are required: %s" % ", ".join(missing)
-            )
+class SettingsReference(str):
+    """
+    String subclass which references a current settings value. It's treated as
+    the value in memory but serializes to a settings.NAME attribute reference.
+    """
 
-    # Seems like this could almost be removed
-    def is_overridden(self, setting):
-        return setting in self._explicit_settings
+    def __new__(self, value, setting_name):
+        return str.__new__(self, value)
 
-    def __repr__(self):
-        return f'<{self.__class__.__name__} "{self.SETTINGS_MODULE}">'
+    def __init__(self, value, setting_name):
+        self.setting_name = setting_name

plain/signing.py

@@ -37,12 +37,10 @@ import base64
 import datetime
 import json
 import time
-import warnings
 import zlib
 
 from plain.runtime import settings
 from plain.utils.crypto import constant_time_compare, salted_hmac
-from plain.utils.deprecation import RemovedInDjango51Warning
 from plain.utils.encoding import force_bytes
 from plain.utils.module_loading import import_string
 from plain.utils.regex_helper import _lazy_re_compile
@@ -109,7 +107,7 @@ def _cookie_signer_key(key):
 
 
 def get_cookie_signer(salt="plain.signing.get_cookie_signer"):
-    Signer = import_string(settings.SIGNING_BACKEND)
+    Signer = import_string(settings.COOKIE_SIGNING_BACKEND)
     return Signer(
         key=_cookie_signer_key(settings.SECRET_KEY),
         fallback_keys=map(_cookie_signer_key, settings.SECRET_KEY_FALLBACKS),
@@ -177,17 +175,13 @@ def loads(
 
 
 class Signer:
-    # RemovedInDjango51Warning: When the deprecation ends, replace with:
-    # def __init__(
-    #   self, *, key=None, sep=":", salt=None, algorithm=None, fallback_keys=None
-    # ):
     def __init__(
         self,
-        *args,
+        *,
         key=None,
         sep=":",
         salt=None,
-        algorithm=None,
+        algorithm="sha256",
         fallback_keys=None,
     ):
         self.key = key or settings.SECRET_KEY
@@ -198,20 +192,8 @@ class Signer:
         )
         self.sep = sep
         self.salt = salt or f"{self.__class__.__module__}.{self.__class__.__name__}"
-        self.algorithm = algorithm or "sha256"
-        # RemovedInDjango51Warning.
-        if args:
-            warnings.warn(
-                f"Passing positional arguments to {self.__class__.__name__} is "
-                f"deprecated.",
-                RemovedInDjango51Warning,
-                stacklevel=2,
-            )
-            for arg, attr in zip(
-                args, ["key", "sep", "salt", "algorithm", "fallback_keys"]
-            ):
-                if arg or attr == "sep":
-                    setattr(self, attr, arg)
+        self.algorithm = algorithm
+
         if _SEP_UNSAFE.match(self.sep):
             raise ValueError(
                 "Unsafe Signer separator: %r (cannot be empty or consist of "

plain/utils/timezone.py

@@ -138,27 +138,6 @@ class override(ContextDecorator):
             _active.value = self.old_timezone
 
 
-# Templates
-
-
-def template_localtime(value, use_tz=None):
-    """
-    Check if value is a datetime and converts it to local time if necessary.
-
-    If use_tz is provided and is not None, that will force the value to
-    be converted (or not), overriding the value of settings.USE_TZ.
-
-    This function is designed for use by the template engine.
-    """
-    should_convert = (
-        isinstance(value, datetime)
-        and (settings.USE_TZ if use_tz is None else use_tz)
-        and not is_naive(value)
-        and getattr(value, "convert_to_local_time", True)
-    )
-    return localtime(value) if should_convert else value
-
-
 # Utilities
 
 
@@ -184,9 +163,9 @@ def localtime(value=None, timezone=None):
 
 def now():
     """
-    Return an aware or naive datetime.datetime, depending on settings.USE_TZ.
+    Return a timezone aware datetime.
     """
-    return datetime.now(tz=timezone.utc if settings.USE_TZ else None)
+    return datetime.now(tz=timezone.utc)
 
 
 # By design, these four functions don't perform any checks on their arguments.

{plain-0.4.1.dist-info → plain-0.6.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: plain
-Version: 0.4.1
+Version: 0.6.0
 Summary: A web framework for building products with Python.
 Author: Dave Gaeddert
 Author-email: dave.gaeddert@dropseed.dev

{plain-0.4.1.dist-info → plain-0.6.0.dist-info}/RECORD

@@ -9,7 +9,7 @@ plain/assets/urls.py,sha256=ZTIoM1Zq35JaXZ3wFhXhfGa7VoITDNlH9i5RS0R5xow,933
 plain/assets/views.py,sha256=dhjIpMu0GDR_VGbXM90_6RnC84C2C4bFv1RxDVklGBk,9173
 plain/cli/README.md,sha256=xjr1K-sIMTi5OWxdxL--O7aoo16Pd1xdawIZtz6BL7Q,2464
 plain/cli/__init__.py,sha256=9ByBOIdM8DebChjNz-RH2atdz4vWe8somlwNEsbhwh4,40
-plain/cli/cli.py,sha256=z2BoAdb5IF_WpPdbSsS1lc2GMsCOrb2y-ZgUfa6NmaE,14416
+plain/cli/cli.py,sha256=myxXjRRLt8GQdJ4m3wOgW383D4Z1t1v07PABU0IQ6RM,15095
 plain/cli/formatting.py,sha256=1hZH13y1qwHcU2K2_Na388nw9uvoeQH8LrWL-O9h8Yc,2207
 plain/cli/packages.py,sha256=69VH1bIi1-5N5l2jlBcR5EP0pt-v16sPar9arO3gCSE,2052
 plain/cli/print.py,sha256=XraUYrgODOJquIiEv78wSCYGRBplHXtXSS9QtFG5hqY,217
@@ -23,8 +23,8 @@ plain/forms/README.md,sha256=fglB9MmHiEgfGGdZmcRstNl6eYaFljrElu2mzapK52M,377
 plain/forms/__init__.py,sha256=UxqPwB8CiYPCQdHmUc59jadqaXqDmXBH8y4bt9vTPms,226
 plain/forms/boundfield.py,sha256=LhydhCVR0okrli0-QBMjGjAJ8-06gTCXVEaBZhBouQk,1741
 plain/forms/exceptions.py,sha256=XCLDRl5snIEDu5-8mLB0NnU_tegcBfyIHMiJxqvbxnc,164
-plain/forms/fields.py,sha256=nyL1-NLAIt2jvEhGt4VwUy7xsXrVuU_wMuMzRXVhleA,35178
-plain/forms/forms.py,sha256=QgIV4JDLXzM8wfLYVZUUNH5kmJlQYQVG6UAENrxFIBo,10357
+plain/forms/fields.py,sha256=86ZE9jac6Zyg5vKsYGgyOUOIQLKxO--UomGXwA65tk4,35103
+plain/forms/forms.py,sha256=-EcS2QVpAy4H95Y-RL108LnWnHLSyCGgEnUCdIIXnjg,10451
 plain/http/README.md,sha256=00zLFQ-FPjYXu3A8QsLhCCXxaT0ImvI5I-8xd3dp8WA,7
 plain/http/__init__.py,sha256=DIsDRbBsCGa4qZgq-fUuQS0kkxfbTU_3KpIM9VvH04w,1067
 plain/http/cookie.py,sha256=11FnSG3Plo6T3jZDbPoCw7SKh9ExdBio3pTmIO03URg,597
@@ -53,10 +53,9 @@ plain/logs/loggers.py,sha256=iz9SYcwP9w5QAuwpULl48SFkVyJuuMoQ_fdLgdCHpNg,2121
 plain/logs/utils.py,sha256=9UzdCCQXJinGDs71Ngw297mlWkhgZStSd67ya4NOW98,1257
 plain/middleware/README.md,sha256=MgiLHwAfP8ooBSlDi1JhTwIHMlwphOqAkeWglYRbe8s,52
 plain/middleware/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-plain/middleware/clickjacking.py,sha256=MJOHWSDqJB8K6YE6XTh34uyr2LNKuE9XsywZRRsljFk,1764
 plain/middleware/common.py,sha256=-YySkYUyaRujYA5Yg7GRD3xFjlQOZpeJP1Stpt6pias,3631
 plain/middleware/gzip.py,sha256=2NogLO6hPxVc3otxkhMDl7-r2Zw3vcIkAP29fx4j2eU,2383
-plain/middleware/security.py,sha256=r9UatFEaKVL1eZ5AxAuVX9uf5eLKwImEZmjL2t1slaY,2477
+plain/middleware/security.py,sha256=WZRn5F9qx33wFTqh4CkBEtHrTuyr7RCt4Gwq4W2mBgE,1043
 plain/packages/README.md,sha256=Vq1Nw3mmEmZ2IriQavuVi4BjcQC2nb8k7YIbnm8QjIg,799
 plain/packages/__init__.py,sha256=DnHN1wwHXiXib4Y9BV__x9WrbUaTovoTIxW-tVyScTU,106
 plain/packages/config.py,sha256=6Vdf1TEQllZkkEvK0WK__zHJYT9nxmS3EyYrbuq0GkM,11201
@@ -68,19 +67,19 @@ plain/preflight/files.py,sha256=wbHCNgps7o1c1zQNBd8FDCaVaqX90UwuvLgEQ_DbUpY,510
 plain/preflight/messages.py,sha256=u0oc7q7YmBlKYJRcF5SQpzncfOkEzDhZTcpyclQDfHg,2427
 plain/preflight/registry.py,sha256=ZpxnZPIklXuT8xZVTxCUp_IER3zhd7DdfsmqIpAbLj4,2306
 plain/preflight/security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-plain/preflight/security/base.py,sha256=MjY1HXfUD4fsGz1kGs0eI2hpoSmD57x_30CMbLpw3h4,8445
+plain/preflight/security/base.py,sha256=EY9rgXi8qdzLY1mMq9lMqYJmIV2OhN66Vt96meblxoE,3541
 plain/preflight/security/csrf.py,sha256=EZy_DkVqc1kUmBA-UbNmhVsKhRINfmqgWSRlatKy5AA,1237
 plain/preflight/urls.py,sha256=O4PQ_v205VA2872fQlhPfxaihDDRCsVp0ZVKQ92aX4k,3019
-plain/runtime/README.md,sha256=F5USETg445RX1RxC13y_1NrbOs3GHQI2Jl9idGdVFnk,2270
-plain/runtime/__init__.py,sha256=jKak9tK8MfcGNYOzqCOEmwSRAGOoji8r7e2IAwOymzE,1392
-plain/runtime/global_settings.py,sha256=PrJ5IAPk1nEr8U_XM3gLrItIVA4v2ig1t1bx_fV0NPE,6118
-plain/runtime/user_settings.py,sha256=3016w7YiOkG85L1Y5BsobgxgCOAaRbZzFaBadzmHSZg,11315
+plain/runtime/README.md,sha256=wR0XrWAb4FGnOON2-O9ySSZCSMZmPkKGx-4DQXd_2h4,2209
+plain/runtime/__init__.py,sha256=vIh77lL4e5CoQZz-HxvXeJL5329s8VfPFpNxx9rHgxs,1384
+plain/runtime/global_settings.py,sha256=cVwGcdpDFf2OoYeGD3Lfv-mxGF48aKSGzZlLKwp8UKI,5566
+plain/runtime/user_settings.py,sha256=JhxmCCOmEMk0QHh82l5iTpEie-UdZh13aXGsLhE5PBw,11255
 plain/signals/README.md,sha256=cd3tKEgH-xc88CUWyDxl4-qv-HBXx8VT32BXVwA5azA,230
 plain/signals/__init__.py,sha256=eAs0kLqptuP6I31dWXeAqRNji3svplpAV4Ez6ktjwXM,131
 plain/signals/dispatch/__init__.py,sha256=FzEygqV9HsM6gopio7O2Oh_X230nA4d5Q9s0sUjMq0E,292
 plain/signals/dispatch/dispatcher.py,sha256=VxSlqn9PCOTghPPJLOqZPs6FNQZfV2BJpMfFMSg6Dtc,11531
 plain/signals/dispatch/license.txt,sha256=o9EhDhsC4Q5HbmD-IfNGVTEkXtNE33r5rIt3lleJ8gc,1727
-plain/signing.py,sha256=rCsizsluW-lt8ihwicf19kU-sOewMvkIbeI9MrFNwOw,9491
+plain/signing.py,sha256=V6A6PTDYWekuwtQRI1iFD8dud5OHPZTv4EkeoZEHoXo,8737
 plain/templates/README.md,sha256=VfA2HmrklG5weE1md85q9g84cWnMBEiXAynKzM7S1Sk,464
 plain/templates/__init__.py,sha256=Jh1jit55UR4dRpklQ6qAN2ixzYZBVoDi0AOdfD4Nh4E,106
 plain/templates/core.py,sha256=iw58EAmyyv8N5HDA-Sq4-fLgz_qx8v8WJfurgR116jw,625
@@ -129,7 +128,7 @@ plain/utils/safestring.py,sha256=SHGhpbX6FFDKSYOY9zYAgAQX0g0exzRba7dM2bJalWs,187
 plain/utils/termcolors.py,sha256=78MimQMp4Etoh1X1lokOJ6ucxErHtg8z9rxeTtV5nhk,7394
 plain/utils/text.py,sha256=QxhJsk_4VrNVUtwwo0DXGTMHJ1x_hrKOqJOxlPB33qc,16596
 plain/utils/timesince.py,sha256=essdb0XWBKWmKtIprs-4rO0qKTtsFqZ0Fwn-RTDyhOc,4758
-plain/utils/timezone.py,sha256=tFd4NfQNwTiHKExNxTc0wWKUpDZximHlcN0Ykv-wQ6k,6910
+plain/utils/timezone.py,sha256=AZ7lcmUjofUTfQUb08pHXu0u7TDuPJpMRB5lgvE4E0w,6212
 plain/utils/tree.py,sha256=wdWzmfsgc26YDF2wxhAY3yVxXTixQYqYDKE9mL3L3ZY,4383
 plain/validators.py,sha256=L9v9KtTe4iZhZVramZdKGf33R5Tt95FCdg2AJD2-2n0,19963
 plain/views/README.md,sha256=qndsXKyNMnipPlLaAvgQeGxqXknNQwlFh31Yxk8rHp8,5994
@@ -143,8 +142,8 @@ plain/views/objects.py,sha256=9QBYyb8PgkRirXCQ8-Pms4_yMzP37dfeL30hWRYmtZg,7909
 plain/views/redirect.py,sha256=KLnlktzK6ZNMTlaEiZpMKQMEP5zeTgGLJ9BIkIJfwBo,1733
 plain/views/templates.py,sha256=nF9CcdhhjAyp3LB0RrSYnBaHpHzMfPSw719RCdcXk7o,2007
 plain/wsgi.py,sha256=R6k5FiAElvGDApEbMPTT0MPqSD7n2e2Az5chQqJZU0I,236
-plain-0.4.1.dist-info/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
-plain-0.4.1.dist-info/METADATA,sha256=l7Q6qWK98LKLVsoQ4Fr5Apb5YimjLkIzhUwAO4PSjPE,2716
-plain-0.4.1.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-plain-0.4.1.dist-info/entry_points.txt,sha256=7O1RZTmMasKYB73bfqQcTwIhsXo7RjEIKv2WbtTtOIM,39
-plain-0.4.1.dist-info/RECORD,,
+plain-0.6.0.dist-info/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
+plain-0.6.0.dist-info/METADATA,sha256=QbORBVO36VHvPSJS5waroaoHUkGHP8wZ5Q22GO1ocaM,2716
+plain-0.6.0.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+plain-0.6.0.dist-info/entry_points.txt,sha256=7O1RZTmMasKYB73bfqQcTwIhsXo7RjEIKv2WbtTtOIM,39
+plain-0.6.0.dist-info/RECORD,,

plain/middleware/clickjacking.py

@@ -1,52 +0,0 @@
-"""
-Clickjacking Protection Middleware.
-
-This module provides a middleware that implements protection against a
-malicious site loading resources from your site in a hidden frame.
-"""
-
-from plain.runtime import settings
-
-
-class XFrameOptionsMiddleware:
-    """
-    Set the X-Frame-Options HTTP header in HTTP responses.
-
-    Do not set the header if it's already set or if the response contains
-    a xframe_options_exempt value set to True.
-
-    By default, set the X-Frame-Options header to 'DENY', meaning the response
-    cannot be displayed in a frame, regardless of the site attempting to do so.
-    To enable the response to be loaded on a frame within the same site, set
-    X_FRAME_OPTIONS in your project's Plain settings to 'SAMEORIGIN'.
-    """
-
-    def __init__(self, get_response):
-        self.get_response = get_response
-
-    def __call__(self, request):
-        response = self.get_response(request)
-
-        # Don't set it if it's already in the response
-        if response.get("X-Frame-Options") is not None:
-            return response
-
-        # Don't set it if they used @xframe_options_exempt
-        if getattr(response, "xframe_options_exempt", False):
-            return response
-
-        response.headers["X-Frame-Options"] = self.get_xframe_options_value(
-            request,
-            response,
-        )
-        return response
-
-    def get_xframe_options_value(self, request, response):
-        """
-        Get the value to set for the X_FRAME_OPTIONS header. Use the value from
-        the X_FRAME_OPTIONS setting, or 'DENY' if not set.
-
-        This method can be overridden if needed, allowing it to vary based on
-        the request or response.
-        """
-        return getattr(settings, "X_FRAME_OPTIONS", "DENY").upper()