plain 0.56.1__py3-none-any.whl → 0.58.0__py3-none-any.whl

plain/exceptions.py

@@ -6,6 +6,23 @@ import operator
 
 from plain.utils.hashable import make_hashable
 
+# MARK: Configuration and Registry
+
+
+class PackageRegistryNotReady(Exception):
+    """The plain.packages registry is not populated yet"""
+
+    pass
+
+
+class ImproperlyConfigured(Exception):
+    """Plain is somehow improperly configured"""
+
+    pass
+
+
+# MARK: Model and Field Errors
+
 
 class FieldDoesNotExist(Exception):
     """The requested model field does not exist"""
@@ -13,8 +30,8 @@ class FieldDoesNotExist(Exception):
     pass
 
 
-class PackageRegistryNotReady(Exception):
-    """The plain.packages registry is not populated yet"""
+class FieldError(Exception):
+    """Some kind of problem with a model field."""
 
     pass
 
@@ -31,6 +48,9 @@ class MultipleObjectsReturned(Exception):
     pass
 
 
+# MARK: Security and Suspicious Operations
+
+
 class SuspiciousOperation(Exception):
     """The user did something suspicious"""
 
@@ -53,12 +73,6 @@ class DisallowedHost(SuspiciousOperation):
     pass
 
 
-class DisallowedRedirect(SuspiciousOperation):
-    """Redirect to scheme not in allowed list"""
-
-    pass
-
-
 class TooManyFieldsSent(SuspiciousOperation):
     """
     The number of fields in a GET or POST request exceeded
@@ -86,6 +100,9 @@ class RequestDataTooBig(SuspiciousOperation):
     pass
 
 
+# MARK: HTTP and Request Errors
+
+
 class BadRequest(Exception):
     """The request is malformed and cannot be processed."""
 
@@ -98,17 +115,7 @@ class PermissionDenied(Exception):
     pass
 
 
-class ImproperlyConfigured(Exception):
-    """Plain is somehow improperly configured"""
-
-    pass
-
-
-class FieldError(Exception):
-    """Some kind of problem with a model field."""
-
-    pass
-
+# MARK: Validation
 
 NON_FIELD_ERRORS = "__all__"
 
@@ -211,6 +218,9 @@ class ValidationError(Exception):
         return hash(tuple(sorted(self.error_list, key=operator.attrgetter("message"))))
 
 
+# MARK: Database
+
+
 class EmptyResultSet(Exception):
     """A database query predicate is impossible."""
 

plain/forms/README.md

@@ -33,8 +33,6 @@ Then in your template, you can render the form fields.
 {% block content %}
 
 <form method="post">
-    {{ csrf_input }}
-
     <!-- Render general form errors -->
     {% for error in form.non_field_errors %}
     <div>{{ error }}</div>

plain/http/__init__.py

@@ -19,7 +19,6 @@ from plain.http.response import (
     ResponseNotAllowed,
     ResponseNotFound,
     ResponseNotModified,
-    ResponsePermanentRedirect,
     ResponseRedirect,
     ResponseServerError,
     StreamingResponse,
@@ -36,7 +35,6 @@ __all__ = [
     "ResponseBase",
     "StreamingResponse",
     "ResponseRedirect",
-    "ResponsePermanentRedirect",
     "ResponseNotModified",
     "ResponseBadRequest",
     "ResponseForbidden",

plain/http/response.py

@@ -10,10 +10,8 @@ from email.header import Header
 from functools import cached_property
 from http.client import responses
 from http.cookies import SimpleCookie
-from urllib.parse import urlparse
 
 from plain import signals
-from plain.exceptions import DisallowedRedirect
 from plain.http.cookie import sign_cookie_value
 from plain.json import PlainJSONEncoder
 from plain.runtime import settings
@@ -566,19 +564,18 @@ class FileResponse(StreamingResponse):
             self.headers["Content-Disposition"] = content_disposition
 
 
-class ResponseRedirectBase(Response):
-    allowed_schemes = ["http", "https", "ftp"]
+class ResponseRedirect(Response):
+    """HTTP redirect response"""
+
+    status_code = 302
 
     def __init__(self, redirect_to, **kwargs):
         super().__init__(**kwargs)
         self.headers["Location"] = iri_to_uri(redirect_to)
-        parsed = urlparse(str(redirect_to))
-        if parsed.scheme and parsed.scheme not in self.allowed_schemes:
-            raise DisallowedRedirect(
-                f"Unsafe redirect to URL with protocol '{parsed.scheme}'"
-            )
 
-    url = property(lambda self: self.headers["Location"])
+    @property
+    def url(self):
+        return self.headers["Location"]
 
     def __repr__(self):
         return (
@@ -592,18 +589,6 @@ class ResponseRedirectBase(Response):
         )
 
 
-class ResponseRedirect(ResponseRedirectBase):
-    """HTTP 302 response"""
-
-    status_code = 302
-
-
-class ResponsePermanentRedirect(ResponseRedirectBase):
-    """HTTP 301 response"""
-
-    status_code = 301
-
-
 class ResponseNotModified(Response):
     """HTTP 304 response"""
 

plain/internal/middleware/https.py

@@ -1,6 +1,6 @@
 import re
 
-from plain.http import ResponsePermanentRedirect
+from plain.http import ResponseRedirect
 from plain.runtime import settings
 
 
@@ -12,7 +12,7 @@ class HttpsRedirectMiddleware:
         self.https_redirect_enabled = settings.HTTPS_REDIRECT_ENABLED
         self.https_redirect_host = settings.HTTPS_REDIRECT_HOST
         self.https_redirect_exempt = [
-            re.compile(r) for r in settings.HTTPS_REDIRECT_EXEMPT
+            re.compile(r) for r in settings.HTTPS_REDIRECT_EXEMPT_PATHS
         ]
 
     def __call__(self, request):
@@ -26,11 +26,15 @@ class HttpsRedirectMiddleware:
         return self.get_response(request)
 
     def maybe_https_redirect(self, request):
-        path = request.path.lstrip("/")
         if (
             self.https_redirect_enabled
             and not request.is_https()
-            and not any(pattern.search(path) for pattern in self.https_redirect_exempt)
+            and not any(
+                pattern.search(request.path_info)
+                for pattern in self.https_redirect_exempt
+            )
         ):
             host = self.https_redirect_host or request.get_host()
-            return ResponsePermanentRedirect(f"https://{host}{request.get_full_path()}")
+            return ResponseRedirect(
+                f"https://{host}{request.get_full_path()}", status_code=301
+            )

plain/internal/middleware/slash.py

@@ -1,4 +1,4 @@
-from plain.http import ResponsePermanentRedirect
+from plain.http import ResponseRedirect
 from plain.runtime import settings
 from plain.urls import Resolver404, get_resolver
 from plain.utils.http import escape_leading_slashes
@@ -22,7 +22,9 @@ class RedirectSlashMiddleware:
         # If the given URL is "Not Found", then check if we should redirect to
         # a path with a slash appended.
         if response.status_code == 404 and self.should_redirect_with_slash(request):
-            return ResponsePermanentRedirect(self.get_full_path_with_slash(request))
+            return ResponseRedirect(
+                self.get_full_path_with_slash(request), status_code=301
+            )
 
         return response
 

plain/runtime/global_settings.py

@@ -3,31 +3,20 @@ Default Plain settings. Override these with settings in the module pointed to
 by the PLAIN_SETTINGS_MODULE environment variable.
 """
 
-####################
-# CORE             #
-####################
+# MARK: Core Settings
 
 DEBUG: bool = False
 
-# Hosts/domain names that are valid for this site.
-# "*" matches anything, ".example.com" matches example.com and all subdomains
-ALLOWED_HOSTS: list[str] = []
-
-# Local time zone for this installation. All choices can be found here:
-# https://en.wikipedia.org/wiki/List_of_tz_zones_by_name (although not all
-# systems may support all possibilities). This is interpreted as the default
-# user time zone.
-TIME_ZONE: str = "UTC"
-
-# Default charset to use for all Response objects, if a MIME type isn't
-# manually specified. It's used to construct the Content-Type header.
-DEFAULT_CHARSET = "utf-8"
-
 # List of strings representing installed packages.
 INSTALLED_PACKAGES: list[str] = []
 
-# Whether to append trailing slashes to URLs.
-APPEND_SLASH = True
+URLS_ROUTER: str
+
+# MARK: HTTP and Security
+
+# Hosts/domain names that are valid for this site.
+# "*" matches anything, ".example.com" matches example.com and all subdomains
+ALLOWED_HOSTS: list[str] = []
 
 # Default headers for all responses.
 DEFAULT_RESPONSE_HEADERS = {
@@ -42,7 +31,13 @@ DEFAULT_RESPONSE_HEADERS = {
 
 # Whether to redirect all non-HTTPS requests to HTTPS.
 HTTPS_REDIRECT_ENABLED = True
-HTTPS_REDIRECT_EXEMPT = []
+
+# Regex patterns for paths that should be exempt from HTTPS redirect
+# Examples: [r"^/health$", r"/api/internal/.*", r"/dev/.*"]
+HTTPS_REDIRECT_EXEMPT_PATHS: list[str] = []
+
+# Custom host to redirect to for HTTPS. If None, uses the same host as the request.
+# Useful for redirecting to a different domain (e.g., "secure.example.com")
 HTTPS_REDIRECT_HOST = None
 
 # If your Plain app is behind a proxy that sets a header to specify secure
@@ -68,7 +63,24 @@ SECRET_KEY: str
 # secret key rotation.
 SECRET_KEY_FALLBACKS: list[str] = []
 
-URLS_ROUTER: str
+# MARK: Internationalization
+
+# Local time zone for this installation. All choices can be found here:
+# https://en.wikipedia.org/wiki/List_of_tz_zones_by_name (although not all
+# systems may support all possibilities). This is interpreted as the default
+# user time zone.
+TIME_ZONE: str = "UTC"
+
+# Default charset to use for all Response objects, if a MIME type isn't
+# manually specified. It's used to construct the Content-Type header.
+DEFAULT_CHARSET = "utf-8"
+
+# MARK: URL Configuration
+
+# Whether to append trailing slashes to URLs.
+APPEND_SLASH = True
+
+# MARK: File Uploads
 
 # List of upload handler classes to be applied in order.
 FILE_UPLOAD_HANDLERS = [
@@ -100,41 +112,30 @@ FILE_UPLOAD_TEMP_DIR = None
 # User-defined overrides for error views by status code
 HTTP_ERROR_VIEWS: dict[int] = {}
 
-##############
-# MIDDLEWARE #
-##############
+# MARK: Middleware
 
 # List of middleware to use. Order is important; in the request phase, these
 # middleware will be applied in the order given, and in the response
 # phase the middleware will be applied in reverse order.
 MIDDLEWARE: list[str] = []
 
-########
-# CSRF #
-########
-
-# Settings for CSRF cookie.
-CSRF_COOKIE_NAME = "csrftoken"
-CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52  # 1 year
-CSRF_COOKIE_DOMAIN = None
-CSRF_COOKIE_PATH = "/"
-CSRF_COOKIE_SECURE = True
-CSRF_COOKIE_HTTPONLY = False
-CSRF_COOKIE_SAMESITE = "Lax"
-CSRF_HEADER_NAME = "CSRF-Token"
-CSRF_FIELD_NAME = "_csrftoken"
+# MARK: CSRF
+
+# A list of trusted origins for unsafe (POST/PUT/DELETE etc.) requests.
+# These origins will be allowed regardless of the normal CSRF checks.
+# Each origin should be a full origin like "https://example.com" or "https://sub.example.com:8080"
 CSRF_TRUSTED_ORIGINS: list[str] = []
 
-###########
-# LOGGING #
-###########
+# Regex patterns for paths that should be exempt from CSRF protection
+# Examples: [r"^/api/", r"/webhooks/.*", r"/health$"]
+CSRF_EXEMPT_PATHS: list[str] = []
+
+# MARK: Logging
 
 # Custom logging configuration.
 LOGGING = {}
 
-###############
-# ASSETS #
-###############
+# MARK: Assets
 
 # Whether to redirect the original asset path to the fingerprinted path.
 ASSETS_REDIRECT_ORIGINAL = True
@@ -143,9 +144,7 @@ ASSETS_REDIRECT_ORIGINAL = True
 # Ex. "https://cdn.example.com/assets/"
 ASSETS_BASE_URL: str = ""
 
-####################
-# PREFLIGHT CHECKS #
-####################
+# MARK: Preflight Checks
 
 # List of all issues generated by system checks that should be silenced. Light
 # issues like warnings, infos or debugs will not generate a message. Silencing
@@ -153,14 +152,10 @@ ASSETS_BASE_URL: str = ""
 # message, but Plain will not stop you from e.g. running server.
 PREFLIGHT_SILENCED_CHECKS = []
 
-#############
-# Templates #
-#############
+# MARK: Templates
 
 TEMPLATES_JINJA_ENVIRONMENT = "plain.templates.jinja.DefaultEnvironment"
 
-#########
-# Shell #
-#########
+# MARK: Shell
 
 SHELL_IMPORT: str = ""

plain/templates/README.md

@@ -70,7 +70,6 @@ class HTMXJSExtension(InclusionTagExtension):
 
     def get_context(self, context, *args, **kwargs):
         return {
-            "csrf_token": context["csrf_token"],
             "DEBUG": settings.DEBUG,
             "extensions": kwargs.get("extensions", []),
         }

plain/test/client.py

@@ -114,8 +114,7 @@ class ClientHandler(BaseHandler):
     the originating WSGIRequest attached to its ``wsgi_request`` attribute.
     """
 
-    def __init__(self, enforce_csrf_checks=True, *args, **kwargs):
-        self.enforce_csrf_checks = enforce_csrf_checks
+    def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
     def __call__(self, environ):
@@ -126,12 +125,6 @@ class ClientHandler(BaseHandler):
 
         request_started.send(sender=self.__class__, environ=environ)
         request = WSGIRequest(environ)
-        # sneaky little hack so that we can easily get round
-        # CsrfViewMiddleware.  This makes life easier, and is probably
-        # required for backwards compatibility with external tests against
-        # admin views.
-        if not self.enforce_csrf_checks:
-            request.csrf_exempt = True
 
         # Request goes through middleware.
         response = self.get_response(request)
@@ -420,14 +413,13 @@ class Client(RequestFactory):
 
     def __init__(
         self,
-        enforce_csrf_checks=False,
         raise_request_exception=True,
         *,
         headers=None,
         **defaults,
     ):
         super().__init__(headers=headers, **defaults)
-        self.handler = ClientHandler(enforce_csrf_checks)
+        self.handler = ClientHandler()
         self.raise_request_exception = raise_request_exception
         self.exc_info = None
         self.extra = None

plain/views/README.md

@@ -142,8 +142,6 @@ Rendering forms is done directly in the HTML.
 {% block content %}
 
 <form method="post">
-    {{ csrf_input }}
-
     <!-- Render general form errors -->
     {% for error in form.non_field_errors %}
     <div>{{ error }}</div>

plain/views/redirect.py

@@ -1,29 +1,29 @@
-import logging
-
-from plain.http import (
-    ResponseGone,
-    ResponsePermanentRedirect,
-    ResponseRedirect,
-)
+from plain.http import ResponseRedirect
 from plain.urls import reverse
 
 from .base import View
 
-logger = logging.getLogger("plain.request")
-
 
 class RedirectView(View):
     """Provide a redirect on any GET request."""
 
-    permanent = False
+    status_code = 302
     url: str | None = None
-    pattern_name: str | None = None
-    query_string = False
+    url_name: str | None = None
+    preserve_query_params = False
 
-    def __init__(self, url=None, permanent=None):
-        # Allow url and permanent to be set in RedirectView.as_view(url="...", permanent=True)
+    def __init__(
+        self, url=None, status_code=None, url_name=None, preserve_query_params=None
+    ):
+        # Allow attributes to be set in RedirectView.as_view(url="...", status_code=301, etc.)
         self.url = url or self.url
-        self.permanent = permanent if permanent is not None else self.permanent
+        self.status_code = status_code if status_code is not None else self.status_code
+        self.url_name = url_name or self.url_name
+        self.preserve_query_params = (
+            preserve_query_params
+            if preserve_query_params is not None
+            else self.preserve_query_params
+        )
 
     def get_redirect_url(self):
         """
@@ -33,30 +33,19 @@ class RedirectView(View):
         """
         if self.url:
             url = self.url % self.url_kwargs
-        elif self.pattern_name:
-            url = reverse(self.pattern_name, *self.url_args, **self.url_kwargs)
+        elif self.url_name:
+            url = reverse(self.url_name, *self.url_args, **self.url_kwargs)
         else:
-            return None
+            raise ValueError("RedirectView requires either url or url_name to be set")
 
         args = self.request.meta.get("QUERY_STRING", "")
-        if args and self.query_string:
+        if args and self.preserve_query_params:
             url = f"{url}?{args}"
         return url
 
     def get(self):
         url = self.get_redirect_url()
-        if url:
-            if self.permanent:
-                return ResponsePermanentRedirect(url)
-            else:
-                return ResponseRedirect(url)
-        else:
-            logger.warning(
-                "Gone: %s",
-                self.request.path,
-                extra={"status_code": 410, "request": self.request},
-            )
-            return ResponseGone()
+        return ResponseRedirect(url, status_code=self.status_code)
 
     def head(self):
         return self.get()

plain/views/templates.py

@@ -1,27 +1,11 @@
-from plain.csrf.middleware import get_token
 from plain.exceptions import ImproperlyConfigured
 from plain.http import Response
 from plain.runtime import settings
 from plain.templates import Template, TemplateFileMissing
-from plain.utils.functional import lazy
-from plain.utils.html import format_html
-from plain.utils.safestring import SafeString
 
 from .base import View
 
 
-def csrf_input(request):
-    return format_html(
-        '<input type="hidden" name="{}" value="{}">',
-        settings.CSRF_FIELD_NAME,
-        get_token(request),
-    )
-
-
-csrf_input_lazy = lazy(csrf_input, SafeString, str)
-csrf_token_lazy = lazy(get_token, str)
-
-
 class TemplateView(View):
     """
     Render a template.
@@ -37,8 +21,6 @@ class TemplateView(View):
         return {
             "request": self.request,
             "template_names": self.get_template_names(),
-            "csrf_input": csrf_input_lazy(self.request),
-            "csrf_token": csrf_token_lazy(self.request),
             "DEBUG": settings.DEBUG,
         }
 

{plain-0.56.1.dist-info → plain-0.58.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plain
-Version: 0.56.1
+Version: 0.58.0
 Summary: A web framework for building products with Python.
 Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
 License-File: LICENSE