PyPI - plain - Versions diffs - 0.57.0__py3-none-any.whl → 0.59.0__py3-none-any.whl - Mend

plain 0.57.0py3-none-any.whl → 0.59.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

plain/CHANGELOG.md +28 -0
plain/cli/agent.py +6 -0
plain/cli/upgrade.py +1 -0
plain/csrf/README.md +61 -9
plain/csrf/middleware.py +95 -406
plain/exceptions.py +29 -13
plain/forms/README.md +0 -2
plain/internal/middleware/https.py +5 -3
plain/runtime/global_settings.py +51 -52
plain/runtime/utils.py +20 -0
plain/templates/README.md +0 -1
plain/test/client.py +2 -10
plain/views/README.md +0 -2
plain/views/objects.py +39 -66
plain/views/templates.py +6 -18
{plain-0.57.0.dist-info → plain-0.59.0.dist-info}/METADATA +1 -1
{plain-0.57.0.dist-info → plain-0.59.0.dist-info}/RECORD +20 -20
plain/views/csrf.py +0 -4
{plain-0.57.0.dist-info → plain-0.59.0.dist-info}/WHEEL +0 -0
{plain-0.57.0.dist-info → plain-0.59.0.dist-info}/entry_points.txt +0 -0
{plain-0.57.0.dist-info → plain-0.59.0.dist-info}/licenses/LICENSE +0 -0

plain/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,33 @@
 # plain changelog
+## [0.59.0](https://github.com/dropseed/plain/releases/plain@0.59.0) (2025-08-22)
+### What's changed
+- Added new `APP_NAME` setting that defaults to the project name from `pyproject.toml` ([1a4d60e](https://github.com/dropseed/plain/commit/1a4d60e787))
+- Template views now validate that `get_template_names()` returns a list instead of a string ([428a64f](https://github.com/dropseed/plain/commit/428a64f8cc))
+- Object views now use cached properties for `.object` and `.objects` to improve performance ([bd0507a](https://github.com/dropseed/plain/commit/bd0507a72c))
+- Improved `plain upgrade` command to suggest using subagents when there are more than 3 package updates ([497c30d](https://github.com/dropseed/plain/commit/497c30d445))
+### Upgrade instructions
+- In object views, `self.load_object()` is no longer necessary as `self.object` is now a cached property.
+## [0.58.0](https://github.com/dropseed/plain/releases/plain@0.58.0) (2025-08-19)
+### What's changed
+- Complete rewrite of CSRF protection using modern Sec-Fetch-Site headers and origin validation ([955150800c](https://github.com/dropseed/plain/commit/955150800c))
+- Replaced CSRF view mixin with path-based exemptions using `CSRF_EXEMPT_PATHS` setting ([2a50a9154e](https://github.com/dropseed/plain/commit/2a50a9154e))
+- Renamed `HTTPS_REDIRECT_EXEMPT` to `HTTPS_REDIRECT_EXEMPT_PATHS` with leading slash requirement ([b53d3bb7a7](https://github.com/dropseed/plain/commit/b53d3bb7a7))
+- Agent commands now print prompts directly when running in Claude Code or Codex Sandbox environments ([6eaed8ae3b](https://github.com/dropseed/plain/commit/6eaed8ae3b))
+### Upgrade instructions
+- Remove any usage of `CsrfExemptViewMixin` and `request.csrf_exempt` and add exempt paths to the `CSRF_EXEMPT_PATHS` setting instead (ex. `CSRF_EXEMPT_PATHS = [r"^/api/", r"/webhooks/.*"]` -- but consider first whether the view still needs CSRF exemption under the new implementation)
+- Replace `HTTPS_REDIRECT_EXEMPT` with `HTTPS_REDIRECT_EXEMPT_PATHS` and ensure patterns include leading slash (ex. `[r"^/health$", r"/api/internal/.*"]`)
+- Remove all CSRF cookie and token related settings - the new implementation doesn't use cookies or tokens (ex. `{{ csrf_input }}` and `{{ csrf_token }}`)
 ## [0.57.0](https://github.com/dropseed/plain/releases/plain@0.57.0) (2025-08-15)
 ### What's changed

plain/cli/agent.py CHANGED Viewed

@@ -1,3 +1,4 @@
+import os
 import shlex
 import subprocess
@@ -20,6 +21,11 @@ def prompt_agent(
         True if the agent command succeeded (or no agent command was provided),
         False if the agent command failed.
     """
+    # Check if running inside an agent and just print the prompt if so
+    if os.environ.get("CLAUDECODE") or os.environ.get("CODEX_SANDBOX"):
+        click.echo(prompt)
+        return True
     if print_only or not agent_command:
         click.echo(prompt)
         if not print_only:

plain/cli/upgrade.py CHANGED Viewed

@@ -158,6 +158,7 @@ def build_prompt(before_after: dict[str, tuple[str | None, str | None]]) -> str:
             "",
             "3. **Available tools:**",
             "   - Python shell: `uv run python`",
+            "   - If you have a subagents feature and there are more than three packages here, use subagents",
             "",
             "4. **Workflow:**",
             "   - Review changelog for each package → Apply changes → Move to next package",

plain/csrf/README.md CHANGED Viewed

@@ -1,23 +1,75 @@
 # CSRF
-**Cross-Site Request Forgery (CSRF) protection.**
+**Cross-Site Request Forgery (CSRF) protection using modern request headers.**
 - [Overview](#overview)
 - [Usage](#usage)
+- [CSRF Exempt Paths](#csrf-exempt-paths)
+- [Trusted Origins](#trusted-origins)
 ## Overview
-Plain protects against [CSRF attacks](https://en.wikipedia.org/wiki/Cross-site_request_forgery) through a [middleware](./middleware.py#CsrfViewMiddleware) that compares the generated `csrftoken` cookie with the CSRF token from the request (either `_csrftoken` in form data or the `CSRF-Token` header).
+Plain provides modern CSRF protection based on [Filippo Valsorda's 2025 research](https://words.filippo.io/csrf/) using `Sec-Fetch-Site` headers and origin validation.
 ## Usage
-The `CsrfViewMiddleware` is [automatically installed](../internal/handlers/base.py#BUILTIN_BEFORE_MIDDLEWARE), so you don't need to add it to your `settings.MIDDLEWARE`.
+The `CsrfViewMiddleware` is [automatically installed](../internal/handlers/base.py#BUILTIN_BEFORE_MIDDLEWARE) and works transparently. **No changes to your forms or templates are needed.**
-When you use HTML forms, you should include the CSRF token in the form data via a hidden input:
+## CSRF Exempt Paths
-```html
-<form method="post">
-    {{ csrf_input }}
-    <!-- other form fields here -->
-</form>
+In some cases, you may need to disable CSRF protection for specific paths (like API endpoints or webhooks). Configure exempt paths using regex patterns in your settings:
+```python
+# settings.py
+CSRF_EXEMPT_PATHS = [
+    r"^/api/",             # All API endpoints
+    r"^/api/v\d+/",        # Versioned APIs: /api/v1/, /api/v2/, etc.
+    r"/webhooks/.*",       # All webhook paths
+    r"/webhooks/github/",  # Specific webhook
+    r"/health$",           # Exact match for /health endpoint
+]
 ```
+**Pattern Matching**: Exempt paths use Python regex patterns with `re.search()` against the full URL path including the leading slash.
+**Examples:**
+- `r"^/api/"` - matches `/api/users/`, `/api/posts/`
+- `r"/webhooks/.*"` - matches `/webhooks/github/push`, `/webhooks/stripe/payment`
+- `r"/health$"` - matches `/health` but not `/health-check`
+- `r"^/api/v\d+/"` - matches `/api/v1/users/`, `/api/v2/posts/`
+**Common Use Cases:**
+```python
+CSRF_EXEMPT_PATHS = [
+    # API endpoints (often consumed by JavaScript/mobile apps)
+    r"^/api/",
+    # Webhooks (external services posting data)
+    r"/webhooks/.*",
+    # Health checks and monitoring
+    r"/health$",
+    r"/status$",
+    r"/metrics$",
+    # File uploads (if using direct POST)
+    r"/upload/",
+]
+```
+## Trusted Origins
+In some cases, you may need to allow requests from specific external origins (like API clients or mobile apps). You can configure trusted origins in your settings:
+```python
+# settings.py
+CSRF_TRUSTED_ORIGINS = [
+    "https://api.example.com",
+    "https://mobile.example.com:8443",
+    "https://trusted-partner.com",
+]
+```
+**Important**: Trusted origins bypass **all** CSRF protection. Only add origins you completely trust, as they can make requests that appear to come from your users.

plain 0.57.0__py3-none-any.whl → 0.59.0__py3-none-any.whl

plain 0.57.0py3-none-any.whl → 0.59.0py3-none-any.whl