statezero 0.1.0b14__tar.gz → 0.1.0b20__tar.gz

{statezero-0.1.0b14 → statezero-0.1.0b20}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: statezero
-Version: 0.1.0b14
+Version: 0.1.0b20
 Summary: Connect your Python backend to a modern JavaScript SPA frontend with 90% less complexity.
 Author-email: Robert <robert.herring@statezero.dev>
 Project-URL: homepage, https://www.statezero.dev

{statezero-0.1.0b14 → statezero-0.1.0b20}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "statezero"
-version = "0.1.0b14"
+version = "0.1.0b20"
 description = "Connect your Python backend to a modern JavaScript SPA frontend with 90% less complexity."
 readme = "README.md"
 license = { file = "LICENSE" }

{statezero-0.1.0b14 → statezero-0.1.0b20}/statezero/adaptors/django/actions.py

@@ -125,6 +125,14 @@ class DjangoActionSchemaGenerator:
                 return "string"
             return "integer"
 
+        # Handle nested serializers (many=True creates a ListSerializer)
+        if isinstance(field, serializers.ListSerializer):
+            return "array"
+
+        # Handle nested serializers (single nested serializer)
+        if isinstance(field, serializers.Serializer):
+            return "object"
+
         type_mapping = {
             fields.BooleanField: "boolean",
             fields.CharField: "string",

{statezero-0.1.0b14 → statezero-0.1.0b20}/statezero/adaptors/django/orm.py

@@ -763,6 +763,7 @@ class DjangoORMAdapter(AbstractORMProvider):
     def get_fields(self, model: models.Model) -> Set[str]:
         """
         Return a set of the model fields.
+        Includes both database fields and additional_fields (computed fields).
         """
         model_config = registry.get_config(model)
         if model_config.fields and "__all__" != model_config.fields:
@@ -775,6 +776,14 @@ class DjangoORMAdapter(AbstractORMProvider):
             resolved_fields = resolved_fields.union(additional_fields)
         return resolved_fields
 
+    def get_db_fields(self, model: models.Model) -> Set[str]:
+        """
+        Return only actual database fields for the model.
+        Excludes read-only additional_fields (computed fields).
+        Used for deserialization - hooks can write to any DB field.
+        """
+        return set(field.name for field in model._meta.get_fields())
+
     def build_model_graph(
         self, model: Type[models.Model], model_graph: nx.DiGraph = None
     ) -> nx.DiGraph:

{statezero-0.1.0b14 → statezero-0.1.0b20}/statezero/adaptors/django/schemas.py

@@ -41,9 +41,9 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
         all_field_names: Set[str] = set()
         db_field_names: Set[str] = set()
 
-        if model_config.frontend_fields != "__all__":
+        if model_config.fields != "__all__":
             all_fields = [
-                field for field in all_fields if field.name in model_config.frontend_fields
+                field for field in all_fields if field.name in model_config.fields
             ]
 
         for field in all_fields:
@@ -178,6 +178,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
                 nullable=False,
                 format=FieldFormat.ID,
                 description=description,
+                read_only=True,
             )
         elif isinstance(field, models.UUIDField):
             return SchemaFieldMetadata(
@@ -187,6 +188,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
                 nullable=False,
                 format=FieldFormat.UUID,
                 description=description,
+                read_only=True,
             )
         elif isinstance(field, models.CharField):
             return SchemaFieldMetadata(
@@ -197,6 +199,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
                 format=FieldFormat.ID,
                 max_length=field.max_length,
                 description=description,
+                read_only=True,
             )
         else:
             return SchemaFieldMetadata(
@@ -206,6 +209,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
                 nullable=False,
                 format=FieldFormat.ID,
                 description=description,
+                read_only=True,
             )
 
     def get_field_metadata(
@@ -256,6 +260,9 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
         elif isinstance(field, models.DateField):
             field_type = FieldType.STRING
             field_format = FieldFormat.DATE
+        elif isinstance(field, models.TimeField):
+            field_type = FieldType.STRING
+            field_format = FieldFormat.TIME
         elif isinstance(field, (models.ForeignKey, models.OneToOneField)):
             field_type = self.get_pk_type(field)
             field_format = self.get_relation_type(field)
@@ -286,6 +293,12 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
         elif callable(default):
             default = default()
 
+        # Check if field should be read-only (auto_now or auto_now_add)
+        read_only = False
+        if isinstance(field, (models.DateTimeField, models.DateField, models.TimeField)):
+            if getattr(field, "auto_now", False) or getattr(field, "auto_now_add", False):
+                read_only = True
+
         return SchemaFieldMetadata(
             type=field_type,
             title=title,
@@ -299,6 +312,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
             max_digits=max_digits,
             decimal_places=decimal_places,
             description=description,
+            read_only=read_only,
         )
 
     def get_field_title(self, field: models.Field) -> str:
@@ -309,8 +323,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
     @staticmethod
     def is_field_required(field: models.Field) -> bool:
         return (
-            not field.blank
-            and not field.null
+            not field.null
             and field.default == models.fields.NOT_PROVIDED
         )
 

{statezero-0.1.0b14 → statezero-0.1.0b20}/statezero/adaptors/django/serializers.py

@@ -6,7 +6,7 @@ from rest_framework import serializers
 import contextvars
 from contextlib import contextmanager
 import logging
-from cytoolz import pluck
+from cytoolz import pluck, keyfilter
 from zen_queries import queries_disabled
 
 from statezero.adaptors.django.config import config, registry
@@ -484,33 +484,48 @@ class DRFDynamicSerializer(AbstractDataSerializer):
         # Serious security issue if fields_map is None
         assert fields_map is not None, "fields_map is required and cannot be None"
 
-        # Use the context manager for the duration of deserialization
-        with fields_map_context(fields_map):
-            # Create serializer class
-            serializer_class = DynamicModelSerializer.for_model(model)
-            available_fields = set(serializer_class().fields.keys())
+        # Get model name and allowed fields from fields_map
+        model_name = config.orm_provider.get_model_name(model)
+        allowed_fields = fields_map.get(model_name, set())
 
-            try:
-                model_config = registry.get_config(model)
-                if model_config.pre_hooks:
-                    for hook in model_config.pre_hooks:
-                        hook_result = hook(data, request=request)
-                        if settings.DEBUG:
-                            data = _check_pre_hook_result(
-                                original_data=data,
-                                result_data=hook_result,
-                                model=model,
-                                serializer_fields=available_fields
-                            )
-                        else:
-                            data = hook_result or data
-            except ValueError:
-                # No model config available
-                model_config = None
+        # Filter user input to only allowed fields (security boundary)
+        data = dict(keyfilter(lambda k: k in allowed_fields, data))
+
+        try:
+            model_config = registry.get_config(model)
+        except ValueError:
+            # No model config available
+            model_config = None
+
+        # Run pre-hooks on filtered data (hooks can add any DB fields)
+        if model_config and model_config.pre_hooks:
+            for hook in model_config.pre_hooks:
+                hook_result = hook(data, request=request)
+                if settings.DEBUG:
+                    # Note: available_fields check removed since hooks can add any DB field
+                    data = hook_result or data
+                else:
+                    data = hook_result or data
+
+        # Expand fields_map to include fields that hooks may have added
+        # For partial updates, only include allowed_fields + any fields in the data
+        # This prevents validation errors on required fields that were filtered out
+        if partial:
+            # For partial updates: only include fields that are either allowed or in the data
+            expanded_fields = allowed_fields | set(data.keys())
+        else:
+            # For creates: include all DB fields to allow hooks to add any field
+            expanded_fields = config.orm_provider.get_db_fields(model)
+        expanded_fields_map = {model_name: expanded_fields}
+
+        # Use the context manager with expanded fields map
+        with fields_map_context(expanded_fields_map):
+            # Create serializer class with all DB fields available
+            serializer_class = DynamicModelSerializer.for_model(model)
 
             # Create serializer
             serializer = serializer_class(
-                data=data, 
+                data=data,
                 partial=partial,
                 request=request
             )

{statezero-0.1.0b14 → statezero-0.1.0b20}/statezero/adaptors/django/urls.py

@@ -1,6 +1,6 @@
 from django.urls import path
 
-from .views import EventsAuthView, ModelListView, ModelView, SchemaView, FileUploadView, FastUploadView, ActionSchemaView, ActionView, ValidateView
+from .views import EventsAuthView, ModelListView, ModelView, SchemaView, FileUploadView, FastUploadView, ActionSchemaView, ActionView, ValidateView, FieldPermissionsView
 
 app_name = "statezero"
 
@@ -12,6 +12,7 @@ urlpatterns = [
     path("actions/<str:action_name>/", ActionView.as_view(), name="action"),
     path("actions-schema/", ActionSchemaView.as_view(), name="actions_schema"),
     path("<str:model_name>/validate/", ValidateView.as_view(), name="validate"),
+    path("<str:model_name>/field-permissions/", FieldPermissionsView.as_view(), name="field_permissions"),
     path("<str:model_name>/get-schema/", SchemaView.as_view(), name="schema_view"),
     path("<str:model_name>/", ModelView.as_view(), name="model_view"),
 ]

{statezero-0.1.0b14 → statezero-0.1.0b20}/statezero/adaptors/django/views.py

@@ -485,3 +485,104 @@ class ValidateView(APIView):
         except Exception as original_exception:
             # Let StateZero's exception handler deal with ValidationError, PermissionDenied, etc.
             return explicit_exception_handler(original_exception)
+
+
+class FieldPermissionsView(APIView):
+    """
+    Returns user-specific field permissions for a given model.
+    Used by frontend forms to determine which fields to show/enable at runtime.
+    """
+
+    permission_classes = [permission_class]
+
+    def get(self, request, model_name):
+        """Get field permissions for the current user."""
+        try:
+            # Create processor following the same pattern as other views
+            processor = RequestProcessor(config=config, registry=registry)
+
+            # Get model using the processor's ORM provider
+            try:
+                model = processor.orm_provider.get_model_by_name(model_name)
+            except (LookupError, ValueError):
+                return Response({"error": f"Model {model_name} not found"}, status=404)
+
+            if not model:
+                return Response({"error": f"Model {model_name} not found"}, status=404)
+
+            try:
+                model_config = processor.registry.get_config(model)
+            except ValueError:
+                return Response(
+                    {"error": f"Model {model_name} not registered"}, status=404
+                )
+
+            # Compute field permissions using the same logic as ASTParser._get_operation_fields
+            all_fields = processor.orm_provider.get_fields(model)
+
+            visible_fields = self._compute_operation_fields(
+                model, model_config, all_fields, request, "read"
+            )
+            creatable_fields = self._compute_operation_fields(
+                model, model_config, all_fields, request, "create"
+            )
+            editable_fields = self._compute_operation_fields(
+                model, model_config, all_fields, request, "update"
+            )
+
+            return Response(
+                {
+                    "visible_fields": list(visible_fields),
+                    "creatable_fields": list(creatable_fields),
+                    "editable_fields": list(editable_fields),
+                },
+                status=200,
+            )
+
+        except Exception as original_exception:
+            # Let StateZero's exception handler deal with errors
+            return explicit_exception_handler(original_exception)
+
+    def _compute_operation_fields(self, model, model_config, all_fields, request, operation_type):
+        """
+        Compute allowed fields for a specific operation type.
+        Replicates the logic from ASTParser._get_operation_fields.
+        """
+        from typing import Union, Set, Literal
+
+        allowed_fields = set()
+
+        for permission_cls in model_config.permissions:
+            permission = permission_cls()
+
+            # Get the appropriate field set based on operation
+            if operation_type == "read":
+                fields = permission.visible_fields(request, model)
+            elif operation_type == "create":
+                fields = permission.create_fields(request, model)
+            elif operation_type == "update":
+                fields = permission.editable_fields(request, model)
+            else:
+                fields = set()
+
+            # If any permission allows all fields
+            if fields == "__all__":
+                # For read operations, default "__all__" to frontend_fields
+                if operation_type == "read":
+                    # If frontend_fields is also "__all__", then return all fields
+                    if model_config.fields == "__all__":
+                        return all_fields
+                    # Otherwise, use frontend_fields as the default for "__all__"
+                    else:
+                        fields = model_config.fields
+                        fields &= all_fields  # Ensure fields actually exist
+                        allowed_fields |= fields
+                else:
+                    # For create/update operations, "__all__" means truly all fields
+                    return all_fields
+            else:
+                # Add allowed fields from this permission
+                fields &= all_fields  # Ensure fields actually exist
+                allowed_fields |= fields
+
+        return allowed_fields

{statezero-0.1.0b14 → statezero-0.1.0b20}/statezero/core/ast_parser.py

@@ -386,19 +386,8 @@ class ASTParser:
 
                 # If any permission allows all fields
                 if fields == "__all__":
-                    # NEW: For read operations, default "__all__" to frontend_fields
-                    if operation_type == "read":
-                        # If frontend_fields is also "__all__", then return all fields
-                        if model_config.frontend_fields == "__all__":
-                            return all_fields
-                        # Otherwise, use frontend_fields as the default for "__all__"
-                        else:
-                            fields = model_config.frontend_fields
-                            fields &= all_fields  # Ensure fields actually exist
-                            allowed_fields |= fields
-                    else:
-                        # For create/update operations, "__all__" means truly all fields
-                        return all_fields
+                    return all_fields
+
                 # Add allowed fields from this permission
                 else:  # Ensure we're not operating on the string "__all__"
                     fields &= all_fields  # Ensure fields actually exist

{statezero-0.1.0b14 → statezero-0.1.0b20}/statezero/core/classes.py

@@ -71,6 +71,7 @@ class FieldFormat(str, Enum):
     TEXT = "text"
     DATE = "date"
     DATETIME = "date-time"
+    TIME = "time"
     FOREIGN_KEY = "foreign-key"
     ONE_TO_ONE = "one-to-one"
     MANY_TO_MANY = "many-to-many"

{statezero-0.1.0b14 → statezero-0.1.0b20}/statezero/core/config.py

@@ -181,7 +181,6 @@ class ModelConfig:
         searchable_fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
         ordering_fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
         fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
-        frontend_fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
         display: Optional[Any] = None,
         DEBUG: bool = False,
     ):
@@ -196,7 +195,6 @@ class ModelConfig:
         self.searchable_fields = searchable_fields or set()
         self.ordering_fields = ordering_fields or set()
         self.fields = fields or "__all__"
-        self.frontend_fields = frontend_fields or self.fields
         self.display = display
         self.DEBUG = DEBUG or False
 

{statezero-0.1.0b14 → statezero-0.1.0b20}/statezero/core/interfaces.py

@@ -70,6 +70,16 @@ class AbstractORMProvider(ABC):
     def get_fields(self, model: ORMModel) -> Set[str]:
         """
         Get all of the model fields - doesn't apply permissions check.
+        Includes both database fields and additional_fields (computed fields).
+        """
+        pass
+
+    @abstractmethod
+    def get_db_fields(self, model: ORMModel) -> Set[str]:
+        """
+        Get only the actual database fields for a model.
+        Excludes read-only additional_fields (computed fields).
+        Used for deserialization - hooks can write to any DB field.
         """
         pass
 

{statezero-0.1.0b14 → statezero-0.1.0b20}/statezero.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: statezero
-Version: 0.1.0b14
+Version: 0.1.0b20
 Summary: Connect your Python backend to a modern JavaScript SPA frontend with 90% less complexity.
 Author-email: Robert <robert.herring@statezero.dev>
 Project-URL: homepage, https://www.statezero.dev