PyPI - statezero - Versions diffs - 0.1.0b16__tar.gz → 0.1.0b18__tar.gz - Mend

statezero 0.1.0b16tar.gz → 0.1.0b18tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of statezero might be problematic. Click here for more details.

Files changed (54) hide show

{statezero-0.1.0b16 → statezero-0.1.0b18}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: statezero
-Version: 0.1.0b16
+Version: 0.1.0b18
 Summary: Connect your Python backend to a modern JavaScript SPA frontend with 90% less complexity.
 Author-email: Robert <robert.herring@statezero.dev>
 Project-URL: homepage, https://www.statezero.dev

{statezero-0.1.0b16 → statezero-0.1.0b18}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "statezero"
-version = "0.1.0b16"
+version = "0.1.0b18"
 description = "Connect your Python backend to a modern JavaScript SPA frontend with 90% less complexity."
 readme = "README.md"
 license = { file = "LICENSE" }

{statezero-0.1.0b16 → statezero-0.1.0b18}/statezero/adaptors/django/orm.py RENAMED Viewed

@@ -763,6 +763,7 @@ class DjangoORMAdapter(AbstractORMProvider):
     def get_fields(self, model: models.Model) -> Set[str]:
         """
         Return a set of the model fields.
+        Includes both database fields and additional_fields (computed fields).
         """
         model_config = registry.get_config(model)
         if model_config.fields and "__all__" != model_config.fields:
@@ -775,6 +776,14 @@ class DjangoORMAdapter(AbstractORMProvider):
             resolved_fields = resolved_fields.union(additional_fields)
         return resolved_fields
+    def get_db_fields(self, model: models.Model) -> Set[str]:
+        """
+        Return only actual database fields for the model.
+        Excludes read-only additional_fields (computed fields).
+        Used for deserialization - hooks can write to any DB field.
+        """
+        return set(field.name for field in model._meta.get_fields())
     def build_model_graph(
         self, model: Type[models.Model], model_graph: nx.DiGraph = None
     ) -> nx.DiGraph:

{statezero-0.1.0b16 → statezero-0.1.0b18}/statezero/adaptors/django/schemas.py RENAMED Viewed

@@ -41,9 +41,9 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
         all_field_names: Set[str] = set()
         db_field_names: Set[str] = set()
-        if model_config.frontend_fields != "__all__":
+        if model_config.fields != "__all__":
             all_fields = [
-                field for field in all_fields if field.name in model_config.frontend_fields
+                field for field in all_fields if field.name in model_config.fields
             ]
         for field in all_fields:
@@ -323,8 +323,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
     @staticmethod
     def is_field_required(field: models.Field) -> bool:
         return (
-            not field.blank
-            and not field.null
+            not field.null
             and field.default == models.fields.NOT_PROVIDED
         )

{statezero-0.1.0b16 → statezero-0.1.0b18}/statezero/adaptors/django/serializers.py RENAMED Viewed

@@ -6,7 +6,7 @@ from rest_framework import serializers
 import contextvars
 from contextlib import contextmanager
 import logging
-from cytoolz import pluck
+from cytoolz import pluck, keyfilter
 from zen_queries import queries_disabled
 from statezero.adaptors.django.config import config, registry
@@ -484,33 +484,42 @@ class DRFDynamicSerializer(AbstractDataSerializer):
         # Serious security issue if fields_map is None
         assert fields_map is not None, "fields_map is required and cannot be None"
-        # Use the context manager for the duration of deserialization
-        with fields_map_context(fields_map):
-            # Create serializer class
-            serializer_class = DynamicModelSerializer.for_model(model)
-            available_fields = set(serializer_class().fields.keys())
+        # Get model name and allowed fields from fields_map
+        model_name = config.orm_provider.get_model_name(model)
+        allowed_fields = fields_map.get(model_name, set())
-            try:
-                model_config = registry.get_config(model)
-                if model_config.pre_hooks:
-                    for hook in model_config.pre_hooks:
-                        hook_result = hook(data, request=request)
-                        if settings.DEBUG:
-                            data = _check_pre_hook_result(
-                                original_data=data,
-                                result_data=hook_result,
-                                model=model,
-                                serializer_fields=available_fields
-                            )
-                        else:
-                            data = hook_result or data
-            except ValueError:
-                # No model config available
-                model_config = None
+        # Filter user input to only allowed fields (security boundary)
+        data = dict(keyfilter(lambda k: k in allowed_fields, data))
+        try:
+            model_config = registry.get_config(model)
+        except ValueError:
+            # No model config available
+            model_config = None
+        # Run pre-hooks on filtered data (hooks can add any DB fields)
+        if model_config and model_config.pre_hooks:
+            for hook in model_config.pre_hooks:
+                hook_result = hook(data, request=request)
+                if settings.DEBUG:
+                    # Note: available_fields check removed since hooks can add any DB field
+                    data = hook_result or data
+                else:
+                    data = hook_result or data
+        # Expand fields_map to all DB fields for serializer validation
+        # This allows hooks to add fields that aren't in the original fields_map
+        all_db_fields = config.orm_provider.get_db_fields(model)
+        expanded_fields_map = {model_name: all_db_fields}
+        # Use the context manager with expanded fields map
+        with fields_map_context(expanded_fields_map):
+            # Create serializer class with all DB fields available
+            serializer_class = DynamicModelSerializer.for_model(model)
             # Create serializer
             serializer = serializer_class(
-                data=data,
+                data=data,
                 partial=partial,
                 request=request
             )

{statezero-0.1.0b16 → statezero-0.1.0b18}/statezero/adaptors/django/urls.py RENAMED Viewed

@@ -1,6 +1,6 @@
 from django.urls import path
-from .views import EventsAuthView, ModelListView, ModelView, SchemaView, FileUploadView, FastUploadView, ActionSchemaView, ActionView, ValidateView
+from .views import EventsAuthView, ModelListView, ModelView, SchemaView, FileUploadView, FastUploadView, ActionSchemaView, ActionView, ValidateView, FieldPermissionsView
 app_name = "statezero"
@@ -12,6 +12,7 @@ urlpatterns = [
     path("actions/<str:action_name>/", ActionView.as_view(), name="action"),
     path("actions-schema/", ActionSchemaView.as_view(), name="actions_schema"),
     path("<str:model_name>/validate/", ValidateView.as_view(), name="validate"),
+    path("<str:model_name>/field-permissions/", FieldPermissionsView.as_view(), name="field_permissions"),
     path("<str:model_name>/get-schema/", SchemaView.as_view(), name="schema_view"),
     path("<str:model_name>/", ModelView.as_view(), name="model_view"),
 ]

{statezero-0.1.0b16 → statezero-0.1.0b18}/statezero/adaptors/django/views.py RENAMED Viewed

@@ -485,3 +485,104 @@ class ValidateView(APIView):
         except Exception as original_exception:
             # Let StateZero's exception handler deal with ValidationError, PermissionDenied, etc.
             return explicit_exception_handler(original_exception)
+class FieldPermissionsView(APIView):
+    """
+    Returns user-specific field permissions for a given model.
+    Used by frontend forms to determine which fields to show/enable at runtime.
+    """
+    permission_classes = [permission_class]
+    def get(self, request, model_name):
+        """Get field permissions for the current user."""
+        try:
+            # Create processor following the same pattern as other views
+            processor = RequestProcessor(config=config, registry=registry)
+            # Get model using the processor's ORM provider
+            try:
+                model = processor.orm_provider.get_model_by_name(model_name)
+            except (LookupError, ValueError):
+                return Response({"error": f"Model {model_name} not found"}, status=404)
+            if not model:
+                return Response({"error": f"Model {model_name} not found"}, status=404)
+            try:
+                model_config = processor.registry.get_config(model)
+            except ValueError:
+                return Response(
+                    {"error": f"Model {model_name} not registered"}, status=404
+                )
+            # Compute field permissions using the same logic as ASTParser._get_operation_fields
+            all_fields = processor.orm_provider.get_fields(model)
+            visible_fields = self._compute_operation_fields(
+                model, model_config, all_fields, request, "read"
+            )
+            creatable_fields = self._compute_operation_fields(
+                model, model_config, all_fields, request, "create"
+            )
+            editable_fields = self._compute_operation_fields(
+                model, model_config, all_fields, request, "update"
+            )
+            return Response(
+                {
+                    "visible_fields": list(visible_fields),
+                    "creatable_fields": list(creatable_fields),
+                    "editable_fields": list(editable_fields),
+                },
+                status=200,
+            )
+        except Exception as original_exception:
+            # Let StateZero's exception handler deal with errors
+            return explicit_exception_handler(original_exception)
+    def _compute_operation_fields(self, model, model_config, all_fields, request, operation_type):
+        """
+        Compute allowed fields for a specific operation type.
+        Replicates the logic from ASTParser._get_operation_fields.
+        """
+        from typing import Union, Set, Literal
+        allowed_fields = set()
+        for permission_cls in model_config.permissions:
+            permission = permission_cls()
+            # Get the appropriate field set based on operation
+            if operation_type == "read":
+                fields = permission.visible_fields(request, model)
+            elif operation_type == "create":
+                fields = permission.create_fields(request, model)
+            elif operation_type == "update":
+                fields = permission.editable_fields(request, model)
+            else:
+                fields = set()
+            # If any permission allows all fields
+            if fields == "__all__":
+                # For read operations, default "__all__" to frontend_fields
+                if operation_type == "read":
+                    # If frontend_fields is also "__all__", then return all fields
+                    if model_config.fields == "__all__":
+                        return all_fields
+                    # Otherwise, use frontend_fields as the default for "__all__"
+                    else:
+                        fields = model_config.fields
+                        fields &= all_fields  # Ensure fields actually exist
+                        allowed_fields |= fields
+                else:
+                    # For create/update operations, "__all__" means truly all fields
+                    return all_fields
+            else:
+                # Add allowed fields from this permission
+                fields &= all_fields  # Ensure fields actually exist
+                allowed_fields |= fields
+        return allowed_fields

{statezero-0.1.0b16 → statezero-0.1.0b18}/statezero/core/ast_parser.py RENAMED Viewed

@@ -386,19 +386,8 @@ class ASTParser:
                 # If any permission allows all fields
                 if fields == "__all__":
-                    # NEW: For read operations, default "__all__" to frontend_fields
-                    if operation_type == "read":
-                        # If frontend_fields is also "__all__", then return all fields
-                        if model_config.frontend_fields == "__all__":
-                            return all_fields
-                        # Otherwise, use frontend_fields as the default for "__all__"
-                        else:
-                            fields = model_config.frontend_fields
-                            fields &= all_fields  # Ensure fields actually exist
-                            allowed_fields |= fields
-                    else:
-                        # For create/update operations, "__all__" means truly all fields
-                        return all_fields
+                    return all_fields
                 # Add allowed fields from this permission
                 else:  # Ensure we're not operating on the string "__all__"
                     fields &= all_fields  # Ensure fields actually exist

{statezero-0.1.0b16 → statezero-0.1.0b18}/statezero/core/config.py RENAMED Viewed

@@ -181,7 +181,6 @@ class ModelConfig:
         searchable_fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
         ordering_fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
         fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
-        frontend_fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
         display: Optional[Any] = None,
         DEBUG: bool = False,
     ):
@@ -196,7 +195,6 @@ class ModelConfig:
         self.searchable_fields = searchable_fields or set()
         self.ordering_fields = ordering_fields or set()
         self.fields = fields or "__all__"
-        self.frontend_fields = frontend_fields or self.fields
         self.display = display
         self.DEBUG = DEBUG or False

{statezero-0.1.0b16 → statezero-0.1.0b18}/statezero/core/interfaces.py RENAMED Viewed

@@ -70,6 +70,16 @@ class AbstractORMProvider(ABC):
     def get_fields(self, model: ORMModel) -> Set[str]:
         """
         Get all of the model fields - doesn't apply permissions check.
+        Includes both database fields and additional_fields (computed fields).
+        """
+        pass
+    @abstractmethod
+    def get_db_fields(self, model: ORMModel) -> Set[str]:
+        """
+        Get only the actual database fields for a model.
+        Excludes read-only additional_fields (computed fields).
+        Used for deserialization - hooks can write to any DB field.
         """
         pass

{statezero-0.1.0b16 → statezero-0.1.0b18}/statezero.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: statezero
-Version: 0.1.0b16
+Version: 0.1.0b18
 Summary: Connect your Python backend to a modern JavaScript SPA frontend with 90% less complexity.
 Author-email: Robert <robert.herring@statezero.dev>
 Project-URL: homepage, https://www.statezero.dev