PyPI - statezero - Versions diffs - 0.1.0b17__tar.gz → 0.1.0b18__tar.gz - Mend

statezero 0.1.0b17tar.gz → 0.1.0b18tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of statezero might be problematic. Click here for more details.

Files changed (54) hide show

{statezero-0.1.0b17 → statezero-0.1.0b18}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: statezero
-Version: 0.1.0b17
+Version: 0.1.0b18
 Summary: Connect your Python backend to a modern JavaScript SPA frontend with 90% less complexity.
 Author-email: Robert <robert.herring@statezero.dev>
 Project-URL: homepage, https://www.statezero.dev

{statezero-0.1.0b17 → statezero-0.1.0b18}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "statezero"
-version = "0.1.0b17"
+version = "0.1.0b18"
 description = "Connect your Python backend to a modern JavaScript SPA frontend with 90% less complexity."
 readme = "README.md"
 license = { file = "LICENSE" }

{statezero-0.1.0b17 → statezero-0.1.0b18}/statezero/adaptors/django/orm.py RENAMED Viewed

@@ -763,6 +763,7 @@ class DjangoORMAdapter(AbstractORMProvider):
     def get_fields(self, model: models.Model) -> Set[str]:
         """
         Return a set of the model fields.
+        Includes both database fields and additional_fields (computed fields).
         """
         model_config = registry.get_config(model)
         if model_config.fields and "__all__" != model_config.fields:
@@ -775,6 +776,14 @@ class DjangoORMAdapter(AbstractORMProvider):
             resolved_fields = resolved_fields.union(additional_fields)
         return resolved_fields
+    def get_db_fields(self, model: models.Model) -> Set[str]:
+        """
+        Return only actual database fields for the model.
+        Excludes read-only additional_fields (computed fields).
+        Used for deserialization - hooks can write to any DB field.
+        """
+        return set(field.name for field in model._meta.get_fields())
     def build_model_graph(
         self, model: Type[models.Model], model_graph: nx.DiGraph = None
     ) -> nx.DiGraph:

{statezero-0.1.0b17 → statezero-0.1.0b18}/statezero/adaptors/django/schemas.py RENAMED Viewed

@@ -41,9 +41,9 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
         all_field_names: Set[str] = set()
         db_field_names: Set[str] = set()
-        if model_config.frontend_fields != "__all__":
+        if model_config.fields != "__all__":
             all_fields = [
-                field for field in all_fields if field.name in model_config.frontend_fields
+                field for field in all_fields if field.name in model_config.fields
             ]
         for field in all_fields:

{statezero-0.1.0b17 → statezero-0.1.0b18}/statezero/adaptors/django/serializers.py RENAMED Viewed

@@ -6,7 +6,7 @@ from rest_framework import serializers
 import contextvars
 from contextlib import contextmanager
 import logging
-from cytoolz import pluck
+from cytoolz import pluck, keyfilter
 from zen_queries import queries_disabled
 from statezero.adaptors.django.config import config, registry
@@ -484,33 +484,42 @@ class DRFDynamicSerializer(AbstractDataSerializer):
         # Serious security issue if fields_map is None
         assert fields_map is not None, "fields_map is required and cannot be None"
-        # Use the context manager for the duration of deserialization
-        with fields_map_context(fields_map):
-            # Create serializer class
-            serializer_class = DynamicModelSerializer.for_model(model)
-            available_fields = set(serializer_class().fields.keys())
+        # Get model name and allowed fields from fields_map
+        model_name = config.orm_provider.get_model_name(model)
+        allowed_fields = fields_map.get(model_name, set())
-            try:
-                model_config = registry.get_config(model)
-                if model_config.pre_hooks:
-                    for hook in model_config.pre_hooks:
-                        hook_result = hook(data, request=request)
-                        if settings.DEBUG:
-                            data = _check_pre_hook_result(
-                                original_data=data,
-                                result_data=hook_result,
-                                model=model,
-                                serializer_fields=available_fields
-                            )
-                        else:
-                            data = hook_result or data
-            except ValueError:
-                # No model config available
-                model_config = None
+        # Filter user input to only allowed fields (security boundary)
+        data = dict(keyfilter(lambda k: k in allowed_fields, data))
+        try:
+            model_config = registry.get_config(model)
+        except ValueError:
+            # No model config available
+            model_config = None
+        # Run pre-hooks on filtered data (hooks can add any DB fields)
+        if model_config and model_config.pre_hooks:
+            for hook in model_config.pre_hooks:
+                hook_result = hook(data, request=request)
+                if settings.DEBUG:
+                    # Note: available_fields check removed since hooks can add any DB field
+                    data = hook_result or data
+                else:
+                    data = hook_result or data
+        # Expand fields_map to all DB fields for serializer validation
+        # This allows hooks to add fields that aren't in the original fields_map
+        all_db_fields = config.orm_provider.get_db_fields(model)
+        expanded_fields_map = {model_name: all_db_fields}
+        # Use the context manager with expanded fields map
+        with fields_map_context(expanded_fields_map):
+            # Create serializer class with all DB fields available
+            serializer_class = DynamicModelSerializer.for_model(model)
             # Create serializer
             serializer = serializer_class(
-                data=data,
+                data=data,
                 partial=partial,
                 request=request
             )

{statezero-0.1.0b17 → statezero-0.1.0b18}/statezero/adaptors/django/views.py RENAMED Viewed

@@ -570,11 +570,11 @@ class FieldPermissionsView(APIView):
                 # For read operations, default "__all__" to frontend_fields
                 if operation_type == "read":
                     # If frontend_fields is also "__all__", then return all fields
-                    if model_config.frontend_fields == "__all__":
+                    if model_config.fields == "__all__":
                         return all_fields
                     # Otherwise, use frontend_fields as the default for "__all__"
                     else:
-                        fields = model_config.frontend_fields
+                        fields = model_config.fields
                         fields &= all_fields  # Ensure fields actually exist
                         allowed_fields |= fields
                 else:

{statezero-0.1.0b17 → statezero-0.1.0b18}/statezero/core/ast_parser.py RENAMED Viewed

@@ -386,19 +386,8 @@ class ASTParser:
                 # If any permission allows all fields
                 if fields == "__all__":
-                    # NEW: For read operations, default "__all__" to frontend_fields
-                    if operation_type == "read":
-                        # If frontend_fields is also "__all__", then return all fields
-                        if model_config.frontend_fields == "__all__":
-                            return all_fields
-                        # Otherwise, use frontend_fields as the default for "__all__"
-                        else:
-                            fields = model_config.frontend_fields
-                            fields &= all_fields  # Ensure fields actually exist
-                            allowed_fields |= fields
-                    else:
-                        # For create/update operations, "__all__" means truly all fields
-                        return all_fields
+                    return all_fields
                 # Add allowed fields from this permission
                 else:  # Ensure we're not operating on the string "__all__"
                     fields &= all_fields  # Ensure fields actually exist

{statezero-0.1.0b17 → statezero-0.1.0b18}/statezero/core/config.py RENAMED Viewed

@@ -181,7 +181,6 @@ class ModelConfig:
         searchable_fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
         ordering_fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
         fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
-        frontend_fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
         display: Optional[Any] = None,
         DEBUG: bool = False,
     ):
@@ -196,7 +195,6 @@ class ModelConfig:
         self.searchable_fields = searchable_fields or set()
         self.ordering_fields = ordering_fields or set()
         self.fields = fields or "__all__"
-        self.frontend_fields = frontend_fields or self.fields
         self.display = display
         self.DEBUG = DEBUG or False

{statezero-0.1.0b17 → statezero-0.1.0b18}/statezero/core/interfaces.py RENAMED Viewed

@@ -70,6 +70,16 @@ class AbstractORMProvider(ABC):
     def get_fields(self, model: ORMModel) -> Set[str]:
         """
         Get all of the model fields - doesn't apply permissions check.
+        Includes both database fields and additional_fields (computed fields).
+        """
+        pass
+    @abstractmethod
+    def get_db_fields(self, model: ORMModel) -> Set[str]:
+        """
+        Get only the actual database fields for a model.
+        Excludes read-only additional_fields (computed fields).
+        Used for deserialization - hooks can write to any DB field.
         """
         pass

{statezero-0.1.0b17 → statezero-0.1.0b18}/statezero.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: statezero
-Version: 0.1.0b17
+Version: 0.1.0b18
 Summary: Connect your Python backend to a modern JavaScript SPA frontend with 90% less complexity.
 Author-email: Robert <robert.herring@statezero.dev>
 Project-URL: homepage, https://www.statezero.dev