Fixed filters

Author: vsdudakov

fastadmin/api/frameworks/flask/api.py

@@ -163,7 +163,7 @@ async def add(model: str) -> dict:
         raise http_exception
 
 
-@api_router.route("/change-password/<string:id>", methods=["PATCH"])
+@api_router.route("/change-password/<string:id>", methods=["PATCH"])  # type: ignore
 async def change_password(id: UUID | int) -> UUID | int:
     """This method is used to change password.
 

fastadmin/api/helpers.py

@@ -4,10 +4,11 @@
 import jwt
 
 from fastadmin.models.helpers import get_admin_model
+from fastadmin.models.schemas import ModelFieldWidgetSchema
 from fastadmin.settings import settings
 
 
-def sanitize(value: str) -> bool | None | str:
+def sanitize_filter_value(value: str) -> bool | None | str:
     """Sanitize value
 
     :params value: a value.
@@ -22,6 +23,23 @@ def sanitize(value: str) -> bool | None | str:
     return value
 
 
+def sanitize_filter_key(key: str, fields: list[ModelFieldWidgetSchema]) -> tuple[str, str]:
+    """Sanitize key.
+
+    :param key: A key.
+    :param fields: A list of fields.
+    :return: A sanitized key.
+    """
+    if "__" not in key:
+        key = f"{key}__exact"
+    field_name = key.split("__", 1)[0]
+    condition = key.split("__", 1)[1]
+    field: ModelFieldWidgetSchema | None = next((field for field in fields if field.name == field_name), None)
+    if field and field.filter_widget_props.get("parentModel") and not field.is_m2m:
+        field_name = f"{field_name}_id"
+    return field_name, condition
+
+
 def is_valid_uuid(uuid_to_test: str) -> bool:
     """Check if uuid_to_test is a valid uuid.
 

fastadmin/api/service.py

@@ -9,7 +9,7 @@
 from asgiref.sync import sync_to_async
 
 from fastadmin.api.exceptions import AdminApiException
-from fastadmin.api.helpers import get_user_id_from_session_id, sanitize
+from fastadmin.api.helpers import get_user_id_from_session_id, sanitize_filter_key, sanitize_filter_value
 from fastadmin.api.schemas import (
     ActionInputSchema,
     ChangePasswordInputSchema,
@@ -88,8 +88,6 @@ async def list(
         if not admin_model:
             raise AdminApiException(404, detail=f"{model} model is not registered.")
 
-        filters = {k: sanitize(v) for k, v in filters.items() if k not in ("search", "sort_by", "offset", "limit")}
-
         # validations
         fields = admin_model.get_fields_for_serialize()
 
@@ -98,11 +96,19 @@ async def list(
                 if field not in fields:
                     raise AdminApiException(422, detail=f"Search by {field} is not allowed")
 
+        exclude_filter_fields = ("search", "sort_by", "offset", "limit")
         if filters:
-            for filter_condition in filters.keys():
-                field = filter_condition.split("__", 1)[0]
+            for k in filters.keys():
+                if k in exclude_filter_fields:
+                    continue
+                field = k.split("__", 1)[0]
                 if field not in fields:
-                    raise AdminApiException(422, detail=f"Filter by {filter_condition} is not allowed")
+                    raise AdminApiException(422, detail=f"Filter by {k} is not allowed")
+            filters = {
+                sanitize_filter_key(k, admin_model.get_model_fields_with_widget_types()): sanitize_filter_value(v)
+                for k, v in filters.items()
+                if k not in exclude_filter_fields
+            }
 
         if sort_by:
             if sort_by.strip("-") not in fields:
@@ -169,7 +175,7 @@ async def change_password(
         if not current_user_id:
             raise AdminApiException(401, detail="User is not authenticated.")
 
-        admin_model = get_admin_or_admin_inline_model(settings.ADMIN_USER_MODEL)
+        admin_model = get_admin_model(settings.ADMIN_USER_MODEL)
         if not admin_model:
             raise AdminApiException(404, detail=f"{settings.ADMIN_USER_MODEL} model is not registered.")
 
@@ -223,7 +229,35 @@ async def export(
         if not admin_model:
             raise AdminApiException(404, detail=f"{model} model is not registered.")
 
-        filters = {k: sanitize(v) for k, v in filters.items() if k not in ("search", "sort_by", "offset", "limit")}
+        # validations
+        fields = admin_model.get_fields_for_serialize()
+
+        if search and admin_model.search_fields:
+            for field in admin_model.search_fields:
+                if field not in fields:
+                    raise AdminApiException(422, detail=f"Search by {field} is not allowed")
+
+        exclude_filter_fields = ("search", "sort_by", "offset", "limit")
+        if filters:
+            for k in filters.keys():
+                if k in exclude_filter_fields:
+                    continue
+                field = k.split("__", 1)[0]
+                if field not in fields:
+                    raise AdminApiException(422, detail=f"Filter by {k} is not allowed")
+            filters = {
+                sanitize_filter_key(k, admin_model.get_model_fields_with_widget_types()): sanitize_filter_value(v)
+                for k, v in filters.items()
+                if k not in exclude_filter_fields
+            }
+
+        if sort_by:
+            if sort_by.strip("-") not in fields:
+                raise AdminApiException(422, detail=f"Sort by {sort_by} is not allowed")
+        elif admin_model.ordering:
+            for ordering_field in admin_model.ordering:
+                if ordering_field.strip("-") not in fields:
+                    raise AdminApiException(422, detail=f"Sort by {ordering_field} is not allowed")
 
         content_type = "text/plain"
         file_name = f"{model}.txt"

fastadmin/models/orms/django.py

@@ -230,8 +230,10 @@ def orm_get_list(
         qs = self.model_cls.objects.all()
 
         if filters:
-            for filter_condition, value in filters.items():
-                qs = qs.filter(**{filter_condition: value})
+            for field_with_condition, value in filters.items():
+                field = field_with_condition[0]
+                condition = field_with_condition[1]
+                qs = qs.filter(**{f"{field}__{condition}" if condition != "exact" else field: value})
 
         if search and self.search_fields:
             ids = []

fastadmin/models/orms/ponyorm.py

@@ -230,28 +230,29 @@ def orm_get_list(
         qs = select(m for m in self.model_cls)
 
         if filters:
-            for filter_condition, value in filters.items():
-                if "__" not in filter_condition:
-                    filter_condition = f"{filter_condition}__exact"
-                field = filter_condition.split("__")[0]
-                cond = filter_condition.split("__")[1]
-                pony_cond = "=="
-                match cond:
+            for field_with_condition, value in filters.items():
+                field = field_with_condition[0]
+                condition = field_with_condition[1]
+                model_pk_name = self.get_model_pk_name(self.model_cls)
+                if field.endswith(f"_{model_pk_name}"):
+                    field = field.replace(f"_{model_pk_name}", f".{model_pk_name}")
+                pony_condition = "=="
+                match condition:
                     case "lte":
-                        pony_cond = ">="
+                        pony_condition = ">="
                     case "gte":
-                        pony_cond = "<="
+                        pony_condition = "<="
                     case "lt":
-                        pony_cond = ">"
+                        pony_condition = ">"
                     case "gt":
-                        pony_cond = "<"
+                        pony_condition = "<"
                     case "exact":
-                        pony_cond = "=="
+                        pony_condition = "=="
                     case "contains":
-                        pony_cond = "in"
+                        pony_condition = "in"
                     case "icontains":
-                        pony_cond = "in"
-                filter_expr = f""""{value}" {pony_cond}  m.{field}"""
+                        pony_condition = "in"
+                filter_expr = f""""{value}" {pony_condition}  m.{field}"""
                 qs = qs.filter(filter_expr)
 
         if search and self.search_fields:

fastadmin/models/orms/sqlalchemy.py

@@ -251,10 +251,24 @@ def convert_sort_by(sort_by: str) -> str:
 
             if filters:
                 q = []
-                for filter_condition, value in filters.items():
-                    if "__icontains" in filter_condition:
-                        field = filter_condition.replace("__icontains", "")
-                        q.append(getattr(self.model_cls, field).ilike(f"%{value}%"))
+                for field_with_condition, value in filters.items():
+                    field = field_with_condition[0]
+                    condition = field_with_condition[1]
+                    match condition:
+                        case "lte":
+                            q.append(getattr(self.model_cls, field) >= value)
+                        case "gte":
+                            q.append(getattr(self.model_cls, field) <= value)
+                        case "lt":
+                            q.append(getattr(self.model_cls, field) > value)
+                        case "gt":
+                            q.append(getattr(self.model_cls, field) < value)
+                        case "exact":
+                            q.append(getattr(self.model_cls, field) == value)
+                        case "contains":
+                            q.append(getattr(self.model_cls, field).like(f"%{value}%"))
+                        case "icontains":
+                            q.append(getattr(self.model_cls, field).ilike(f"%{value}%"))
                 qs = qs.filter(and_(*q))
 
             if search and self.search_fields:

fastadmin/models/orms/tortoise.py

@@ -231,8 +231,10 @@ async def orm_get_list(
         qs = self.model_cls.all()
 
         if filters:
-            for filter_condition, value in filters.items():
-                qs = qs.filter(**{filter_condition: value})
+            for field_with_condition, value in filters.items():
+                field = field_with_condition[0]
+                condition = field_with_condition[1]
+                qs = qs.filter(**{f"{field}__{condition}" if condition != "exact" else field: value})
 
         if search and self.search_fields:
             ids = []

frontend/src/components/inline-widget/index.tsx

@@ -66,7 +66,7 @@ export const InlineWidget: React.FC<IInlineWidget> = ({ modelConfiguration, pare
 
   const onOpenAdd = useCallback(() => {
     formAdd.resetFields();
-    formAdd.setFieldsValue({ [modelConfiguration.fk_name]: parentId });
+    formAdd.setFieldValue(modelConfiguration.fk_name, parentId);
     setOpenAdd(true);
     setOpenChange(undefined);
   }, [formAdd, parentId, modelConfiguration.fk_name]);
@@ -79,7 +79,7 @@ export const InlineWidget: React.FC<IInlineWidget> = ({ modelConfiguration, pare
   const onOpenChange = useCallback(
     (item: any) => {
       formChange.resetFields();
-      formChange.setFieldsValue({ [modelConfiguration.fk_name]: parentId });
+      formChange.setFieldValue(modelConfiguration.fk_name, parentId);
       formChange.setFieldsValue(transformDataFromServer(item));
       setOpenChange(item);
       setOpenAdd(false);
@@ -97,6 +97,7 @@ export const InlineWidget: React.FC<IInlineWidget> = ({ modelConfiguration, pare
     sort_by: sortBy,
     offset: (page - 1) * pageSize,
     limit: pageSize,
+    [modelConfiguration.fk_name]: parentId,
     ...transformFiltersToServer(filters),
   });
 

tests/api/test_helpers.py

@@ -3,15 +3,21 @@
 
 import jwt
 
-from fastadmin.api.helpers import get_user_id_from_session_id, is_digit, is_valid_id, is_valid_uuid, sanitize
+from fastadmin.api.helpers import (
+    get_user_id_from_session_id,
+    is_digit,
+    is_valid_id,
+    is_valid_uuid,
+    sanitize_filter_value,
+)
 from fastadmin.settings import settings
 
 
-async def test_sanitize():
-    assert sanitize("true") is True
-    assert sanitize("false") is False
-    assert sanitize("null") is None
-    assert sanitize("foo") == "foo"
+async def test_sanitize_filter_value():
+    assert sanitize_filter_value("true") is True
+    assert sanitize_filter_value("false") is False
+    assert sanitize_filter_value("null") is None
+    assert sanitize_filter_value("foo") == "foo"
 
 
 async def test_is_valid_uuid():

tests/api/test_list.py

@@ -45,6 +45,22 @@ async def test_list_filters(session_id, event, client):
     )
     assert r.status_code == 422, r.text
 
+    r = await client.get(
+        f"/api/list/{event.get_model_name()}?tournament=-1",
+    )
+    assert r.status_code == 200, r.text
+    data = r.json()
+    assert data
+    assert data["total"] == 0
+
+    r = await client.get(
+        f"/api/list/{event.get_model_name()}?tournament={event.tournament_id if hasattr(event, 'tournament_id') else event.tournament.id}",
+    )
+    assert r.status_code == 200, r.text
+    data = r.json()
+    assert data
+    assert data["total"] > 0
+
 
 async def test_list_search(session_id, admin_models, event, client):
     assert session_id