django-admin-react 0.2.0a4__tar.gz → 0.2.0a6__tar.gz

{django_admin_react-0.2.0a4 → django_admin_react-0.2.0a6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: django-admin-react
-Version: 0.2.0a4
+Version: 0.2.0a6
 Summary: A drop-in React single-page admin for Django, driven entirely by ModelAdmin.
 License: MIT
 Keywords: django,admin,react,spa,tailwind
@@ -82,15 +82,15 @@ throwaway example server).
 
 | Sign in (package login)                            | Registry / home                                       |
 | -------------------------------------------------- | ----------------------------------------------------- |
-| ![Sign in](docs/screenshots/01-spa-login.png)      | ![Registry](docs/screenshots/02-spa-registry.png)     |
+| ![Sign in](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/01-spa-login.png)      | ![Registry](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/02-spa-registry.png)     |
 
 | List view (`list_display` + search)                     | Detail view                                          |
 | ------------------------------------------------------- | ---------------------------------------------------- |
-| ![List](docs/screenshots/03-spa-list.png)               | ![Detail](docs/screenshots/05-spa-detail.png)        |
+| ![List](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/03-spa-list.png)               | ![Detail](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/05-spa-detail.png)        |
 
 | Mobile (375 px)                                            | API: `GET /api/v1/registry/`                               |
 | ---------------------------------------------------------- | ---------------------------------------------------------- |
-| ![Mobile](docs/screenshots/04-spa-list-mobile.png)         | ![Registry JSON](docs/screenshots/06-registry-api-json.png) |
+| ![Mobile](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/04-spa-list-mobile.png)         | ![Registry JSON](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/06-registry-api-json.png) |
 
 Screenshots use deterministic synthetic fixtures (no real names,
 emails, account numbers, or PII).
@@ -411,35 +411,41 @@ customisations.
 
 ---
 
-## Feature status (v0.1.0-alpha)
+## Feature status (alpha — currently `0.2.0a*` on PyPI)
 
-| Surface                                                | Status                                                          |
+The **backend** — the `ModelAdmin`-driven REST API — is the stable,
+complete surface and the table below tracks it. The **React SPA** that
+consumes it is in active development; to keep this README from drifting,
+per-feature *SPA* (UI) status is **not** duplicated here — it is tracked
+live in the [frontend implementation tracker (#160)](https://github.com/MartinCastroAlvarez/django-admin-react/issues/160)
+and the [project board](https://github.com/users/MartinCastroAlvarez/projects/3).
+
+| `ModelAdmin` surface                                   | Backend (REST API)                                              |
 | ------------------------------------------------------ | --------------------------------------------------------------- |
-| Registry / list / detail / create / update / delete    | ✅ Backend + SPA contract                                       |
-| `list_display`, `sortable_by`, `search_fields`         | ✅ Backend + SPA contract                                       |
-| `list_filter` (boolean / choice / FK / date / Simple)  | ✅ Backend; SPA implementation pending                          |
-| `date_hierarchy`                                       | ✅ Backend; SPA implementation pending                          |
-| `list_editable` + bulk PATCH                           | ✅ Backend; SPA implementation pending                          |
-| `actions` (custom + bulk runner)                       | ✅ Backend; SPA implementation pending                          |
-| `autocomplete_fields` / `raw_id_fields`                | ✅ Backend + SPA contract                                       |
-| `ManyToManyField` read + write                         | ✅ Backend; SPA implementation pending                          |
-| `inlines` (TabularInline / StackedInline) — read       | ✅ Backend; SPA implementation pending                          |
-| `inlines` — write (formsets)                           | 🟡 Tracked in [#54](https://github.com/MartinCastroAlvarez/django-admin-react/issues/54) |
-| `FileField` / `ImageField` — read                      | ✅ Backend + SPA contract                                       |
-| `FileField` / `ImageField` — multipart upload          | 🟡 Tracked in [#57](https://github.com/MartinCastroAlvarez/django-admin-react/issues/57) |
-| `JSONField` / `ArrayField` / range types               | ✅ Backend                                                      |
-| `register_field_type` + per-model SPA extension hook   | ✅ Backend + extension contract                                 |
-| Session-expiry re-login modal                          | ✅ Wire contract; SPA implementation pending                    |
-| OpenAPI 3.1 schema at `/api/v1/schema/`                | ✅ Backend                                                      |
-| Dark mode (no-flash server-side resolution)            | 🟡 UX contract; tracked in [#84](https://github.com/MartinCastroAlvarez/django-admin-react/issues/84) |
-| Mobile creative patterns (FAB / bottom-sheet / swipe)  | 🟡 UX contract; tracked in [#85](https://github.com/MartinCastroAlvarez/django-admin-react/issues/85) |
-| PWA (manifest + service worker + cache-on-logout)      | 🟡 UX contract; tracked in [#86](https://github.com/MartinCastroAlvarez/django-admin-react/issues/86) |
-
-Status meanings: ✅ ships in the current alpha; 🟡 contract or
-backend lands in the alpha, SPA implementation in flight. See
-[`ACCEPTANCE.md`](ACCEPTANCE.md) for the full criterion-by-criterion
-list and [the issue tracker](https://github.com/MartinCastroAlvarez/django-admin-react/issues)
-for live status.
+| Registry / list / detail / create / update / delete    | ✅                                                              |
+| `list_display`, `sortable_by`, `search_fields`         | ✅                                                              |
+| `list_filter` (boolean / choice / FK / date / Simple)  | ✅                                                              |
+| `date_hierarchy`                                       | ✅                                                              |
+| `list_editable` + bulk PATCH                           | ✅                                                              |
+| `actions` (custom + bulk runner)                       | ✅                                                              |
+| `autocomplete_fields` / `raw_id_fields`                | ✅                                                              |
+| `ManyToManyField` read + write                         | ✅                                                              |
+| `inlines` (TabularInline / StackedInline) — read + write | ✅                                                            |
+| `FileField` / `ImageField` — read                      | ✅                                                              |
+| `FileField` / `ImageField` — multipart upload          | 🟡 [#241](https://github.com/MartinCastroAlvarez/django-admin-react/issues/241) |
+| `JSONField` / `ArrayField` / range — read              | ✅                                                              |
+| range fields — write coercion                          | 🟡 [#238](https://github.com/MartinCastroAlvarez/django-admin-react/issues/238) |
+| `register_field_type` + per-model extension hook       | ✅                                                              |
+| React login / logout (Django session + CSRF)           | ✅                                                              |
+| Password set / change (`UserAdmin` parity)             | ✅                                                              |
+| Session-expiry re-login contract                       | ✅                                                              |
+| OpenAPI 3.1 schema at `/api/v1/schema/`                | ✅                                                              |
+| PWA manifest + service worker (cache-purge on logout)  | ✅                                                              |
+
+✅ = shipped in the current alpha. 🟡 = not yet built (tracked). This
+column is the **backend** capability only — for which surfaces the React
+UI renders today, see the [frontend tracker (#160)](https://github.com/MartinCastroAlvarez/django-admin-react/issues/160).
+[`ACCEPTANCE.md`](ACCEPTANCE.md) carries the full criterion-by-criterion list.
 
 ---
 

{django_admin_react-0.2.0a4 → django_admin_react-0.2.0a6}/README.md

@@ -51,15 +51,15 @@ throwaway example server).
 
 | Sign in (package login)                            | Registry / home                                       |
 | -------------------------------------------------- | ----------------------------------------------------- |
-| ![Sign in](docs/screenshots/01-spa-login.png)      | ![Registry](docs/screenshots/02-spa-registry.png)     |
+| ![Sign in](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/01-spa-login.png)      | ![Registry](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/02-spa-registry.png)     |
 
 | List view (`list_display` + search)                     | Detail view                                          |
 | ------------------------------------------------------- | ---------------------------------------------------- |
-| ![List](docs/screenshots/03-spa-list.png)               | ![Detail](docs/screenshots/05-spa-detail.png)        |
+| ![List](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/03-spa-list.png)               | ![Detail](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/05-spa-detail.png)        |
 
 | Mobile (375 px)                                            | API: `GET /api/v1/registry/`                               |
 | ---------------------------------------------------------- | ---------------------------------------------------------- |
-| ![Mobile](docs/screenshots/04-spa-list-mobile.png)         | ![Registry JSON](docs/screenshots/06-registry-api-json.png) |
+| ![Mobile](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/04-spa-list-mobile.png)         | ![Registry JSON](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/06-registry-api-json.png) |
 
 Screenshots use deterministic synthetic fixtures (no real names,
 emails, account numbers, or PII).
@@ -380,35 +380,41 @@ customisations.
 
 ---
 
-## Feature status (v0.1.0-alpha)
+## Feature status (alpha — currently `0.2.0a*` on PyPI)
 
-| Surface                                                | Status                                                          |
+The **backend** — the `ModelAdmin`-driven REST API — is the stable,
+complete surface and the table below tracks it. The **React SPA** that
+consumes it is in active development; to keep this README from drifting,
+per-feature *SPA* (UI) status is **not** duplicated here — it is tracked
+live in the [frontend implementation tracker (#160)](https://github.com/MartinCastroAlvarez/django-admin-react/issues/160)
+and the [project board](https://github.com/users/MartinCastroAlvarez/projects/3).
+
+| `ModelAdmin` surface                                   | Backend (REST API)                                              |
 | ------------------------------------------------------ | --------------------------------------------------------------- |
-| Registry / list / detail / create / update / delete    | ✅ Backend + SPA contract                                       |
-| `list_display`, `sortable_by`, `search_fields`         | ✅ Backend + SPA contract                                       |
-| `list_filter` (boolean / choice / FK / date / Simple)  | ✅ Backend; SPA implementation pending                          |
-| `date_hierarchy`                                       | ✅ Backend; SPA implementation pending                          |
-| `list_editable` + bulk PATCH                           | ✅ Backend; SPA implementation pending                          |
-| `actions` (custom + bulk runner)                       | ✅ Backend; SPA implementation pending                          |
-| `autocomplete_fields` / `raw_id_fields`                | ✅ Backend + SPA contract                                       |
-| `ManyToManyField` read + write                         | ✅ Backend; SPA implementation pending                          |
-| `inlines` (TabularInline / StackedInline) — read       | ✅ Backend; SPA implementation pending                          |
-| `inlines` — write (formsets)                           | 🟡 Tracked in [#54](https://github.com/MartinCastroAlvarez/django-admin-react/issues/54) |
-| `FileField` / `ImageField` — read                      | ✅ Backend + SPA contract                                       |
-| `FileField` / `ImageField` — multipart upload          | 🟡 Tracked in [#57](https://github.com/MartinCastroAlvarez/django-admin-react/issues/57) |
-| `JSONField` / `ArrayField` / range types               | ✅ Backend                                                      |
-| `register_field_type` + per-model SPA extension hook   | ✅ Backend + extension contract                                 |
-| Session-expiry re-login modal                          | ✅ Wire contract; SPA implementation pending                    |
-| OpenAPI 3.1 schema at `/api/v1/schema/`                | ✅ Backend                                                      |
-| Dark mode (no-flash server-side resolution)            | 🟡 UX contract; tracked in [#84](https://github.com/MartinCastroAlvarez/django-admin-react/issues/84) |
-| Mobile creative patterns (FAB / bottom-sheet / swipe)  | 🟡 UX contract; tracked in [#85](https://github.com/MartinCastroAlvarez/django-admin-react/issues/85) |
-| PWA (manifest + service worker + cache-on-logout)      | 🟡 UX contract; tracked in [#86](https://github.com/MartinCastroAlvarez/django-admin-react/issues/86) |
-
-Status meanings: ✅ ships in the current alpha; 🟡 contract or
-backend lands in the alpha, SPA implementation in flight. See
-[`ACCEPTANCE.md`](ACCEPTANCE.md) for the full criterion-by-criterion
-list and [the issue tracker](https://github.com/MartinCastroAlvarez/django-admin-react/issues)
-for live status.
+| Registry / list / detail / create / update / delete    | ✅                                                              |
+| `list_display`, `sortable_by`, `search_fields`         | ✅                                                              |
+| `list_filter` (boolean / choice / FK / date / Simple)  | ✅                                                              |
+| `date_hierarchy`                                       | ✅                                                              |
+| `list_editable` + bulk PATCH                           | ✅                                                              |
+| `actions` (custom + bulk runner)                       | ✅                                                              |
+| `autocomplete_fields` / `raw_id_fields`                | ✅                                                              |
+| `ManyToManyField` read + write                         | ✅                                                              |
+| `inlines` (TabularInline / StackedInline) — read + write | ✅                                                            |
+| `FileField` / `ImageField` — read                      | ✅                                                              |
+| `FileField` / `ImageField` — multipart upload          | 🟡 [#241](https://github.com/MartinCastroAlvarez/django-admin-react/issues/241) |
+| `JSONField` / `ArrayField` / range — read              | ✅                                                              |
+| range fields — write coercion                          | 🟡 [#238](https://github.com/MartinCastroAlvarez/django-admin-react/issues/238) |
+| `register_field_type` + per-model extension hook       | ✅                                                              |
+| React login / logout (Django session + CSRF)           | ✅                                                              |
+| Password set / change (`UserAdmin` parity)             | ✅                                                              |
+| Session-expiry re-login contract                       | ✅                                                              |
+| OpenAPI 3.1 schema at `/api/v1/schema/`                | ✅                                                              |
+| PWA manifest + service worker (cache-purge on logout)  | ✅                                                              |
+
+✅ = shipped in the current alpha. 🟡 = not yet built (tracked). This
+column is the **backend** capability only — for which surfaces the React
+UI renders today, see the [frontend tracker (#160)](https://github.com/MartinCastroAlvarez/django-admin-react/issues/160).
+[`ACCEPTANCE.md`](ACCEPTANCE.md) carries the full criterion-by-criterion list.
 
 ---
 

{django_admin_react-0.2.0a4 → django_admin_react-0.2.0a6}/django_admin_react/api/dates.py

@@ -34,6 +34,7 @@ from typing import Final
 from django.contrib.admin.options import ModelAdmin
 from django.db.models import Count
 from django.db.models import QuerySet
+from django.db.models.functions import Extract
 from django.db.models.functions import ExtractDay
 from django.db.models.functions import ExtractMonth
 from django.db.models.functions import ExtractYear
@@ -98,12 +99,13 @@ def apply_filter(
     all handle these natively). No raw SQL.
     """
     lookups: dict[str, int] = {}
-    if active.get("year") is not None:
-        lookups[f"{field}__year"] = active["year"]
-    if active.get("month") is not None:
-        lookups[f"{field}__month"] = active["month"]
-    if active.get("day") is not None:
-        lookups[f"{field}__day"] = active["day"]
+    year, month, day = active.get("year"), active.get("month"), active.get("day")
+    if year is not None:
+        lookups[f"{field}__year"] = year
+    if month is not None:
+        lookups[f"{field}__month"] = month
+    if day is not None:
+        lookups[f"{field}__day"] = day
     if not lookups:
         return queryset
     return queryset.filter(**lookups)
@@ -128,6 +130,7 @@ def build_buckets(
     excluded (they don't appear in any bucket).
     """
     year, month, day = active.get("year"), active.get("month"), active.get("day")
+    extractor: type[Extract]
     if year is None:
         extractor, _name = ExtractYear, "year"
     elif month is None:

{django_admin_react-0.2.0a4 → django_admin_react-0.2.0a6}/django_admin_react/api/filters.py

@@ -43,6 +43,7 @@ from django.contrib.admin.sites import AdminSite
 from django.db.models import BooleanField
 from django.db.models import DateField
 from django.db.models import DateTimeField
+from django.db.models import Field
 from django.db.models import ForeignKey
 from django.db.models import Model
 from django.db.models import QuerySet
@@ -78,12 +79,17 @@ def _entry_spec(entry: Any) -> tuple[str | None, type | None]:
     return None, None
 
 
-def _safe_get_field(model: type[Model], name: str):
-    """Return ``model._meta.get_field(name)`` or ``None``."""
+def _safe_get_field(model: type[Model], name: str) -> Field | None:
+    """Return ``model._meta.get_field(name)`` or ``None``.
+
+    Reverse relations / generic FKs (not concrete ``Field``s) collapse to
+    ``None`` — consistent with ``serializers.safe_get_field``.
+    """
     try:
-        return model._meta.get_field(name)
+        field = model._meta.get_field(name)
     except Exception:
         return None
+    return field if isinstance(field, Field) else None
 
 
 def _spec_for_boolean(field_name: str, field: Any) -> dict[str, Any]:
@@ -119,9 +125,12 @@ def _spec_for_fk(
     unregistered model (see issue #89, defense-in-depth).
     """
     related = field.related_model
-    meta = related._meta if related is not None else None
-    if related is None or meta is None:
+    # ``related_model`` is the resolved model class once the admin is
+    # loaded; ``"self"`` is only a definition-time sentinel. Guard both
+    # ``None`` and the str so the type narrows to ``type[Model]``.
+    if related is None or isinstance(related, str):
         return None
+    meta = related._meta
     # #89: drop the descriptor entirely if the related model isn't in
     # the configured admin site. This keeps the closed-vocabulary
     # posture tight (the SPA only learns about FK filters it can
@@ -135,17 +144,30 @@ def _spec_for_fk(
         "to": {"app_label": meta.app_label, "model_name": meta.model_name},
     }
     # Inline up to _FK_FILTER_MAX_OPTIONS choices for tiny tables;
-    # larger tables defer to the autocomplete endpoint (#59).
+    # larger tables defer to the autocomplete endpoint (#59). Respect the
+    # FK's ``limit_choices_to`` so the offered options match Django's
+    # RelatedFieldListFilter, whose choices come from
+    # ``complex_filter(limit_choices_to)`` — a FK declared with, e.g.,
+    # ``limit_choices_to={"is_active": True}`` must not offer the rows it
+    # excludes (#273). An unset / empty / callable-returning-empty limit
+    # is falsy, so the unfiltered manager is used unchanged (and we never
+    # call ``complex_filter(None)``, which would raise).
+    base_qs = related._default_manager.all()
+    limit = field.get_limit_choices_to()
+    if limit:
+        try:
+            base_qs = related._default_manager.complex_filter(limit)
+        except Exception:
+            base_qs = related._default_manager.all()
     try:
-        count = related._default_manager.count()
+        count = base_qs.count()
     except Exception:
         count = _FK_FILTER_MAX_OPTIONS + 1
     if count <= _FK_FILTER_MAX_OPTIONS:
         from django_admin_react.api.serializers import label_for
 
         payload["choices"] = [
-            {"value": obj.pk, "label": label_for(obj)}
-            for obj in related._default_manager.all()[:_FK_FILTER_MAX_OPTIONS]
+            {"value": obj.pk, "label": label_for(obj)} for obj in base_qs[:_FK_FILTER_MAX_OPTIONS]
         ]
     return payload
 
@@ -170,10 +192,22 @@ def _spec_for_simple_filter(
         lookups = list(instance.lookups(request, model_admin) or [])
     except Exception:  # pragma: no cover — admin author error
         lookups = []
+    # The lookup the filter is currently applying — Django's
+    # ``SimpleListFilter.value()``. Crucially this includes a *default*
+    # the filter applies when no querystring param is present (a common
+    # "exclude test tenants unless opted in" pattern): such a filter
+    # returns its default from ``value()``, so the SPA can reflect the
+    # default as selected instead of showing "All" while the backend
+    # silently narrows the rows (#283). ``None`` means no selection.
+    try:
+        selected = instance.value()
+    except Exception:  # pragma: no cover — admin author error
+        selected = None
     return {
         "name": instance.parameter_name,
         "label": str(getattr(instance, "title", "") or instance.parameter_name),
         "type": "custom",
+        "selected": selected,
         "lookups": [{"value": v, "label": str(lbl)} for v, lbl in lookups],
     }
 
@@ -290,7 +324,7 @@ def apply_filters(queryset: QuerySet, model_admin: ModelAdmin, request: HttpRequ
         if field_name is None:
             continue
         raw_value = request.GET.get(field_name)
-        if raw_value in (None, ""):
+        if raw_value is None or raw_value == "":
             continue
 
         field = _safe_get_field(model, field_name)

{django_admin_react-0.2.0a4 → django_admin_react-0.2.0a6}/django_admin_react/api/inlines.py

@@ -27,6 +27,7 @@ from typing import Any
 from django.contrib.admin.options import InlineModelAdmin
 from django.contrib.admin.options import ModelAdmin
 from django.contrib.admin.utils import label_for_field
+from django.contrib.admin.utils import lookup_field
 from django.db.models import ForeignKey
 from django.db.models import ManyToManyField
 from django.db.models import Model
@@ -42,7 +43,10 @@ from django_admin_react.api.serializers import serialize_value
 
 
 def inlines_payload(
-    model_admin: ModelAdmin, parent: Model, request: HttpRequest
+    model_admin: ModelAdmin,
+    parent: Model,
+    request: HttpRequest,
+    admin_site: Any = None,
 ) -> list[dict[str, Any]]:
     """Build the ``inlines`` block of the detail response.
 
@@ -74,7 +78,7 @@ def inlines_payload(
     out: list[dict[str, Any]] = []
     inline_instances = _get_inline_instances(model_admin, parent, request)
     for inline in inline_instances:
-        entry = _spec_for_inline(inline, parent, request)
+        entry = _spec_for_inline(inline, parent, request, admin_site)
         if entry is not None:
             out.append(entry)
     return out
@@ -96,8 +100,31 @@ def _get_inline_instances(
         return []
 
 
+def _show_change_link_allowed(
+    admin_site: Any, child_model: type[Model], request: HttpRequest
+) -> bool:
+    """Whether to advertise an inline row's link to the child's change page.
+
+    Mirrors ``serialize_fk_value``'s ``to`` gate (#301): only when the child
+    model is registered on this admin site **and** the requesting user has
+    ``has_view_permission`` for it. Registration alone isn't enough — without
+    the per-user check the SPA would render a link the detail endpoint 404s
+    on and leak the adjacency / identity of a model the user can't view
+    (extends the #89 registry guard to a per-user check).
+    """
+    if admin_site is None:
+        return False
+    target_admin = getattr(admin_site, "_registry", {}).get(child_model)
+    if target_admin is None:
+        return False
+    return bool(target_admin.has_view_permission(request))
+
+
 def _spec_for_inline(
-    inline: InlineModelAdmin, parent: Model, request: HttpRequest
+    inline: InlineModelAdmin,
+    parent: Model,
+    request: HttpRequest,
+    admin_site: Any = None,
 ) -> dict[str, Any] | None:
     """Build one inline's metadata + rows payload.
 
@@ -126,7 +153,7 @@ def _spec_for_inline(
 
     rows: list[dict[str, Any]] = []
     if can_view:
-        rows = _rows_for_inline(inline, parent, fk_name, visible_fields, request)
+        rows = _rows_for_inline(inline, parent, fk_name, visible_fields, request, admin_site)
 
     return {
         "name": fk_name + "_set" if not hasattr(child_model, fk_name + "_set") else fk_name,
@@ -141,6 +168,14 @@ def _spec_for_inline(
         "can_add": can_add,
         "can_change": can_change,
         "can_delete": can_delete,
+        # InlineModelAdmin.show_change_link (#384) — when True, the SPA
+        # renders a per-row link to the child's own change page. Gated on
+        # the child being registered **and** the user's per-model
+        # has_view_permission (#301 least-disclosure, same gate as
+        # serialize_fk_value's `to`): never advertise a link the detail
+        # endpoint would 404 on, never leak adjacency to an unviewable model.
+        "show_change_link": bool(getattr(inline, "show_change_link", False))
+        and _show_change_link_allowed(admin_site, child_model, request),
         "fields": fields_meta,
         "rows": rows,
     }
@@ -161,7 +196,9 @@ def _resolve_fk_name(inline: InlineModelAdmin, parent: Model) -> str | None:
         if isinstance(field, ForeignKey):
             related = field.related_model
             if related is parent_class or (
-                related is not None and issubclass(parent_class, related)
+                related is not None
+                and not isinstance(related, str)
+                and issubclass(parent_class, related)
             ):
                 return field.name
     return None
@@ -183,7 +220,10 @@ def _visible_inline_fields(
     visible = [
         name
         for name in declared
-        if name not in excluded and name != fk_back and not is_sensitive_field_name(name)
+        if isinstance(name, str)
+        and name not in excluded
+        and name != fk_back
+        and not is_sensitive_field_name(name)
     ]
     return filter_sensitive(visible)
 
@@ -208,6 +248,7 @@ def _fields_meta(
     readonly = set(inline.get_readonly_fields(request, None) or ())
     out: list[dict[str, Any]] = []
     for name in visible_fields:
+        label: Any
         try:
             label = label_for_field(name, child_model, inline)
         except Exception:  # pragma: no cover
@@ -236,6 +277,7 @@ def _rows_for_inline(
     fk_name: str,
     visible_fields: list[str],
     request: HttpRequest,
+    admin_site: Any = None,
 ) -> list[dict[str, Any]]:
     """Fetch + serialize the child rows attached to ``parent``."""
     try:
@@ -251,15 +293,43 @@ def _rows_for_inline(
                 model_field = inline.model._meta.get_field(name)
             except Exception:
                 model_field = None
+            if model_field is None:
+                # No underlying model field: the inline lists a display
+                # method / callable (the `@admin.display def x(self, obj)`
+                # pattern, called with `obj`). Resolve via Django's own
+                # `lookup_field` (admin-first) so methods defined on the
+                # *inline admin* resolve, not just methods on the model
+                # instance. A naive `getattr(obj, name)` misses admin
+                # methods and returns None — the inline-row "—" bug
+                # (mirrors the detail-view fix in #232).
+                try:
+                    _f, _attr, value = lookup_field(name, obj, inline)
+                except Exception:
+                    # Guard the whole fallback: a readonly property can
+                    # *raise* (not just be missing), and getattr's default
+                    # only swallows AttributeError, so any other exception
+                    # from the getter would 500 the parent detail (#275).
+                    try:
+                        value = getattr(obj, name, None)
+                        if callable(value):
+                            value = value()
+                    except Exception:
+                        value = None
+                fields_payload[name] = serialize_value(value)
+                continue
             value = getattr(obj, name, None)
             if isinstance(model_field, ForeignKey):
-                fields_payload[name] = serialize_fk_value(value)
+                fields_payload[name] = serialize_fk_value(
+                    value, admin_site=admin_site, request=request
+                )
             elif isinstance(model_field, ManyToManyField):
                 try:
-                    related = list(value.all())
+                    related = list(value.all()) if value is not None else []
                 except Exception:
                     related = []
-                fields_payload[name] = [serialize_fk_value(r) for r in related]
+                fields_payload[name] = [
+                    serialize_fk_value(r, admin_site=admin_site, request=request) for r in related
+                ]
             else:
                 fields_payload[name] = serialize_value(value, field=model_field)
         rows.append({"pk": obj.pk, "label": label_for(obj), "fields": fields_payload})

{django_admin_react-0.2.0a4 → django_admin_react-0.2.0a6}/django_admin_react/api/inlines_write.py

@@ -69,6 +69,21 @@ class InlinePermissionDenied(Exception):
         self.state = state
 
 
+class InlineValidationError(Exception):
+    """Carries inline formset errors out of the caller's ``atomic()`` block.
+
+    Raised so the transaction unwinds (reverting the parent write), then
+    caught immediately outside the block and converted to a 400 with the
+    per-inline error detail. Using an exception rather than an early return
+    is what guarantees the rollback — a plain return inside ``atomic()``
+    would commit the parent. Shared by the create + update endpoints.
+    """
+
+    def __init__(self, errors: dict) -> None:
+        super().__init__("inline formset validation failed")
+        self.errors = errors
+
+
 def _inline_name(inline: InlineModelAdmin, parent: Model) -> str:
     """The identifier the read half emits for this inline.
 

{django_admin_react-0.2.0a4 → django_admin_react-0.2.0a6}/django_admin_react/api/registry.py

@@ -352,3 +352,42 @@ def save_options(
         "save_as": save_as,
         "save_as_continue": save_as_continue,
     }
+
+
+def password_change_form_class(model_admin: ModelAdmin) -> type | None:
+    """Return the admin's declared password-change form class, or ``None``.
+
+    Django's ``UserAdmin`` declares ``change_password_form`` (default
+    ``django.contrib.auth.forms.AdminPasswordChangeForm``) and registers a
+    dedicated ``<id>/password/`` view; a plain ``ModelAdmin`` does neither.
+    We treat the presence of a ``change_password_form`` attribute as the
+    signal that this admin intends password-set support — and reuse *that*
+    form, so the package never invents its own password handling (rule 1:
+    ``ModelAdmin`` is the only source of truth). Models whose admin lacks
+    the attribute have no password sub-resource (the caller 404s, exactly
+    as Django's router 404s ``/password/`` for a non-``UserAdmin`` model).
+    """
+    form_class = getattr(model_admin, "change_password_form", None)
+    return form_class if isinstance(form_class, type) else None
+
+
+def password_change_meta(
+    model_admin: ModelAdmin,
+    request: HttpRequest,
+    obj: Model,
+) -> dict[str, bool]:
+    """Detail-payload block describing the password-set affordance (#252).
+
+    ``supported`` is ``True`` only when the admin exposes a password-change
+    form **and** the request holds change permission on the object — so the
+    SPA shows "Set password" exactly when the POST would be accepted, never
+    a button that 403s. No password material is ever surfaced here; this is
+    purely a capability flag (the field itself stays hidden by the
+    sensitive-name denylist).
+    """
+    return {
+        "supported": bool(
+            password_change_form_class(model_admin) is not None
+            and model_admin.has_change_permission(request, obj)
+        ),
+    }