django-admin-react 0.2.0a5__tar.gz → 0.2.0a6__tar.gz

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: django-admin-react
-Version: 0.2.0a5
+Version: 0.2.0a6
 Summary: A drop-in React single-page admin for Django, driven entirely by ModelAdmin.
 License: MIT
 Keywords: django,admin,react,spa,tailwind

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a6}/django_admin_react/api/filters.py

@@ -144,17 +144,30 @@ def _spec_for_fk(
         "to": {"app_label": meta.app_label, "model_name": meta.model_name},
     }
     # Inline up to _FK_FILTER_MAX_OPTIONS choices for tiny tables;
-    # larger tables defer to the autocomplete endpoint (#59).
+    # larger tables defer to the autocomplete endpoint (#59). Respect the
+    # FK's ``limit_choices_to`` so the offered options match Django's
+    # RelatedFieldListFilter, whose choices come from
+    # ``complex_filter(limit_choices_to)`` — a FK declared with, e.g.,
+    # ``limit_choices_to={"is_active": True}`` must not offer the rows it
+    # excludes (#273). An unset / empty / callable-returning-empty limit
+    # is falsy, so the unfiltered manager is used unchanged (and we never
+    # call ``complex_filter(None)``, which would raise).
+    base_qs = related._default_manager.all()
+    limit = field.get_limit_choices_to()
+    if limit:
+        try:
+            base_qs = related._default_manager.complex_filter(limit)
+        except Exception:
+            base_qs = related._default_manager.all()
     try:
-        count = related._default_manager.count()
+        count = base_qs.count()
     except Exception:
         count = _FK_FILTER_MAX_OPTIONS + 1
     if count <= _FK_FILTER_MAX_OPTIONS:
         from django_admin_react.api.serializers import label_for
 
         payload["choices"] = [
-            {"value": obj.pk, "label": label_for(obj)}
-            for obj in related._default_manager.all()[:_FK_FILTER_MAX_OPTIONS]
+            {"value": obj.pk, "label": label_for(obj)} for obj in base_qs[:_FK_FILTER_MAX_OPTIONS]
         ]
     return payload
 
@@ -179,10 +192,22 @@ def _spec_for_simple_filter(
         lookups = list(instance.lookups(request, model_admin) or [])
     except Exception:  # pragma: no cover — admin author error
         lookups = []
+    # The lookup the filter is currently applying — Django's
+    # ``SimpleListFilter.value()``. Crucially this includes a *default*
+    # the filter applies when no querystring param is present (a common
+    # "exclude test tenants unless opted in" pattern): such a filter
+    # returns its default from ``value()``, so the SPA can reflect the
+    # default as selected instead of showing "All" while the backend
+    # silently narrows the rows (#283). ``None`` means no selection.
+    try:
+        selected = instance.value()
+    except Exception:  # pragma: no cover — admin author error
+        selected = None
     return {
         "name": instance.parameter_name,
         "label": str(getattr(instance, "title", "") or instance.parameter_name),
         "type": "custom",
+        "selected": selected,
         "lookups": [{"value": v, "label": str(lbl)} for v, lbl in lookups],
     }
 

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a6}/django_admin_react/api/inlines.py

@@ -100,6 +100,26 @@ def _get_inline_instances(
         return []
 
 
+def _show_change_link_allowed(
+    admin_site: Any, child_model: type[Model], request: HttpRequest
+) -> bool:
+    """Whether to advertise an inline row's link to the child's change page.
+
+    Mirrors ``serialize_fk_value``'s ``to`` gate (#301): only when the child
+    model is registered on this admin site **and** the requesting user has
+    ``has_view_permission`` for it. Registration alone isn't enough — without
+    the per-user check the SPA would render a link the detail endpoint 404s
+    on and leak the adjacency / identity of a model the user can't view
+    (extends the #89 registry guard to a per-user check).
+    """
+    if admin_site is None:
+        return False
+    target_admin = getattr(admin_site, "_registry", {}).get(child_model)
+    if target_admin is None:
+        return False
+    return bool(target_admin.has_view_permission(request))
+
+
 def _spec_for_inline(
     inline: InlineModelAdmin,
     parent: Model,
@@ -148,6 +168,14 @@ def _spec_for_inline(
         "can_add": can_add,
         "can_change": can_change,
         "can_delete": can_delete,
+        # InlineModelAdmin.show_change_link (#384) — when True, the SPA
+        # renders a per-row link to the child's own change page. Gated on
+        # the child being registered **and** the user's per-model
+        # has_view_permission (#301 least-disclosure, same gate as
+        # serialize_fk_value's `to`): never advertise a link the detail
+        # endpoint would 404 on, never leak adjacency to an unviewable model.
+        "show_change_link": bool(getattr(inline, "show_change_link", False))
+        and _show_change_link_allowed(admin_site, child_model, request),
         "fields": fields_meta,
         "rows": rows,
     }

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a6}/django_admin_react/api/inlines_write.py

@@ -69,6 +69,21 @@ class InlinePermissionDenied(Exception):
         self.state = state
 
 
+class InlineValidationError(Exception):
+    """Carries inline formset errors out of the caller's ``atomic()`` block.
+
+    Raised so the transaction unwinds (reverting the parent write), then
+    caught immediately outside the block and converted to a 400 with the
+    per-inline error detail. Using an exception rather than an early return
+    is what guarantees the rollback — a plain return inside ``atomic()``
+    would commit the parent. Shared by the create + update endpoints.
+    """
+
+    def __init__(self, errors: dict) -> None:
+        super().__init__("inline formset validation failed")
+        self.errors = errors
+
+
 def _inline_name(inline: InlineModelAdmin, parent: Model) -> str:
     """The identifier the read half emits for this inline.
 

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a6}/django_admin_react/api/views/bulk.py

@@ -33,6 +33,7 @@ from __future__ import annotations
 
 from typing import Any
 
+from django.db import IntegrityError
 from django.db import transaction
 from django.http import HttpRequest
 from django.http import HttpResponse
@@ -44,6 +45,7 @@ from django_admin_react.api.permissions import is_admin_user
 from django_admin_react.api.registry import get_admin_site
 from django_admin_react.api.registry import resolve_model
 from django_admin_react.api.writes import bad_request
+from django_admin_react.api.writes import conflict_error
 from django_admin_react.api.writes import form_errors_to_envelope
 from django_admin_react.api.writes import load_object_or_none
 from django_admin_react.api.writes import log_change
@@ -180,6 +182,26 @@ def _apply_one(
             "error": {"code": "forbidden", "message": "You do not have permission."},
         }
 
+    # list_editable parity + scope guard (#401): this endpoint powers the
+    # changelist's inline-editable cells, so a write may only touch fields
+    # the admin put in ``list_editable`` — exactly like Django, which only
+    # accepts ``list_editable`` names on a changelist POST. A field that's
+    # writable on the *change form* but not list_editable (or ANY field
+    # when list_editable is empty) is rejected here, even though the user
+    # could edit it through the detail form. This keeps the bulk surface
+    # from silently widening the set of fields editable from the list.
+    list_editable = set(getattr(model_admin, "list_editable", ()) or ())
+    not_editable = sorted(k for k in fields if k not in list_editable)
+    if not_editable:
+        return {
+            "pk": pk,
+            "ok": False,
+            "error": {
+                "code": "bad_request",
+                "message": f"Field(s) not editable in the list view: {', '.join(not_editable)}.",
+            },
+        }
+
     writable = writable_field_names(model, model_admin, request, obj)
     forbidden = readonly_or_excluded_names(model_admin, request, obj)
     rejection = reject_forbidden_keys(fields, writable, forbidden)
@@ -208,8 +230,19 @@ def _apply_one(
             },
         }
 
-    instance = form.save(commit=False)
-    model_admin.save_model(request, instance, form, change=True)
-    form.save_m2m()
-    log_change(model_admin, request, instance, form)
+    # Per-row savepoint so a DB IntegrityError the form didn't catch (a
+    # uniqueness race, or a DB-level constraint) rolls back just this row
+    # and returns a clean per-row error — keeping the surrounding batch
+    # transaction usable instead of aborting it (and 500ing) (#404). The
+    # batch still rolls everything back when any row is rejected.
+    try:
+        with transaction.atomic():
+            instance = form.save(commit=False)
+            model_admin.save_model(request, instance, form, change=True)
+            # M2M / related via the admin hook (#402) so a consumer's
+            # save_related override runs (default = save_m2m).
+            model_admin.save_related(request, form, [], change=True)
+            log_change(model_admin, request, instance, form)
+    except IntegrityError:
+        return {"pk": pk, "ok": False, "error": conflict_error()}
     return {"pk": pk, "ok": True}

django_admin_react-0.2.0a6/django_admin_react/api/views/create.py

@@ -0,0 +1,213 @@
+"""``POST /api/v1/<app>/<model>/`` — create endpoint.
+
+Wire contract: ``docs/api-contract.md`` §5.1.
+
+Hard rules (`SECURITY.md` §3, `ACCEPTANCE.md` §3.1):
+
+- Rule 1:  Staff + ``AdminSite.has_permission`` gate.
+- Rule 3:  Model resolved through ``admin.site._registry`` (B-7).
+- Rule 6:  Writes go through ``ModelAdmin.get_form()`` then
+           ``save_model(..., change=False)`` (B-3).
+- Rule 12: Unknown / readonly / excluded / sensitive payload keys → 400,
+           never a silent drop.
+- CSRF:    No ``@csrf_exempt`` — Django's middleware enforces.
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+from django.core.exceptions import RequestDataTooBig
+from django.core.exceptions import TooManyFieldsSent
+from django.db import IntegrityError
+from django.db import transaction
+from django.http import HttpRequest
+from django.http import HttpResponse
+from django.http import JsonResponse
+from django.views.generic import View
+
+from django_admin_react.api.inlines_write import InlinePermissionDenied
+from django_admin_react.api.inlines_write import InlineValidationError
+from django_admin_react.api.inlines_write import apply_inline_writes
+from django_admin_react.api.permissions import forbidden_response
+from django_admin_react.api.permissions import is_admin_user
+from django_admin_react.api.registry import get_admin_site
+from django_admin_react.api.registry import resolve_model
+from django_admin_react.api.serializers import label_for
+from django_admin_react.api.writes import bad_request
+from django_admin_react.api.writes import coerce_fk_values
+from django_admin_react.api.writes import conflict_response
+from django_admin_react.api.writes import form_errors_to_envelope
+from django_admin_react.api.writes import log_addition
+from django_admin_react.api.writes import not_found_response
+from django_admin_react.api.writes import parse_json_body
+from django_admin_react.api.writes import readonly_or_excluded_names
+from django_admin_react.api.writes import reject_forbidden_keys
+from django_admin_react.api.writes import validation_failed
+from django_admin_react.api.writes import writable_field_names
+
+
+class CreateView(View):
+    """``POST /api/v1/<app_label>/<model_name>/``."""
+
+    http_method_names = ["post"]
+
+    def post(
+        self,
+        request: HttpRequest,
+        app_label: str,
+        model_name: str,
+        *args: Any,
+        **kwargs: Any,
+    ) -> HttpResponse:
+        """Create a new instance (contract §5.1).
+
+        Gates: ``is_admin_user`` → ``resolve_model`` →
+        ``has_add_permission(request)``. CSRF enforcement is Django's
+        ``CsrfViewMiddleware`` — no ``@csrf_exempt`` (rule 4 /
+        ACCEPTANCE §4.6 S-26).
+
+        Payload validation runs **before** the form is built:
+
+        - Unknown keys → 400 ``bad_request``.
+        - Keys matching ``get_readonly_fields`` or ``get_exclude`` →
+          400 (rule 12 / S-22, S-23).
+        - Keys matching the sensitive-name denylist → 400 (S-31).
+
+        The actual write goes through ``ModelAdmin.get_form()`` →
+        ``form.save(commit=False)`` → ``model_admin.save_model(...)``
+        — never ``setattr`` (rule 6 / B-3). Wrapped in
+        ``transaction.atomic()``.
+        """
+        admin_site = get_admin_site()
+        if not is_admin_user(request, admin_site=admin_site):
+            return forbidden_response(request)
+
+        resolved = resolve_model(admin_site, request, app_label, model_name)
+        if resolved is None:
+            return not_found_response()
+        model, model_admin = resolved
+
+        if not model_admin.has_add_permission(request):
+            return forbidden_response(request)
+
+        # FileField / ImageField uploads arrive as multipart/form-data
+        # (#241). Branch on content type: multipart feeds the ModelForm
+        # ``request.POST`` (a QueryDict, so ``getlist`` preserves M2M) +
+        # ``request.FILES``; JSON keeps the existing envelope path. CSRF is
+        # enforced either way — ``CsrfViewMiddleware`` ran before this view
+        # and there is no ``@csrf_exempt``.
+        # Optional inline formsets (#403) — set only on the JSON path; a
+        # multipart create (file uploads) doesn't carry inlines.
+        inlines_payload: Any = None
+        is_multipart = (request.content_type or "").startswith("multipart/form-data")
+        if is_multipart:
+            form_data: Any
+            files: Any
+            # Accessing request.POST/FILES triggers the multipart parse, which
+            # enforces Django's body limits. Surface an over-limit upload as
+            # the canonical JSON envelope instead of Django's default 400
+            # page (#448) — RequestDataTooBig / TooManyFieldsSent are
+            # SuspiciousOperation subclasses, not MultiPartParserError.
+            try:
+                form_data = request.POST
+                files = request.FILES
+            except (RequestDataTooBig, TooManyFieldsSent):
+                return bad_request("Upload exceeds the configured size or field limits.")
+            # Validate the union of POST + FILES keys: a file posted to a
+            # readonly / excluded / unknown field is rejected just like a
+            # scalar would be. Bare multipart values are not {id,label}
+            # envelopes, so ``coerce_fk_values`` is skipped.
+            submitted_keys: dict[str, Any] = dict.fromkeys(form_data)
+            submitted_keys.update(dict.fromkeys(files))
+        else:
+            parsed = parse_json_body(request)
+            if isinstance(parsed, HttpResponse):
+                return parsed
+            payload: dict[str, Any] = parsed
+            # Strip the inline block before validating parent keys so it
+            # isn't treated as an unknown field; it's saved after the parent.
+            inlines_payload = payload.pop("inlines", None)
+            form_data = coerce_fk_values(payload, model)
+            files = None
+            submitted_keys = payload
+
+        writable = writable_field_names(model, model_admin, request, obj=None)
+        forbidden = readonly_or_excluded_names(model_admin, request, obj=None)
+        rejection = reject_forbidden_keys(submitted_keys, writable, forbidden)
+        if rejection is not None:
+            return rejection
+
+        form = model_admin.get_form(request, obj=None)(data=form_data, files=files)
+        if not form.is_valid():
+            return validation_failed(form_errors_to_envelope(form))
+
+        # A DB IntegrityError the form didn't catch (a uniqueness race, or a
+        # DB-level constraint not mirrored in form validation) must exit the
+        # atomic block before it's handled — catch outside (#404).
+        try:
+            with transaction.atomic():
+                instance = form.save(commit=False)
+                model_admin.save_model(request, instance, form, change=False)
+                # Save M2M / related through the admin hook (#402), not a
+                # bare form.save_m2m(), so a consumer's save_related override
+                # is honoured. The default save_related just runs save_m2m;
+                # inline formsets flow through our own write path, so the
+                # `formsets` list is empty here.
+                model_admin.save_related(request, form, [], change=False)
+                log_addition(model_admin, request, instance, form)
+                # Inline formsets (#403) round-trip in the SAME transaction
+                # as the parent create, so a child permission denial or a
+                # formset validation failure reverts the parent too — exactly
+                # how the update endpoint handles them.
+                if inlines_payload is not None:
+                    inline_errors = apply_inline_writes(
+                        model_admin, request, instance, form, inlines_payload
+                    )
+                    if inline_errors is not None:
+                        raise InlineValidationError(inline_errors)
+        except InlinePermissionDenied:
+            return forbidden_response(request)
+        except InlineValidationError as exc:
+            return validation_failed({"inlines": exc.errors})
+        except IntegrityError:
+            return conflict_response()
+        except ValueError:
+            # Malformed `inlines` payload shape (not a 500) — fixed generic
+            # message, never echoing exception text (CodeQL stack-trace).
+            return bad_request("Malformed 'inlines' payload.")
+
+        body = {
+            "pk": instance.pk,
+            "label": label_for(instance),
+            "redirect": _redirect_for(
+                request,
+                model._meta.app_label,
+                model._meta.model_name or "",
+                instance.pk,
+            ),
+        }
+        response = JsonResponse(body, status=201)
+        response["Cache-Control"] = "no-store"
+        return response
+
+
+def _redirect_for(
+    request: HttpRequest,
+    app_label: str,
+    model_name: str,
+    pk: Any,
+) -> str:
+    """Construct a SPA-relative redirect (``<mount>/<app>/<model>/<pk>/``).
+
+    The mount is reconstructed from the request path. The URL pattern
+    is fixed inside this package, so everything in front of
+    ``api/v1/`` is the consumer-chosen prefix
+    (``ARCHITECTURE.md`` §4.5). Falls back to ``/`` if the pattern is
+    not present (should not happen — the URL router routed us here).
+    """
+    suffix = "api/v1/"
+    path = request.path
+    idx = path.rfind(suffix)
+    mount = path[:idx] if idx != -1 else "/"
+    return f"{mount}{app_label}/{model_name}/{pk}/"

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a6}/django_admin_react/api/views/create_form.py

@@ -96,7 +96,44 @@ class AddFormView(View):
             # Add-view save-flow buttons (#154): obj=None → add semantics
             # (Save / Save-and-add-another / Save-and-continue editing).
             "save_options": save_options(model_admin, request, None),
+            # prepopulated_fields (#245): {target: [sources]} so the SPA can
+            # slugify the target from its sources while typing — Django's
+            # add-form behaviour. Restrict to fields actually rendered, and
+            # never a readonly target (it can't be filled), mirroring how
+            # Django drops readonly targets from the change-form JS.
+            "prepopulated_fields": _prepopulated_payload(
+                model_admin, request, visible_names, readonly
+            ),
         }
         response = JsonResponse(payload, status=200)
         response["Cache-Control"] = "no-store"
         return response
+
+
+def _prepopulated_payload(
+    model_admin: Any,
+    request: HttpRequest,
+    visible_names: list[str],
+    readonly: set[str],
+) -> dict[str, list[str]]:
+    """Build the ``prepopulated_fields`` block (#245).
+
+    Returns ``{target: [sources]}`` from ``ModelAdmin.prepopulated_fields``,
+    restricted to fields actually rendered: a target that's readonly or not
+    in the form is dropped (it can't be filled), and source names the form
+    doesn't render are filtered out. A target left with no usable sources is
+    omitted. The SPA slugifies the target from its sources while typing.
+    """
+    try:
+        raw = model_admin.get_prepopulated_fields(request, None) or {}
+    except Exception:  # pragma: no cover — admin author error
+        return {}
+    visible = set(visible_names)
+    out: dict[str, list[str]] = {}
+    for target, sources in raw.items():
+        if target not in visible or target in readonly:
+            continue
+        kept = [s for s in sources if s in visible]
+        if kept:
+            out[target] = kept
+    return out

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a6}/django_admin_react/api/views/detail.py

@@ -207,17 +207,26 @@ def _fieldsets_payload(
     except Exception:
         raw = ()
     if not raw:
-        return [{"title": None, "fields": visible_names}]
+        return [{"title": None, "fields": visible_names, "field_rows": [[n] for n in visible_names]}]
 
     visible_set = set(visible_names)
     payload: list[dict[str, Any]] = []
     for title, opts in raw:
-        fields = [
-            sub
-            for entry in opts.get("fields", ())
-            for sub in (entry if isinstance(entry, list | tuple) else (entry,))
-            if sub in visible_set
-        ]
+        # Preserve Django's multi-field-row grouping (#382): a fieldset
+        # ``fields`` entry that is a tuple/list — e.g. ``(("first", "last"),
+        # "email")`` — is one display row. ``field_rows`` keeps that shape
+        # (each inner list = one row, after the visibility filter); the flat
+        # ``fields`` is kept for back-compat as the row-flattened list.
+        field_rows: list[list[str]] = []
+        for entry in opts.get("fields", ()):
+            row = [
+                sub
+                for sub in (entry if isinstance(entry, list | tuple) else (entry,))
+                if sub in visible_set
+            ]
+            if row:
+                field_rows.append(row)
+        fields = [sub for row in field_rows for sub in row]
         if fields:
             # Carry the fieldset's ``classes`` (e.g. ``collapse`` / ``wide``)
             # and ``description`` so the SPA can render a collapsible section
@@ -228,11 +237,14 @@ def _fieldsets_payload(
                 {
                     "title": title,
                     "fields": fields,
+                    "field_rows": field_rows,
                     "classes": classes,
                     "description": str(description) if description else None,
                 }
             )
-    return payload or [{"title": None, "fields": visible_names}]
+    return payload or [
+        {"title": None, "fields": visible_names, "field_rows": [[n] for n in visible_names]}
+    ]
 
 
 def _fields_payload(

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a6}/django_admin_react/api/views/list.py

@@ -46,6 +46,19 @@ from django_admin_react.api.serializers import serialize_value
 from django_admin_react.api.views.actions import actions_payload
 from django_admin_react.api.writes import not_found_response
 
+# Query params the list view manages itself (pagination / sort / search);
+# any *other* key is a list_filter or date_hierarchy lookup, i.e. the list
+# is narrowed. Used to decide whether the unfiltered ``full_count`` could
+# differ from ``total`` (#311) — and so whether the extra COUNT(*) is worth
+# running at all. ``all`` is Django's ``ALL_VAR`` "Show all" flag, not a
+# filter lookup, so it must not flip the list into the narrowed branch.
+_COUNT_RESERVED_PARAMS = frozenset({"page", "page_size", "ordering", "q", "all"})
+
+# Django's ``ALL_VAR`` — the query param its changelist uses for the
+# "Show all N" link (#385). Its mere presence requests show-all; the value
+# is ignored, mirroring Django.
+_ALL_VAR = "all"
+
 
 class ListView(View):
     """``GET /api/v1/<app_label>/<model_name>/`` — paginated list."""
@@ -90,6 +103,9 @@ class ListView(View):
         # Apply ``list_select_related`` up front so FK columns don't issue
         # one query per row (Django changelist parity / N+1 fix).
         queryset = _apply_select_related(queryset, model_admin, list_display)
+        # The admin's unfiltered base — captured before search / list_filter
+        # / date narrowing — for the ``show_full_result_count`` parity below.
+        base_queryset = queryset
 
         q = request.GET.get("q", "") or ""
         if q and model_admin.search_fields:
@@ -108,8 +124,40 @@ class ListView(View):
 
         total = queryset.count()
 
-        page_size = _clamp_page_size(request.GET.get("page_size"))
-        page = _clamp_page(request.GET.get("page"))
+        # ``show_full_result_count`` parity (#311): when the list is
+        # narrowed (search / list_filter / date_hierarchy), surface the
+        # unfiltered base count so the SPA can show "X of Y". Honour
+        # ``ModelAdmin.show_full_result_count`` (default True) — Django's
+        # opt-out for tables where the extra COUNT(*) is too expensive,
+        # in which case we send ``null``. When the view isn't narrowed the
+        # full count equals ``total``, so skip the redundant query.
+        show_full = getattr(model_admin, "show_full_result_count", True)
+        narrowed = bool(q) or any(k not in _COUNT_RESERVED_PARAMS for k in request.GET)
+        if not show_full:
+            full_count: int | None = None
+        elif narrowed:
+            full_count = base_queryset.count()
+        else:
+            full_count = total
+
+        # "Show all N" parity (#385): Django's changelist drops pagination
+        # when the ``all`` param (its ``ALL_VAR``) is present AND the result
+        # count is at/below ``list_max_show_all`` (default 200). Above that
+        # cap the flag is ignored and the list paginates normally — the
+        # guard that stops a crawler forcing a huge unbounded materialise.
+        list_max_show_all = int(getattr(model_admin, "list_max_show_all", 200))
+        show_all = _ALL_VAR in request.GET and total <= list_max_show_all
+
+        if show_all:
+            # One page holding every row: page 1, page_size = total. The
+            # ``max(total, 1)`` keeps page_size positive for an empty list
+            # (a 0-size page would slice to nothing, but there's nothing to
+            # show anyway).
+            page = 1
+            page_size = max(total, 1)
+        else:
+            page_size = _clamp_page_size(request.GET.get("page_size"))
+            page = _clamp_page(request.GET.get("page"))
         start = (page - 1) * page_size
         end = start + page_size
 
@@ -134,6 +182,13 @@ class ListView(View):
             "object_name": model._meta.object_name,
             "verbose_name": str(model._meta.verbose_name),
             "verbose_name_plural": str(model._meta.verbose_name_plural),
+            # Name of the primary-key field (usually ``id``). The SPA uses
+            # it to identify the pk column among ``columns`` so it can pin
+            # it first, never truncate it, and keep it from being hidden —
+            # the pk is the row's identity and must always be readable in
+            # full. May or may not appear in ``list_display``; when it
+            # doesn't, the SPA simply has nothing to pin.
+            "pk_field": model._meta.pk.name,
             "permissions": model_permissions(model_admin, request),
             "columns": columns,
             "search_fields": list(model_admin.search_fields or ()),
@@ -142,6 +197,14 @@ class ListView(View):
             "page": page,
             "page_size": page_size,
             "total": total,
+            # Unfiltered base count when the list is narrowed (else == total);
+            # ``null`` when ``show_full_result_count`` is False. The SPA shows
+            # "<total> of <full_count>" when they differ (#311).
+            "full_count": full_count,
+            # ``ModelAdmin.list_max_show_all`` (default 200): the SPA offers a
+            # "Show all N" control only when ``total`` is at/below this cap,
+            # matching Django's changelist (#385).
+            "list_max_show_all": list_max_show_all,
             "results": results,
         }
         date_hierarchy = date_hierarchy_payload(

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a6}/django_admin_react/api/views/password.py

@@ -146,7 +146,11 @@ class SetPasswordView(View):
             # rotating the session auth hash (otherwise the password
             # change would log them straight out).
             if request.user.pk == obj.pk:
-                update_session_auth_hash(request, obj)
+                # django-stubs types the ``user`` param as the concrete
+                # ``User``; ``obj`` is the admin's user model (an
+                # ``AbstractBaseUser``), which is correct at runtime. The
+                # stub is over-narrow, so ignore just this arg-type.
+                update_session_auth_hash(request, obj)  # type: ignore[arg-type]
             # Audit parity: the legacy admin logs a CHANGE with the fixed
             # "Changed password." message (never the value or a diff of
             # the password fields). Match it byte-for-byte.