django-admin-react 0.2.0a5__tar.gz → 0.2.0a7__tar.gz

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: django-admin-react
-Version: 0.2.0a5
+Version: 0.2.0a7
 Summary: A drop-in React single-page admin for Django, driven entirely by ModelAdmin.
 License: MIT
 Keywords: django,admin,react,spa,tailwind
@@ -152,6 +152,10 @@ DJANGO_ADMIN_REACT = {
     "BRAND_LOGO_URL": None,     # str | None — used as the favicon and
                                 # the sidebar logo. Absolute URL or a
                                 # path under your STATIC_URL.
+    "PRIMARY_COLOR": "#2563eb", # accent for primary buttons, links, and
+                                # active states. Hex only (validated);
+                                # injected as the --dar-primary CSS var, so
+                                # rebranding needs no React rebuild.
 }
 ```
 
@@ -193,6 +197,52 @@ brand. No flash of the package's defaults.
   `AUTH_USER_MODEL`, custom `AUTHENTICATION_BACKENDS`, and custom
   `AdminSite.has_permission`.
 
+### Production: static files (and media for file uploads)
+
+The wheel ships the pre-built bundle under the package's `static/` and
+serves it through `{% static %}`. With `DEBUG = True`, Django's
+staticfiles app serves it automatically — nothing to do. **In
+production** you collect + serve static files like any Django app:
+
+```python
+# settings.py
+STATIC_URL = "/static/"
+STATIC_ROOT = BASE_DIR / "staticfiles"   # where collectstatic gathers files
+```
+
+```bash
+python manage.py collectstatic --no-input
+```
+
+Then serve `STATIC_ROOT` from your web server / CDN — or let
+[WhiteNoise](https://whitenoise.readthedocs.io/) do it:
+
+```python
+MIDDLEWARE = [
+    "django.middleware.security.SecurityMiddleware",
+    "whitenoise.middleware.WhiteNoiseMiddleware",   # right after SecurityMiddleware
+    # ...
+]
+```
+
+> If the SPA shell loads but its JS/CSS 404 (blank page, console errors),
+> this `collectstatic` step is what's missing.
+
+**File / image fields.** Editing `FileField` / `ImageField` needs
+Django's media settings:
+
+```python
+# settings.py
+MEDIA_URL = "/media/"
+MEDIA_ROOT = BASE_DIR / "media"
+```
+
+Uploads go through your configured file storage
+(`STORAGES["default"]` / `DEFAULT_FILE_STORAGE`); in production serve
+`MEDIA_ROOT` from your web server or object storage as usual.
+
+> ⚠️ **Serving user-uploaded media has security implications** (access-gating, stored-file XSS). See [`SECURITY.md` §9](SECURITY.md) before exposing `MEDIA_URL` in production — `FileField`/`ImageField` are writable.
+
 ### Running side-by-side with the legacy admin
 
 A common rollout: keep `/admin/` on the legacy HTML admin, mount the

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a7}/README.md

@@ -121,6 +121,10 @@ DJANGO_ADMIN_REACT = {
     "BRAND_LOGO_URL": None,     # str | None — used as the favicon and
                                 # the sidebar logo. Absolute URL or a
                                 # path under your STATIC_URL.
+    "PRIMARY_COLOR": "#2563eb", # accent for primary buttons, links, and
+                                # active states. Hex only (validated);
+                                # injected as the --dar-primary CSS var, so
+                                # rebranding needs no React rebuild.
 }
 ```
 
@@ -162,6 +166,52 @@ brand. No flash of the package's defaults.
   `AUTH_USER_MODEL`, custom `AUTHENTICATION_BACKENDS`, and custom
   `AdminSite.has_permission`.
 
+### Production: static files (and media for file uploads)
+
+The wheel ships the pre-built bundle under the package's `static/` and
+serves it through `{% static %}`. With `DEBUG = True`, Django's
+staticfiles app serves it automatically — nothing to do. **In
+production** you collect + serve static files like any Django app:
+
+```python
+# settings.py
+STATIC_URL = "/static/"
+STATIC_ROOT = BASE_DIR / "staticfiles"   # where collectstatic gathers files
+```
+
+```bash
+python manage.py collectstatic --no-input
+```
+
+Then serve `STATIC_ROOT` from your web server / CDN — or let
+[WhiteNoise](https://whitenoise.readthedocs.io/) do it:
+
+```python
+MIDDLEWARE = [
+    "django.middleware.security.SecurityMiddleware",
+    "whitenoise.middleware.WhiteNoiseMiddleware",   # right after SecurityMiddleware
+    # ...
+]
+```
+
+> If the SPA shell loads but its JS/CSS 404 (blank page, console errors),
+> this `collectstatic` step is what's missing.
+
+**File / image fields.** Editing `FileField` / `ImageField` needs
+Django's media settings:
+
+```python
+# settings.py
+MEDIA_URL = "/media/"
+MEDIA_ROOT = BASE_DIR / "media"
+```
+
+Uploads go through your configured file storage
+(`STORAGES["default"]` / `DEFAULT_FILE_STORAGE`); in production serve
+`MEDIA_ROOT` from your web server or object storage as usual.
+
+> ⚠️ **Serving user-uploaded media has security implications** (access-gating, stored-file XSS). See [`SECURITY.md` §9](SECURITY.md) before exposing `MEDIA_URL` in production — `FileField`/`ImageField` are writable.
+
 ### Running side-by-side with the legacy admin
 
 A common rollout: keep `/admin/` on the legacy HTML admin, mount the

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a7}/django_admin_react/api/filters.py

@@ -92,6 +92,38 @@ def _safe_get_field(model: type[Model], name: str) -> Field | None:
     return field if isinstance(field, Field) else None
 
 
+def _resolve_field_path(model: type[Model], path: str) -> Field | None:
+    """Resolve a ``list_filter`` entry to its leaf model ``Field``.
+
+    Handles a plain field name (``"status"``) and a **related-field path**
+    that spans relations (``"author__is_active"`` / ``"order__customer__country"``):
+    each non-final segment must be a relation we can traverse, and the
+    final segment is the leaf field whose *type* drives the descriptor and
+    whose value the ORM filters on (Django applies ``filter(path=value)``
+    natively). Transform lookups (``__year`` / ``__gte`` / ``__icontains``)
+    are not fields and resolve to ``None`` — a separate follow-up (#440).
+    Reverse / generic relations collapse to ``None``, like ``_safe_get_field``.
+    """
+    parts = path.split("__")
+    current: type[Model] = model
+    field: Field | None = None
+    for index, part in enumerate(parts):
+        try:
+            candidate = current._meta.get_field(part)
+        except Exception:
+            return None
+        if not isinstance(candidate, Field):
+            return None
+        field = candidate
+        if index < len(parts) - 1:
+            # Non-final segment must be a relation we can step into.
+            related = getattr(candidate, "related_model", None)
+            if related is None or isinstance(related, str):
+                return None
+            current = related
+    return field
+
+
 def _spec_for_boolean(field_name: str, field: Any) -> dict[str, Any]:
     return {
         "name": field_name,
@@ -144,18 +176,40 @@ def _spec_for_fk(
         "to": {"app_label": meta.app_label, "model_name": meta.model_name},
     }
     # Inline up to _FK_FILTER_MAX_OPTIONS choices for tiny tables;
-    # larger tables defer to the autocomplete endpoint (#59).
+    # larger tables defer to the autocomplete endpoint (#59). Respect the
+    # FK's ``limit_choices_to`` so the offered options match Django's
+    # RelatedFieldListFilter, whose choices come from
+    # ``complex_filter(limit_choices_to)`` — a FK declared with, e.g.,
+    # ``limit_choices_to={"is_active": True}`` must not offer the rows it
+    # excludes (#273). An unset / empty / callable-returning-empty limit
+    # is falsy, so the unfiltered manager is used unchanged (and we never
+    # call ``complex_filter(None)``, which would raise).
+    base_qs = related._default_manager.all()
+    limit = field.get_limit_choices_to()
+    if limit:
+        try:
+            base_qs = related._default_manager.complex_filter(limit)
+        except Exception:
+            base_qs = related._default_manager.all()
     try:
-        count = related._default_manager.count()
+        count = base_qs.count()
     except Exception:
         count = _FK_FILTER_MAX_OPTIONS + 1
     if count <= _FK_FILTER_MAX_OPTIONS:
         from django_admin_react.api.serializers import label_for
 
         payload["choices"] = [
-            {"value": obj.pk, "label": label_for(obj)}
-            for obj in related._default_manager.all()[:_FK_FILTER_MAX_OPTIONS]
+            {"value": obj.pk, "label": label_for(obj)} for obj in base_qs[:_FK_FILTER_MAX_OPTIONS]
         ]
+    elif admin_site is not None:
+        # High-cardinality target (#282): don't inline; hint the SPA to use
+        # the autocomplete endpoint for this filter — but only when the
+        # target admin declares ``search_fields`` (autocomplete 400s
+        # otherwise). The endpoint is already staff-gated and runs the
+        # target's own ``get_search_results``; this is purely a UI hint.
+        target_admin = admin_site._registry.get(related)
+        if target_admin is not None and getattr(target_admin, "search_fields", None):
+            payload["autocomplete"] = True
     return payload
 
 
@@ -179,10 +233,22 @@ def _spec_for_simple_filter(
         lookups = list(instance.lookups(request, model_admin) or [])
     except Exception:  # pragma: no cover — admin author error
         lookups = []
+    # The lookup the filter is currently applying — Django's
+    # ``SimpleListFilter.value()``. Crucially this includes a *default*
+    # the filter applies when no querystring param is present (a common
+    # "exclude test tenants unless opted in" pattern): such a filter
+    # returns its default from ``value()``, so the SPA can reflect the
+    # default as selected instead of showing "All" while the backend
+    # silently narrows the rows (#283). ``None`` means no selection.
+    try:
+        selected = instance.value()
+    except Exception:  # pragma: no cover — admin author error
+        selected = None
     return {
         "name": instance.parameter_name,
         "label": str(getattr(instance, "title", "") or instance.parameter_name),
         "type": "custom",
+        "selected": selected,
         "lookups": [{"value": v, "label": str(lbl)} for v, lbl in lookups],
     }
 
@@ -242,9 +308,17 @@ def filters_payload(
         if is_sensitive_field_name(field_name):
             continue
 
-        field = _safe_get_field(model, field_name)
+        # Resolve a plain field OR a related-field path (#440). The
+        # descriptor `name` stays the full path so the SPA round-trips
+        # `?<path>=<value>` and the ORM filters natively.
+        field = _resolve_field_path(model, field_name)
         if field is None:
             continue
+        # Defense-in-depth: a path can end in a sensitive leaf
+        # (`author__password`) even when the path string itself didn't trip
+        # the denylist — drop it.
+        if is_sensitive_field_name(field.name):
+            continue
         if isinstance(field, BooleanField):
             out.append(_spec_for_boolean(field_name, field))
         elif isinstance(field, ForeignKey):
@@ -302,9 +376,14 @@ def apply_filters(queryset: QuerySet, model_admin: ModelAdmin, request: HttpRequ
         if raw_value is None or raw_value == "":
             continue
 
-        field = _safe_get_field(model, field_name)
+        # Resolve a plain field OR a related-field path (#440); the leaf
+        # field's type picks the coercion below, while the full path is the
+        # lookup the ORM applies (`filter(author__is_active=True)`).
+        field = _resolve_field_path(model, field_name)
         if field is None:
             continue
+        if is_sensitive_field_name(field.name):
+            continue
 
         try:
             if isinstance(field, BooleanField):

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a7}/django_admin_react/api/inlines.py

@@ -100,6 +100,26 @@ def _get_inline_instances(
         return []
 
 
+def _show_change_link_allowed(
+    admin_site: Any, child_model: type[Model], request: HttpRequest
+) -> bool:
+    """Whether to advertise an inline row's link to the child's change page.
+
+    Mirrors ``serialize_fk_value``'s ``to`` gate (#301): only when the child
+    model is registered on this admin site **and** the requesting user has
+    ``has_view_permission`` for it. Registration alone isn't enough — without
+    the per-user check the SPA would render a link the detail endpoint 404s
+    on and leak the adjacency / identity of a model the user can't view
+    (extends the #89 registry guard to a per-user check).
+    """
+    if admin_site is None:
+        return False
+    target_admin = getattr(admin_site, "_registry", {}).get(child_model)
+    if target_admin is None:
+        return False
+    return bool(target_admin.has_view_permission(request))
+
+
 def _spec_for_inline(
     inline: InlineModelAdmin,
     parent: Model,
@@ -148,6 +168,14 @@ def _spec_for_inline(
         "can_add": can_add,
         "can_change": can_change,
         "can_delete": can_delete,
+        # InlineModelAdmin.show_change_link (#384) — when True, the SPA
+        # renders a per-row link to the child's own change page. Gated on
+        # the child being registered **and** the user's per-model
+        # has_view_permission (#301 least-disclosure, same gate as
+        # serialize_fk_value's `to`): never advertise a link the detail
+        # endpoint would 404 on, never leak adjacency to an unviewable model.
+        "show_change_link": bool(getattr(inline, "show_change_link", False))
+        and _show_change_link_allowed(admin_site, child_model, request),
         "fields": fields_meta,
         "rows": rows,
     }

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a7}/django_admin_react/api/inlines_write.py

@@ -69,6 +69,21 @@ class InlinePermissionDenied(Exception):
         self.state = state
 
 
+class InlineValidationError(Exception):
+    """Carries inline formset errors out of the caller's ``atomic()`` block.
+
+    Raised so the transaction unwinds (reverting the parent write), then
+    caught immediately outside the block and converted to a 400 with the
+    per-inline error detail. Using an exception rather than an early return
+    is what guarantees the rollback — a plain return inside ``atomic()``
+    would commit the parent. Shared by the create + update endpoints.
+    """
+
+    def __init__(self, errors: dict) -> None:
+        super().__init__("inline formset validation failed")
+        self.errors = errors
+
+
 def _inline_name(inline: InlineModelAdmin, parent: Model) -> str:
     """The identifier the read half emits for this inline.
 

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a7}/django_admin_react/api/registry.py

@@ -319,6 +319,10 @@ def save_options(
       flag (default True): after a "Save as new", whether the SPA
       lands on the new object's change view (True) or the changelist
       (False).
+    - ``save_on_top`` — the raw ``ModelAdmin.save_on_top`` flag (default
+      False): when True, the SPA mirrors the save-button row at the top
+      of the form too, matching Django's change-form layout (#251).
+      Purely presentational — button visibility is unchanged.
 
     ``has_editable_inline_admin_formsets`` is **not** factored in here
     (the package's inline write-half is tracked under #54). Until that
@@ -330,6 +334,7 @@ def save_options(
     is_add = not is_change
     save_as = bool(getattr(model_admin, "save_as", False))
     save_as_continue = bool(getattr(model_admin, "save_as_continue", True))
+    save_on_top = bool(getattr(model_admin, "save_on_top", False))
 
     has_add = bool(model_admin.has_add_permission(request))
     has_change = bool(model_admin.has_change_permission(request, obj))
@@ -351,6 +356,7 @@ def save_options(
         "show_save_as_new": show_save_as_new,
         "save_as": save_as,
         "save_as_continue": save_as_continue,
+        "save_on_top": save_on_top,
     }
 
 

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a7}/django_admin_react/api/views/actions.py

@@ -32,6 +32,7 @@ from __future__ import annotations
 from typing import Any
 
 from django.contrib.admin.utils import model_format_dict
+from django.contrib.messages import get_messages
 from django.db import transaction
 from django.http import HttpRequest
 from django.http import HttpResponse
@@ -131,17 +132,26 @@ class ActionView(View):
         with transaction.atomic():
             result = action_callable(model_admin, request, queryset)
 
+        # Surface any messages the action queued via
+        # ``ModelAdmin.message_user`` (#442) so the SPA can toast them —
+        # iterating ``get_messages`` consumes them, so they don't also leak
+        # into the session for the next page render. ``level_tag`` is
+        # Django's "success" / "info" / "warning" / "error" / "debug".
+        messages = [
+            {"level": m.level_tag or "info", "message": str(m)} for m in get_messages(request)
+        ]
+
         # Django admin's action contract: the callable may return an
         # ``HttpResponse`` (typically a redirect to a confirmation
         # page) — we surface that as a JSON envelope so the SPA can
         # follow it without parsing HTML.
         if isinstance(result, HttpResponse):
             body: dict[str, Any] = {"redirect": result["Location"]} if "Location" in result else {}
-            body.update({"executed": True, "action": action_name})
+            body.update({"executed": True, "action": action_name, "messages": messages})
             response = JsonResponse(body, status=200)
         else:
             response = JsonResponse(
-                {"executed": True, "action": action_name, "pks": list(pks)},
+                {"executed": True, "action": action_name, "pks": list(pks), "messages": messages},
                 status=200,
             )
         response["Cache-Control"] = "no-store"

{django_admin_react-0.2.0a5 → django_admin_react-0.2.0a7}/django_admin_react/api/views/bulk.py

@@ -33,6 +33,7 @@ from __future__ import annotations
 
 from typing import Any
 
+from django.db import IntegrityError
 from django.db import transaction
 from django.http import HttpRequest
 from django.http import HttpResponse
@@ -44,6 +45,7 @@ from django_admin_react.api.permissions import is_admin_user
 from django_admin_react.api.registry import get_admin_site
 from django_admin_react.api.registry import resolve_model
 from django_admin_react.api.writes import bad_request
+from django_admin_react.api.writes import conflict_error
 from django_admin_react.api.writes import form_errors_to_envelope
 from django_admin_react.api.writes import load_object_or_none
 from django_admin_react.api.writes import log_change
@@ -180,6 +182,26 @@ def _apply_one(
             "error": {"code": "forbidden", "message": "You do not have permission."},
         }
 
+    # list_editable parity + scope guard (#401): this endpoint powers the
+    # changelist's inline-editable cells, so a write may only touch fields
+    # the admin put in ``list_editable`` — exactly like Django, which only
+    # accepts ``list_editable`` names on a changelist POST. A field that's
+    # writable on the *change form* but not list_editable (or ANY field
+    # when list_editable is empty) is rejected here, even though the user
+    # could edit it through the detail form. This keeps the bulk surface
+    # from silently widening the set of fields editable from the list.
+    list_editable = set(getattr(model_admin, "list_editable", ()) or ())
+    not_editable = sorted(k for k in fields if k not in list_editable)
+    if not_editable:
+        return {
+            "pk": pk,
+            "ok": False,
+            "error": {
+                "code": "bad_request",
+                "message": f"Field(s) not editable in the list view: {', '.join(not_editable)}.",
+            },
+        }
+
     writable = writable_field_names(model, model_admin, request, obj)
     forbidden = readonly_or_excluded_names(model_admin, request, obj)
     rejection = reject_forbidden_keys(fields, writable, forbidden)
@@ -208,8 +230,19 @@ def _apply_one(
             },
         }
 
-    instance = form.save(commit=False)
-    model_admin.save_model(request, instance, form, change=True)
-    form.save_m2m()
-    log_change(model_admin, request, instance, form)
+    # Per-row savepoint so a DB IntegrityError the form didn't catch (a
+    # uniqueness race, or a DB-level constraint) rolls back just this row
+    # and returns a clean per-row error — keeping the surrounding batch
+    # transaction usable instead of aborting it (and 500ing) (#404). The
+    # batch still rolls everything back when any row is rejected.
+    try:
+        with transaction.atomic():
+            instance = form.save(commit=False)
+            model_admin.save_model(request, instance, form, change=True)
+            # M2M / related via the admin hook (#402) so a consumer's
+            # save_related override runs (default = save_m2m).
+            model_admin.save_related(request, form, [], change=True)
+            log_change(model_admin, request, instance, form)
+    except IntegrityError:
+        return {"pk": pk, "ok": False, "error": conflict_error()}
     return {"pk": pk, "ok": True}