django-approve-flow 0.1.0__tar.gz

django_approve_flow-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Denis Novikov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

django_approve_flow-0.1.0/PKG-INFO

@@ -0,0 +1,242 @@
+Metadata-Version: 2.4
+Name: django-approve-flow
+Version: 0.1.0
+Summary: Moderate edits in the Django admin: changes to tracked model fields wait for a second person's approval (four-eyes / maker-checker)
+License-Expression: MIT
+License-File: LICENSE
+Keywords: django,admin,approval,maker-checker,four-eyes,workflow,moderator
+Author: Denis Novikov
+Author-email: alpden550@gmail.com
+Requires-Python: >=3.13
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Environment :: Web Environment
+Classifier: Framework :: Django
+Classifier: Framework :: Django :: 5.0
+Classifier: Framework :: Django :: 5.1
+Classifier: Intended Audience :: Developers
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Dist: django (>=5)
+Project-URL: Homepage, https://github.com/alpden550/django-approve
+Project-URL: Issues, https://github.com/alpden550/django-approve/issues
+Project-URL: Repository, https://github.com/alpden550/django-approve
+Description-Content-Type: text/markdown
+
+# django-approve-flow
+
+> Moderate edits in the Django admin — a change to a tracked model field isn't
+> saved directly, it waits for a second person's approval (four-eyes /
+> maker-checker).
+
+[![CI](https://github.com/alpden550/django-approve/actions/workflows/ci.yml/badge.svg)](https://github.com/alpden550/django-approve/actions/workflows/ci.yml)
+[![PyPI version](https://img.shields.io/pypi/v/django-approve-flow.svg)](https://pypi.org/project/django-approve-flow/)
+[![Python versions](https://img.shields.io/pypi/pyversions/django-approve-flow.svg)](https://pypi.org/project/django-approve-flow/)
+[![Django](https://img.shields.io/badge/django-5%2B-092e20.svg)](https://www.djangoproject.com/)
+[![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
+
+**Granularity is per field, not per object.** A single save touching three
+tracked fields creates three independent requests, each with its own status and
+its own reviewer. There is no batch / "change set" model — grouping is purely a
+UX artifact (one "Submitted for approval: a, b, c" message).
+
+## How it works
+
+1. **Register** a model to make its fields *eligible* for approval.
+2. **Pick** which eligible fields are actually *tracked*, in the admin.
+3. **Add the admin mixin.** Editing a tracked field now creates an approval
+   request instead of writing the value.
+4. A **reviewer** approves or rejects each request — per field, independently.
+
+## Installation
+
+```bash
+pip install django-approve-flow
+```
+
+```python
+INSTALLED_APPS = [
+    "django.contrib.contenttypes",
+    "django_approve",
+]
+```
+
+Run `migrate`. This creates the `ApprovalConfig` / `ChangeRequestField` tables,
+syncs an `ApprovalConfig` row per registered model, and creates the `Approvals`
+group with `view` / `change` permissions on both models.
+
+Optionally, add the middleware to show reviewers an *"N change request(s)
+awaiting review"* banner on the admin index:
+
+```python
+MIDDLEWARE = [
+    "django_approve.middlewares.PendingApprovalsNoticeMiddleware",
+]
+```
+
+It only fires on `GET /admin/`, for active users in the `Approvals` group, and
+only when at least one `pending` request exists.
+
+## Usage
+
+### 1. Register a model
+
+```python
+from django_approve.registry import register
+
+@register
+class Employee(models.Model):
+    name = models.CharField(max_length=255)
+    salary = models.DecimalField(max_digits=10, decimal_places=2)
+    manager = models.ForeignKey("self", null=True, on_delete=models.SET_NULL)
+```
+
+Bare `@register` makes *every* eligible field a candidate. A field is eligible
+when it is concrete and editable, and is **not**:
+
+- the primary key,
+- non-editable,
+- an `auto_now` / `auto_now_add` timestamp,
+- a `FileField` / `ImageField` (files and M2M are out of scope for v1).
+
+To narrow the set further, pass `fields` — it is intersected with the eligible
+candidates:
+
+```python
+@register(fields=["salary", "manager"])
+class Employee(models.Model):
+    ...
+```
+
+Registering only makes a field *eligible* — nothing is tracked yet.
+
+### 2. Pick tracked fields in the admin
+
+Each registered model gets an `ApprovalConfig` row (synced automatically on
+`migrate`). In the `ApprovalConfig` admin, check which candidate fields should
+actually go through the approval flow — this is `tracked_fields`, a subset of
+the candidates. Rows can't be added or deleted by hand; they only come from the
+sync.
+
+### 3. Add the admin mixin
+
+```python
+from django_approve import ApprovalAdminMixin
+
+@admin.register(Employee)
+class EmployeeAdmin(ApprovalAdminMixin, admin.ModelAdmin):
+    ...
+```
+
+From here on, editing a tracked field through this admin no longer writes it
+directly:
+
+- The change is diverted into a `ChangeRequestField(status=pending)` with the
+  old / new value serialized, and the in-memory value is reverted before
+  saving. Untracked fields save normally in the same request.
+- While a request is pending, the field is locked (`get_readonly_fields`) and
+  the change form shows a "Pending approval" block above it.
+- A reviewer (member of the `Approvals` group) sees a banner on the admin
+  index, then works through pending rows in the `ChangeRequestField` changelist
+  — **Approve** or **Reject**, per field, independently. Both are also
+  available as bulk actions: select multiple pending rows and run **Approve
+  selected** / **Reject selected** in one go.
+
+See [Screenshots](#screenshots) for what this looks like in the admin.
+
+> [!WARNING]
+> **Locking only happens in the admin.** The whole flow — diverting edits,
+> locking fields, showing the pending block — lives in `ApprovalAdminMixin`.
+> Calling `.save()` from code (management commands, Celery tasks, shell, DRF)
+> bypasses it entirely and writes straight to the row. For the same guarantee
+> outside the admin, call `apply_field` yourself or add your own guard — there
+> is no model-level enforcement.
+
+## Statuses
+
+| Status      | Meaning                                                                                                       |
+| ----------- | ------------------------------------------------------------------------------------------------------------ |
+| `pending`   | Awaiting review. Field is locked.                                                                             |
+| `approved`  | Applied to the target in the same atomic transaction as the status change. There is no separate "applied" state. |
+| `rejected`  | Reviewer declined the change. Reviewer-only verb.                                                             |
+| `cancelled` | The author withdrew the request. Author-only verb.                                                           |
+| `deleted`   | The target was deleted while the request was pending. Set automatically via `post_delete`; never a manual choice. |
+
+A pending request can only move forward, and the role restricts the available
+choices:
+
+- the **author** can `cancel`, but never `approve` / `reject` their own request
+  (when `APPROVE_REQUIRE_DIFFERENT_USER` is on);
+- a **reviewer** can `approve` / `reject`, but not `cancel` someone else's
+  request.
+
+If the target's current value no longer matches the recorded `old_value` at
+approval time (someone else changed it in the meantime), approval fails with a
+`ConflictError` shown as an admin message — the request stays `pending` and
+nothing is applied.
+
+## Settings
+
+All settings are optional; defaults are shown.
+
+```python
+APPROVE_AUTO_CREATE_GROUP = True       # create/maintain the Approvals group via post_migrate
+APPROVE_GROUP_NAME = "Approvals"       # group name; membership = reviewer
+APPROVE_REQUIRE_DIFFERENT_USER = True  # four-eyes: block self-approval (SelfApprovalError)
+```
+
+`APPROVE_AUTO_CREATE_GROUP` only controls whether the package manages the
+group's permissions on `migrate`; it never adds or removes users.
+
+## Supported field types (v1)
+
+Any concrete, editable field is supported, with two serialization paths:
+
+- **Relations** (`ForeignKey`, `OneToOneField`) — stored as the related
+  object's `.pk`, restored via `related_model._base_manager.get(pk=...)`; raises
+  `ConflictError` instead of `DoesNotExist` if the target was deleted before
+  approval.
+- **Everything else** — stored via `field.get_prep_value()` encoded with
+  `DjangoJSONEncoder` (covers `str` / `int` / `bool`, `Decimal`, `date` /
+  `datetime` / `time` / `timedelta`, `UUID`, `JSONField`, …), restored via
+  `field.to_python()`.
+
+Out of scope for v1: `FileField` / `ImageField`, `ManyToManyField`, and (as for
+any tracked field) the primary key, non-editable, and `auto_now` /
+`auto_now_add` fields.
+
+## Screenshots
+
+<details>
+<summary>ApprovalConfig: pick tracked fields per model</summary>
+
+![Approval configurations changelist](docs/screenshots/configurations.png)
+![Picking tracked fields for a model](docs/screenshots/tracked_fields.png)
+
+</details>
+
+<details>
+<summary>Locked field and pending-approval block on the change form</summary>
+
+![Locked fields with a pending-approval block](docs/screenshots/model.png)
+
+</details>
+
+<details>
+<summary>Reviewer: admin-index banner + ChangeRequestField changelist</summary>
+
+![Pending-requests banner on the admin index](docs/screenshots/approvers.png)
+![Change request fields changelist](docs/screenshots/requests.png)
+
+</details>
+
+## Development
+
+```bash
+poetry install
+poetry run pytest
+poetry run ruff check .
+```
+

django_approve_flow-0.1.0/README.md

@@ -0,0 +1,214 @@
+# django-approve-flow
+
+> Moderate edits in the Django admin — a change to a tracked model field isn't
+> saved directly, it waits for a second person's approval (four-eyes /
+> maker-checker).
+
+[![CI](https://github.com/alpden550/django-approve/actions/workflows/ci.yml/badge.svg)](https://github.com/alpden550/django-approve/actions/workflows/ci.yml)
+[![PyPI version](https://img.shields.io/pypi/v/django-approve-flow.svg)](https://pypi.org/project/django-approve-flow/)
+[![Python versions](https://img.shields.io/pypi/pyversions/django-approve-flow.svg)](https://pypi.org/project/django-approve-flow/)
+[![Django](https://img.shields.io/badge/django-5%2B-092e20.svg)](https://www.djangoproject.com/)
+[![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
+
+**Granularity is per field, not per object.** A single save touching three
+tracked fields creates three independent requests, each with its own status and
+its own reviewer. There is no batch / "change set" model — grouping is purely a
+UX artifact (one "Submitted for approval: a, b, c" message).
+
+## How it works
+
+1. **Register** a model to make its fields *eligible* for approval.
+2. **Pick** which eligible fields are actually *tracked*, in the admin.
+3. **Add the admin mixin.** Editing a tracked field now creates an approval
+   request instead of writing the value.
+4. A **reviewer** approves or rejects each request — per field, independently.
+
+## Installation
+
+```bash
+pip install django-approve-flow
+```
+
+```python
+INSTALLED_APPS = [
+    "django.contrib.contenttypes",
+    "django_approve",
+]
+```
+
+Run `migrate`. This creates the `ApprovalConfig` / `ChangeRequestField` tables,
+syncs an `ApprovalConfig` row per registered model, and creates the `Approvals`
+group with `view` / `change` permissions on both models.
+
+Optionally, add the middleware to show reviewers an *"N change request(s)
+awaiting review"* banner on the admin index:
+
+```python
+MIDDLEWARE = [
+    "django_approve.middlewares.PendingApprovalsNoticeMiddleware",
+]
+```
+
+It only fires on `GET /admin/`, for active users in the `Approvals` group, and
+only when at least one `pending` request exists.
+
+## Usage
+
+### 1. Register a model
+
+```python
+from django_approve.registry import register
+
+@register
+class Employee(models.Model):
+    name = models.CharField(max_length=255)
+    salary = models.DecimalField(max_digits=10, decimal_places=2)
+    manager = models.ForeignKey("self", null=True, on_delete=models.SET_NULL)
+```
+
+Bare `@register` makes *every* eligible field a candidate. A field is eligible
+when it is concrete and editable, and is **not**:
+
+- the primary key,
+- non-editable,
+- an `auto_now` / `auto_now_add` timestamp,
+- a `FileField` / `ImageField` (files and M2M are out of scope for v1).
+
+To narrow the set further, pass `fields` — it is intersected with the eligible
+candidates:
+
+```python
+@register(fields=["salary", "manager"])
+class Employee(models.Model):
+    ...
+```
+
+Registering only makes a field *eligible* — nothing is tracked yet.
+
+### 2. Pick tracked fields in the admin
+
+Each registered model gets an `ApprovalConfig` row (synced automatically on
+`migrate`). In the `ApprovalConfig` admin, check which candidate fields should
+actually go through the approval flow — this is `tracked_fields`, a subset of
+the candidates. Rows can't be added or deleted by hand; they only come from the
+sync.
+
+### 3. Add the admin mixin
+
+```python
+from django_approve import ApprovalAdminMixin
+
+@admin.register(Employee)
+class EmployeeAdmin(ApprovalAdminMixin, admin.ModelAdmin):
+    ...
+```
+
+From here on, editing a tracked field through this admin no longer writes it
+directly:
+
+- The change is diverted into a `ChangeRequestField(status=pending)` with the
+  old / new value serialized, and the in-memory value is reverted before
+  saving. Untracked fields save normally in the same request.
+- While a request is pending, the field is locked (`get_readonly_fields`) and
+  the change form shows a "Pending approval" block above it.
+- A reviewer (member of the `Approvals` group) sees a banner on the admin
+  index, then works through pending rows in the `ChangeRequestField` changelist
+  — **Approve** or **Reject**, per field, independently. Both are also
+  available as bulk actions: select multiple pending rows and run **Approve
+  selected** / **Reject selected** in one go.
+
+See [Screenshots](#screenshots) for what this looks like in the admin.
+
+> [!WARNING]
+> **Locking only happens in the admin.** The whole flow — diverting edits,
+> locking fields, showing the pending block — lives in `ApprovalAdminMixin`.
+> Calling `.save()` from code (management commands, Celery tasks, shell, DRF)
+> bypasses it entirely and writes straight to the row. For the same guarantee
+> outside the admin, call `apply_field` yourself or add your own guard — there
+> is no model-level enforcement.
+
+## Statuses
+
+| Status      | Meaning                                                                                                       |
+| ----------- | ------------------------------------------------------------------------------------------------------------ |
+| `pending`   | Awaiting review. Field is locked.                                                                             |
+| `approved`  | Applied to the target in the same atomic transaction as the status change. There is no separate "applied" state. |
+| `rejected`  | Reviewer declined the change. Reviewer-only verb.                                                             |
+| `cancelled` | The author withdrew the request. Author-only verb.                                                           |
+| `deleted`   | The target was deleted while the request was pending. Set automatically via `post_delete`; never a manual choice. |
+
+A pending request can only move forward, and the role restricts the available
+choices:
+
+- the **author** can `cancel`, but never `approve` / `reject` their own request
+  (when `APPROVE_REQUIRE_DIFFERENT_USER` is on);
+- a **reviewer** can `approve` / `reject`, but not `cancel` someone else's
+  request.
+
+If the target's current value no longer matches the recorded `old_value` at
+approval time (someone else changed it in the meantime), approval fails with a
+`ConflictError` shown as an admin message — the request stays `pending` and
+nothing is applied.
+
+## Settings
+
+All settings are optional; defaults are shown.
+
+```python
+APPROVE_AUTO_CREATE_GROUP = True       # create/maintain the Approvals group via post_migrate
+APPROVE_GROUP_NAME = "Approvals"       # group name; membership = reviewer
+APPROVE_REQUIRE_DIFFERENT_USER = True  # four-eyes: block self-approval (SelfApprovalError)
+```
+
+`APPROVE_AUTO_CREATE_GROUP` only controls whether the package manages the
+group's permissions on `migrate`; it never adds or removes users.
+
+## Supported field types (v1)
+
+Any concrete, editable field is supported, with two serialization paths:
+
+- **Relations** (`ForeignKey`, `OneToOneField`) — stored as the related
+  object's `.pk`, restored via `related_model._base_manager.get(pk=...)`; raises
+  `ConflictError` instead of `DoesNotExist` if the target was deleted before
+  approval.
+- **Everything else** — stored via `field.get_prep_value()` encoded with
+  `DjangoJSONEncoder` (covers `str` / `int` / `bool`, `Decimal`, `date` /
+  `datetime` / `time` / `timedelta`, `UUID`, `JSONField`, …), restored via
+  `field.to_python()`.
+
+Out of scope for v1: `FileField` / `ImageField`, `ManyToManyField`, and (as for
+any tracked field) the primary key, non-editable, and `auto_now` /
+`auto_now_add` fields.
+
+## Screenshots
+
+<details>
+<summary>ApprovalConfig: pick tracked fields per model</summary>
+
+![Approval configurations changelist](docs/screenshots/configurations.png)
+![Picking tracked fields for a model](docs/screenshots/tracked_fields.png)
+
+</details>
+
+<details>
+<summary>Locked field and pending-approval block on the change form</summary>
+
+![Locked fields with a pending-approval block](docs/screenshots/model.png)
+
+</details>
+
+<details>
+<summary>Reviewer: admin-index banner + ChangeRequestField changelist</summary>
+
+![Pending-requests banner on the admin index](docs/screenshots/approvers.png)
+![Change request fields changelist](docs/screenshots/requests.png)
+
+</details>
+
+## Development
+
+```bash
+poetry install
+poetry run pytest
+poetry run ruff check .
+```

django_approve_flow-0.1.0/django_approve/__init__.py

@@ -0,0 +1,19 @@
+from typing import TYPE_CHECKING, Any
+
+from django_approve.registry import register
+
+if TYPE_CHECKING:
+    from django_approve.admin import ApprovalAdminMixin
+
+__all__ = ["ApprovalAdminMixin", "register"]
+
+
+def __getattr__(name: str) -> Any:
+    """Lazily expose ApprovalAdminMixin from the package root."""
+    if name == "ApprovalAdminMixin":
+        from django_approve.admin import ApprovalAdminMixin  # noqa: PLC0415
+
+        return ApprovalAdminMixin
+
+    msg = f"module {__name__!r} has no attribute {name!r}"
+    raise AttributeError(msg)

django_approve_flow-0.1.0/django_approve/admin/__init__.py

@@ -0,0 +1,5 @@
+from django_approve.admin.approval_config import ApprovalConfigAdmin
+from django_approve.admin.change_request import ChangeRequestFieldAdmin
+from django_approve.admin.mixins import ApprovalAdminMixin
+
+__all__ = ["ApprovalAdminMixin", "ApprovalConfigAdmin", "ChangeRequestFieldAdmin"]

django_approve_flow-0.1.0/django_approve/admin/approval_config.py

@@ -0,0 +1,19 @@
+from django.contrib import admin
+
+from django_approve.admin.forms import ApprovalConfigForm
+from django_approve.models import ApprovalConfig
+
+
+@admin.register(ApprovalConfig)
+class ApprovalConfigAdmin(admin.ModelAdmin):
+    form = ApprovalConfigForm
+    list_display = ("content_type", "is_enabled", "tracked_fields")
+    list_filter = ("is_enabled",)
+    list_select_related = ("content_type",)
+    readonly_fields = ("content_type",)
+
+    def has_add_permission(self, request) -> bool:
+        return False
+
+    def has_delete_permission(self, request, obj=None) -> bool:
+        return False

django_approve_flow-0.1.0/django_approve/admin/change_request.py

@@ -0,0 +1,140 @@
+from collections import Counter
+
+from django.contrib import admin, messages
+from django.contrib.auth.models import AbstractBaseUser
+from django.db.models import QuerySet
+from django.http import HttpRequest
+from django.utils import timezone
+
+from django_approve.admin.filters import TargetModelFilter
+from django_approve.config import conf
+from django_approve.cons import ApprovalStatusChoices
+from django_approve.exceptions import ConflictError, SelfApprovalError
+from django_approve.models.change_request import ChangeRequestField
+from django_approve.services import apply_field
+
+
+@admin.register(ChangeRequestField)
+class ChangeRequestFieldAdmin(admin.ModelAdmin):
+    list_display = (
+        "content_type__model",
+        "target",
+        "change_type",
+        "status",
+        "field_name",
+        "old_value",
+        "new_value",
+        "requested_by",
+        "approved_by",
+    )
+    list_filter = ("status", "change_type", TargetModelFilter)
+    readonly_fields = (
+        "content_type",
+        "object_id",
+        "target",
+        "field_name",
+        "change_type",
+        "old_value",
+        "new_value",
+        "requested_by",
+        "approved_by",
+    )
+    actions = ("approve", "reject")
+    list_select_related = ("content_type", "requested_by", "approved_by")
+
+    def get_queryset(self, request: HttpRequest) -> QuerySet[ChangeRequestField]:
+        return super().get_queryset(request).prefetch_related("target")
+
+    def has_add_permission(self, request) -> bool:
+        return False
+
+    def has_delete_permission(self, request, obj=None) -> bool:
+        return False
+
+    @staticmethod
+    def _allowed_statuses(obj: ChangeRequestField, user: AbstractBaseUser) -> list[tuple[str, str]]:
+        """Status choices selectable in the form for the given user.
+
+        A terminal request is locked to its current status. For a `pending`
+        request: `rejected` is the reviewer's verb (hidden from the author,
+        whose withdrawal verb is `cancelled`); `approved` is also hidden from
+        the author while four-eyes is on; `cancelled` is hidden from reviewers.
+        `deleted` is system-only and never offered.
+        """
+        if obj.status != ApprovalStatusChoices.PENDING:
+            return [(obj.status, ApprovalStatusChoices(obj.status).label)]
+
+        excluded = {ApprovalStatusChoices.DELETED.value}
+        is_author = obj.requested_by_id == user.pk  # pyrefly: ignore [missing-attribute]
+        if is_author:
+            excluded.add(ApprovalStatusChoices.REJECTED.value)
+            if conf.REQUIRE_DIFFERENT_USER:
+                excluded.add(ApprovalStatusChoices.APPROVED.value)
+        else:
+            excluded.add(ApprovalStatusChoices.CANCELLED.value)
+
+        return [choice for choice in ApprovalStatusChoices.choices if choice[0] not in excluded]
+
+    def get_form(self, request, obj=None, change=False, **kwargs):  # noqa: FBT002
+        form_class = super().get_form(request, obj, change=change, **kwargs)
+        if obj is None:
+            return form_class
+
+        allowed = self._allowed_statuses(obj, request.user)
+
+        class RestrictedStatusForm(form_class):
+            def __init__(self, *args, **inner_kwargs):
+                super().__init__(*args, **inner_kwargs)
+                self.fields["status"].choices = allowed  # pyrefly: ignore [missing-attribute]
+
+        return RestrictedStatusForm
+
+    def save_model(self, request, obj, form, change) -> None:
+        if "status" not in form.changed_data:
+            super().save_model(request, obj, form, change)
+            return
+
+        obj.approved_by = request.user
+        if obj.status == ApprovalStatusChoices.APPROVED:
+            try:
+                apply_field(change_request=obj, reviewer=request.user)  # pyrefly: ignore [bad-argument-type]
+            except (ConflictError, SelfApprovalError) as exc:
+                self.message_user(request, str(exc), level=messages.ERROR)
+                return
+        super().save_model(request, obj, form, change)
+
+    @staticmethod
+    def _apply_one(change_request: ChangeRequestField, reviewer: AbstractBaseUser) -> str:
+        try:
+            apply_field(change_request=change_request, reviewer=reviewer)
+        except ConflictError:
+            return "conflict"
+        except SelfApprovalError:
+            return "blocked"
+
+        change_request.status = ApprovalStatusChoices.APPROVED
+        change_request.approved_by = reviewer  # pyrefly: ignore [bad-assignment]
+        change_request.save(update_fields=["status", "approved_by", "updated"])
+        return "applied"
+
+    @admin.action(description="Approve selected change requests")
+    def approve(self, request: HttpRequest, queryset: QuerySet[ChangeRequestField]) -> None:
+        outcomes = Counter(
+            self._apply_one(change_request, request.user)  # pyrefly: ignore [bad-argument-type]
+            for change_request in queryset.filter(status=ApprovalStatusChoices.PENDING)
+        )
+        msg = f"Approved & applied: {outcomes['applied']}"
+        if outcomes["conflict"]:
+            msg += f"; skipped (conflict): {outcomes['conflict']}"
+        if outcomes["blocked"]:
+            msg += f"; skipped (self-approval): {outcomes['blocked']}"
+        self.message_user(request, msg)
+
+    @admin.action(description="Reject selected change requests")
+    def reject(self, request: HttpRequest, queryset: QuerySet[ChangeRequestField]) -> None:
+        updated = queryset.filter(status=ApprovalStatusChoices.PENDING).update(
+            status=ApprovalStatusChoices.REJECTED,
+            approved_by=request.user,
+            updated=timezone.now(),
+        )
+        self.message_user(request, f"Rejected: {updated}")

django_approve_flow-0.1.0/django_approve/admin/filters.py

@@ -0,0 +1,18 @@
+from django.contrib import admin
+from django.contrib.contenttypes.models import ContentType
+
+from django_approve.models import ChangeRequestField
+
+
+class TargetModelFilter(admin.SimpleListFilter):
+    title = "target model"
+    parameter_name = "target_model"
+
+    # pyrefly: ignore [bad-override]
+    def lookups(self, request, model_admin):
+        ct_ids = ChangeRequestField.objects.values_list("content_type", flat=True).distinct()
+        return [(ct.pk, ct.name) for ct in ContentType.objects.filter(pk__in=ct_ids)]
+
+    def queryset(self, request, queryset):
+        value = self.value()
+        return queryset.filter(content_type_id=value) if value else queryset