Can we have some kind of empty state here that says there are no configured applications?

Docstring?

Docstring?

Needs to include the local_site_name parameter.

Needs Returns:

Docstring?

Docstring?

Module docstring?

Docstring?

We should use </div> instead of the XHTML syntax.

This URL isn't on a Local Site, and we're not providing Local Site information, so reverse is fine.

We should provide the request as an argument, so feature checkers can factor it in.

It's not immediately clear what this is for. Can you elaborate?

This can be condensed:

url(r'^preferences/oauth2-application/((?P<app_id>[0-9]+)/)?$',
    accounts_views.edit_oauth_app,
    name='edit-oauth-app'),

Alphabetical order.

Two blank lines.

Swap these. We want to test for login first.

You should use get_object_or_404 instead.

This and the other Local Site-related code below will never work. This URL isn't under a /s/<localsite>/ URL, so there's never going to be a Local Site listed.
I think what's going to have to happen is you'll have to fetch without the Local Site, then check if there is a Local Site and that the user has access to it (covering the case where a user has created one but since left the company -- we don't want them sabotaging something).
Then we'll have to include the local_site in the form data, but validate that the user has access to it.

This doesn't seem to match what's in the form.
Let's import the form and make sure we're always using the value it defines.

No blank line here.

No trailing comma after form. Or if this is meant to be a tuple, it should be wrapped in parens.

This is probably best moved to djblets.forms somewhere.
We have a get_fieldsets template tag as well, but it's a bit different in what it returns.

We don't always necessarily want this. This should be up to callers.

I don't think we want to assume that all collapsed content should be excluded. Seems like that should be a flag, like ignore_collapsed.
Also, tuple() can just be ().

Swap these.

"or"

How about:

instance = super(UserApplicationForm, self).save(commit=False)

if not self.instance.pk:
    instance.user = self.user

if commit:
    instance.save()

No parens.

This is being overrided below.

Why do we need to override this? Input classes should generally be left alone.

Similarly here (and for other common styles), we ideally shouldn't have versions specific to the OAuth2 page. We should have consistent definitions that apply to all relevant pages.

render() chains, so you can include this in the chain. We usually do it as one entry as render().$el.

This is really going to be tough to maintain. Can we split across lines? We can use {% spaceless %}.

So ideally we'd use the djblets_forms/admin/form_fieldsets.html template here. There are two things that prevent this, though:

It uses the get_fieldsets filter, which doesn't exclude or remove collapsed entries.
It doesn't use fieldset.name, since get_fieldsets returns a tuple of (name, fieldset).

I think the best route to go (since I really don't want to duplicate fieldset rendering logic) is to split the fieldset rendering of form_fieldsets.html into a form_fieldset.html. Then you could easily use it with:

{% for fieldset in fieldsets %}
{%  include "djblets_forms/admin/form_fieldset.html" with fieldset_title=fieldset.name %} 
{% endfor %}


(Also, can we change fieldset.name to fieldset.title? It's more correct.)

Save and Cancel need to be localized.

This doesn't match the anchor used in the form. We should provide that to the template.

No blank line needed.

Mind making this alphabetical?

e before o

Doc comment?

Doc comment?

Trailing whitespace.

Trailing whitespace.

Doc comment?

Doc comment?

Doc comment?

Doc comment?

Trailing comma.

No blank lines here.

Doc comment?

I don't see this file in your change.

Ship It!