Skip to content

fix(environments): validate project field in environment creation#7063

Open
nielskaspers wants to merge 2 commits intoFlagsmith:mainfrom
nielskaspers:fix/issue-6599-validate-project-env
Open

fix(environments): validate project field in environment creation#7063
nielskaspers wants to merge 2 commits intoFlagsmith:mainfrom
nielskaspers:fix/issue-6599-validate-project-env

Conversation

@nielskaspers
Copy link
Copy Markdown
Contributor

@nielskaspers nielskaspers commented Mar 30, 2026

Summary

  • Validates the project field is a valid integer before querying the database in EnvironmentPermissions.has_permission
  • Previously, passing a non-integer string (e.g. <Project ID>) caused an unhandled ValueError at Project.objects.get(), resulting in a 500 response
  • Now returns 403 for invalid project values, consistent with how missing or non-existent projects are already handled

Issue

Fixes #6599

Changes

  • api/environments/permissions/permissions.py: Added int() validation with (TypeError, ValueError) handling before the ORM query, following the same pattern used in FeatureSegmentPermissions
  • Removed unused Q import
  • Added two unit tests covering non-integer and missing project values

@nielskaspers
fix(environments): validate project field in POST /api/v1/environment…
7a6d047 
…s/ (Flagsmith#6599)

Validate that the `project` field is a valid integer before querying
the database. Previously, passing a non-integer string (e.g. '<Project ID>')
caused an unhandled ValueError resulting in a 500 response. Now returns
403 (permission denied) for invalid values, consistent with how missing
or non-existent projects are handled.

Follows the same validation pattern used in FeatureSegmentPermissions.
@nielskaspers nielskaspers requested a review from a team as a code owner March 30, 2026 06:06
@nielskaspers nielskaspers requested review from Zaimwa9 and removed request for a team March 30, 2026 06:06
claude[bot]
claude bot reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

@claude claude bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

@vercel
Copy link
Copy Markdown

vercel bot commented Mar 30, 2026

@nielskaspers is attempting to deploy a commit to the Flagsmith Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions bot added the api Issue related to the REST API label Mar 30, 2026
@codecov
Copy link
Copy Markdown

codecov bot commented Mar 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.26%. Comparing base (9c09ac1) to head (7a6d047).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #7063      +/-   ##
==========================================
- Coverage   98.33%   98.26%   -0.08%     
==========================================
  Files        1337     1337              
  Lines       50010    49899     -111     
==========================================
- Hits        49178    49032     -146     
- Misses        832      867      +35

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@nielskaspers nielskaspers mentioned this pull request Mar 30, 2026
Open
Zaimwa9
Zaimwa9 requested changes Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Zaimwa9 Zaimwa9 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution! Small NIT comments on the tests that could be addressed while we are working on this

api/tests/unit/environments/permissions/test_unit_environments_permissions.py Outdated
staff_user: FFAdminUser,
) -> None:
# Given
mock_view.action = "create"
Copy link
Copy Markdown
Contributor

@Zaimwa9 Zaimwa9 Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT for the 2 tests:
Can we instantiate a new mock for each test to avoid shared state?

      view = mock.MagicMock()
      request = mock.MagicMock()
      view.action = "create"
      etc...

api/tests/unit/environments/permissions/test_unit_environments_permissions.py Outdated
assert result is False


def test_environment_permissions__create_with_none_project__returns_false(
Copy link
Copy Markdown
Contributor

@Zaimwa9 Zaimwa9 Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we could parametrize those 2 tests actually?

While we are at it, I could see a separate test case for string-encoded integer ("42") that should pass

@nielskaspers
refactor(tests): address review feedback on environment permission tests
6300dfc 
- Parametrize invalid project tests to avoid shared module-level mocks
- Use fresh mock instances per test to prevent shared state
- Add test for string-encoded integer project ID ("42") that should pass
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

@Zaimwa9 Zaimwa9 Zaimwa9 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

api Issue related to the REST API

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

project not validated in POST /api/v1/environments/

2 participants

@nielskaspers @Zaimwa9