diff --git a/api/environments/permissions/permissions.py b/api/environments/permissions/permissions.py
index 374adfbc5113..a6e9c4b19438 100644
--- a/api/environments/permissions/permissions.py
+++ b/api/environments/permissions/permissions.py
@@ -6,7 +6,7 @@ from common.projects.permissions import (
     CREATE_ENVIRONMENT,
 )
-from django.db.models import Model, Q
+from django.db.models import Model
 from rest_framework import exceptions
 from rest_framework.permissions import BasePermission, IsAuthenticated
@@ -36,9 +36,12 @@ def has_permission(self, request, view): # type: ignore[no-untyped-def]
         if view.action == "create":
             try:
-                project_id = request.data.get("project")
-                project_lookup = Q(id=project_id)
-                project = Project.objects.get(project_lookup)
+                project_id = int(request.data.get("project"))
+            except (TypeError, ValueError):
+                return False
+
+            try:
+                project = Project.objects.get(id=project_id)
                 return request.user.has_project_permission(CREATE_ENVIRONMENT, project)
             except Project.DoesNotExist:
                 return False
diff --git a/api/tests/unit/environments/permissions/test_unit_environments_permissions.py b/api/tests/unit/environments/permissions/test_unit_environments_permissions.py
index efde99f62b43..ea9403a984a9 100644
--- a/api/tests/unit/environments/permissions/test_unit_environments_permissions.py
+++ b/api/tests/unit/environments/permissions/test_unit_environments_permissions.py
@@ -1,5 +1,6 @@
 from unittest import mock
+import pytest
 from common.projects.permissions import (
     CREATE_ENVIRONMENT,
 )
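Review bot: `int(request.data.get("project"))` can raise more than the new `except (TypeError, ValueError)` covers: a JSON body carrying an out-of-range number such as `1e400` is decoded as a float `inf`, and `int(inf)` raises OverflowError, which would escape `has_permission` as a server error instead of a denied permission. `int()` also silently coerces `True` and `1.9` to id `1`, so a non-integer value is treated as a valid lookup rather than rejected. Widening the guard to `except (TypeError, ValueError, OverflowError):` closes the crash; rejecting anything that is not an `int` or a digit string before coercing would address both points. The enclosing `has_permission` method begins before this hunk.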
@@ -148,6 +149,59 @@ def test_environment_permissions__user_without_create_permission__returns_false(
     assert result is False
+
+@pytest.mark.parametrize(
+    "request_data, expected",
+    [
+        ({"project": "", "name": "Test environment"}, False),
+        ({"name": "Test environment"}, False),
+    ],
+)
+def test_environment_permissions__create_with_invalid_project__returns_false(
+    staff_user: FFAdminUser,
+    request_data: dict,
+    expected: bool,
+) -> None:
+    # Given
+    view = mock.MagicMock()
+    request = mock.MagicMock()
+    view.action = "create"
+    view.detail = False
+    request.user = staff_user
+    request.data = request_data
+
+    # When
+    result = environment_permissions.has_permission(request, view) # type: ignore[no-untyped-call]
+
+    # Then
+    assert result is expected
+
+
+def test_environment_permissions__create_with_string_integer_project__returns_true(
+    staff_user: FFAdminUser,
+    project: Project,
+) -> None:
+    # Given
+    create_environment_permission = ProjectPermissionModel.objects.get(
+        key=CREATE_ENVIRONMENT
+    )
+    user_project_permission = UserProjectPermission.objects.create(
+        user=staff_user, project=project
+    )
+    user_project_permission.permissions.set([create_environment_permission])
+    view = mock.MagicMock()
+    request = mock.MagicMock()
+    view.action = "create"
+    view.detail = False
+    request.user = staff_user
+    request.data = {"project": str(project.id), "name": "Test environment"}
+
+    # When
+    result = environment_permissions.has_permission(request, view) # type: ignore[no-untyped-call]
+
+    # Then
+    assert result is True
+
+
 def test_environment_permissions__list_action__returns_true(
     staff_user: FFAdminUser,
 ) -> None:
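Review bot: The `expected` parameter in the parametrize of `test_environment_permissions__create_with_invalid_project__returns_false` is `False` for every case, so it adds a name and a parameter without distinguishing anything; parametrize only `request_data` and assert `result is False` directly, or attach `ids=["empty-string", "missing-key"]` so a failure names the branch it exercised. A non-numeric string such as `{"project": "abc", "name": "Test environment"}` is also worth adding as a case, since that is the input shape a misbehaving client is most likely to send and the current cases only cover the empty string and the absent key.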