Fix ANY project sneaking in segment creation

Author: emyller

api/segments/serializers.py

@@ -1,3 +1,4 @@
+from functools import cached_property
 from typing import Any
 
 import structlog
@@ -79,6 +80,7 @@ class Meta:
 
 
 class SegmentSerializer(MetadataSerializerMixin, WritableNestedModelSerializer):
+    instance: Segment | None
     rules = SegmentRuleSerializer(many=True, required=True, allow_empty=False)
     metadata = MetadataSerializer(required=False, many=True)
 
@@ -112,17 +114,30 @@ class Meta:
             "rules",
             "metadata",
         ]
+        read_only_fields = ["project"]
+
+    @cached_property
+    def project(self) -> Project:
+        """Resolve the project from the view's URL kwargs"""
+        if self.instance:
+            return self.instance.project
+        try:
+            pk = int(self.context["view"].kwargs["project_pk"])
+        except KeyError as error:
+            raise RuntimeError(
+                "The serializer context is missing a view with project_pk in its URL."
+            ) from error
+        return Project.objects.get(pk=pk)  # type: ignore[no-any-return]
 
     def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
         attrs = super().validate(attrs)
-        project = self.instance.project if self.instance else attrs["project"]  # type: ignore[union-attr]
-        organisation = project.organisation
+        organisation = self.project.organisation
 
         self._validate_required_metadata(
-            organisation, attrs.get("metadata", []), project=project
+            organisation, attrs.get("metadata", []), project=self.project
         )
         self._validate_segment_rules_conditions_limit(attrs["rules"])
-        self._validate_project_segment_limit(project)
+        self._validate_project_segment_limit(self.project)
         return attrs
 
     def create(self, validated_data: dict[str, Any]):  # type: ignore[no-untyped-def]

api/segments/views.py

@@ -135,6 +135,9 @@ def get_queryset(self):  # type: ignore[no-untyped-def]
 
         return queryset
 
+    def perform_create(self, serializer: SegmentSerializer) -> None:  # type: ignore[override]
+        serializer.save(project_id=self.kwargs["project_pk"])  # type: ignore[no-untyped-call]
+
     @extend_schema(parameters=[AssociatedFeaturesQuerySerializer])
     @action(
         detail=True,

api/tests/unit/segments/test_unit_segments_views.py

@@ -1884,3 +1884,26 @@ def test_create_segment__required_metadata_on_other_project__returns_201(
 
     # Then
     assert response.status_code == status.HTTP_201_CREATED
+
+
+def test_create_segment__body_project_differs_from_url__does_not_create_in_other_project(
+    admin_client: APIClient,
+    project: Project,
+) -> None:
+    # Given
+    other_org = Organisation.objects.create(name="Other Org")
+    other_project = Project.objects.create(name="Other Project", organisation=other_org)
+
+    # When
+    admin_client.post(
+        f"/api/v1/projects/{project.id}/segments/",
+        data={
+            "name": "a_wild_pokemon",
+            "project": other_project.id,
+            "rules": [{"type": "ALL", "rules": [], "conditions": []}],
+        },
+        format="json",
+    )
+
+    # Then
+    assert not Segment.objects.filter(project=other_project).exists()