Skip to content

fix(environments): validate project field in environment creation#7063

Open
nielskaspers wants to merge 3 commits intoFlagsmith:mainfrom
nielskaspers:fix/issue-6599-validate-project-env
Open

fix(environments): validate project field in environment creation#7063
nielskaspers wants to merge 3 commits intoFlagsmith:mainfrom
nielskaspers:fix/issue-6599-validate-project-env

Conversation

@nielskaspers
Copy link
Copy Markdown
Contributor

@nielskaspers nielskaspers commented Mar 30, 2026

Summary

  • Validates the project field is a valid integer before querying the database in EnvironmentPermissions.has_permission
  • Previously, passing a non-integer string (e.g. <Project ID>) caused an unhandled ValueError at Project.objects.get(), resulting in a 500 response
  • Now returns 403 for invalid project values, consistent with how missing or non-existent projects are already handled

Issue

Fixes #6599

Changes

  • api/environments/permissions/permissions.py: Added int() validation with (TypeError, ValueError) handling before the ORM query, following the same pattern used in FeatureSegmentPermissions
  • Removed unused Q import
  • Added two unit tests covering non-integer and missing project values

@nielskaspers
fix(environments): validate project field in POST /api/v1/environment…
7a6d047 
…s/ (Flagsmith#6599)

Validate that the `project` field is a valid integer before querying
the database. Previously, passing a non-integer string (e.g. '<Project ID>')
caused an unhandled ValueError resulting in a 500 response. Now returns
403 (permission denied) for invalid values, consistent with how missing
or non-existent projects are handled.

Follows the same validation pattern used in FeatureSegmentPermissions.
@nielskaspers nielskaspers requested a review from a team as a code owner March 30, 2026 06:06
@nielskaspers nielskaspers requested review from Zaimwa9 and removed request for a team March 30, 2026 06:06
claude[bot]
claude bot reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

@claude claude bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

@vercel
Copy link
Copy Markdown

vercel bot commented Mar 30, 2026

@nielskaspers is attempting to deploy a commit to the Flagsmith Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions bot added the api Issue related to the REST API label Mar 30, 2026
@codecov
Copy link
Copy Markdown

codecov bot commented Mar 30, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.27%. Comparing base (9c09ac1) to head (bdd74d8).
⚠️ Report is 45 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #7063      +/-   ##
==========================================
- Coverage   98.33%   98.27%   -0.07%     
==========================================
  Files        1337     1336       -1     
  Lines       50010    50072      +62     
==========================================
+ Hits        49178    49207      +29     
- Misses        832      865      +33

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@nielskaspers nielskaspers mentioned this pull request Mar 30, 2026
Open
Zaimwa9
Zaimwa9 requested changes Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Zaimwa9 Zaimwa9 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution! Small NIT comments on the tests that could be addressed while we are working on this

@nielskaspers
refactor(tests): address review feedback on environment permission tests
6300dfc 
- Parametrize invalid project tests to avoid shared module-level mocks
- Use fresh mock instances per test to prevent shared state
- Add test for string-encoded integer project ID ("42") that should pass
@Zaimwa9
Copy link
Copy Markdown
Contributor

Zaimwa9 commented Apr 6, 2026

Hi @nielskaspers , sorry for the delay in getting back to you. From what I see we are just missing a typing error. You can check with make typecheck
Error: /home/runner/work/flagsmith/flagsmith/api/tests/unit/environments/permissions/test_unit_environments_permissions.py:161: error: Missing type parameters for generic type "dict" [type-arg]

And i'll happily approve after

@nielskaspers @claude
fix: add type parameters to dict annotation
bdd74d8 
Resolves mypy type-arg error for generic dict type.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nielskaspers
Copy link
Copy Markdown
Contributor Author

nielskaspers commented Apr 7, 2026

Fixed! Added type parameters to the dict annotation (dict[str, str]). Should pass make typecheck now. Thanks for the review @Zaimwa9!

@vercel
Copy link
Copy Markdown

vercel bot commented Apr 7, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments
Project Deployment Actions Updated (UTC)
docs Ignored Ignored Preview Apr 7, 2026 1:15pm
flagsmith-frontend-preview Ignored Ignored Preview Apr 7, 2026 1:15pm
flagsmith-frontend-staging Ignored Ignored Preview Apr 7, 2026 1:15pm

Request Review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

@Zaimwa9 Zaimwa9 Zaimwa9 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

api Issue related to the REST API

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

project not validated in POST /api/v1/environments/

2 participants

@nielskaspers @Zaimwa9