fix: allow project admins to create and manage project-scoped custom fields #7518
10done wants to merge 3 commits into
|
@10done is attempting to deploy a commit to the Flagsmith Team on Vercel. A member of the Team first needs to authorize it. |
|
@khvn26 Can you please review whenever you get time. Thank you. |
|
/gemini review |
Code Review
This pull request updates the metadata permissions in api/metadata/permissions.py to allow project administrators to create, update, and delete project-scoped metadata fields. It also adds comprehensive unit tests in api/tests/unit/metadata/test_views.py to verify these permission rules under various scenarios. I have no feedback to provide as there are no review comments to evaluate.
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## main #7518 +/- ##
==========================================
- Coverage 98.46% 98.40% -0.07%
==========================================
Files 1398 1398
Lines 52900 52811 -89
==========================================
- Hits 52090 51968 -122
- Misses 810 843 +33
☔ View full report in Codecov by Sentry.
|
matthewelwell left a comment
Thanks very much for the contribution @10done. On the whole, this looks great. I've added a few comments that need addressing, but only minor things really.
|
@matthewelwell Thank you for the review on the PR. I have made the changes as suggested and also removed the local imports on other tests too. |
Thanks for submitting a PR! Please check the boxes below:
docs/if required so people know about the feature.

## Changes
Closes #7424
## Issue Description

When a user with Project Administrator role (non-org-admin) created a project-scoped custom field via Project Settings → Custom Fields, the save flow partially failed:

- `POST /api/v1/metadata/fields/` → 201 (MetadataField created)
- `POST /api/v1/organisations/{id}/metadata-model-fields/` → 403 (binding fails, field left orphaned)

Root cause: `MetadataModelFieldPermissions` only checked `is_organisation_admin` for `create`, `update`, and `destroy` actions. `MetadataFieldPermissions` already had the correct project-admin path, but its sibling class did not.

Fix: Extended `MetadataModelFieldPermissions` in `api/metadata/permissions.py` to allow project admins to create, update, and delete `MetadataModelField` bindings for project-scoped fields. Org-scoped fields remain restricted to org admins only.

## How did you test this code?

Reproduced the bug via direct API calls as a project-admin user (org role = `USER`, project `admin = true`):

Before fix: `POST /api/v1/organisations/1/metadata-model-fields/` → `403` `{"detail": "You do not have permission to perform this action."}`

After fix: `POST /api/v1/organisations/1/metadata-model-fields/` → `201` `{"id": 2, "field": 2, "content_type": 55, "is_required_for": []}`

**Regression tests added**
Since I cannot access the Enterprise plan I tried to fix it via the API calls. I hope it fixes the issue.
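
The root cause described above is a mismatch between two sibling permission checks guarding a two-step write. The following added example (not code from this PR or from Flagsmith) models both rules without Django and enumerates every role/scope pair where step 1 is allowed but step 2 is denied. All class and function names are hypothetical, and "project admin of the field's own project" is an assumed reading of "project-scoped".

```python
# Added illustration: a framework-free model of the two permission checks.
# Every name here is hypothetical; this is not Flagsmith's implementation.
from dataclasses import dataclass
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class User:
    is_org_admin: bool
    admin_of_projects: frozenset = frozenset()


@dataclass(frozen=True)
class Field:
    project_id: Optional[int]  # None means organisation-scoped


def can_write_field(user: User, field: Field) -> bool:
    """Step 1 rule: org admins, or project admins for a field in their project."""
    if user.is_org_admin:
        return True
    return field.project_id is not None and field.project_id in user.admin_of_projects


def can_write_binding_before(user: User, field: Field) -> bool:
    """Step 2 rule before the fix: organisation admins only."""
    return user.is_org_admin


def can_write_binding_after(user: User, field: Field) -> bool:
    """Step 2 rule after the fix (assumed to mirror the step 1 decision)."""
    return can_write_field(user, field)


def orphan_cases(binding_rule):
    """Pairs where the field write passes but the binding write is denied."""
    # Constructed sample space: org admin or not, admin of project 1 or of none.
    users = [User(a, frozenset(p)) for a, p in product([True, False], [(), (1,)])]
    fields = [Field(None), Field(1), Field(2)]
    return [
        (u, f)
        for u, f in product(users, fields)
        if can_write_field(u, f) and not binding_rule(u, f)
    ]
```

An empty result from `orphan_cases` for the post-fix rule is the property a parity regression test over the two permission classes would assert.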