Skip to content

fix: allow project admins to create and manage project-scoped custom fields #7518

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
10done wants to merge 3 commits into
base: main
Choose a base branch
from
+178 −8
Open

fix: allow project admins to create and manage project-scoped custom fields #7518

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
37c9b75
Projects admins can manage project scoped metadata fields
10done May 14, 2026
47c0aa9
Fixed linting errors
10done May 14, 2026
aa0493f
Applied suggestions
10done May 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 8 additions & 3 deletions api/metadata/permissions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,9 +74,10 @@ def has_permission(self, request, view): # type: ignore[no-untyped-def]
if view.action == "create":
field = MetadataField.objects.get(id=request.data.get("field"))

return (
return (organisation_pk == field.organisation.id) and (
request.user.is_organisation_admin(organisation_pk)
and organisation_pk == field.organisation.id
or (project_id := field.project)
and request.user.is_project_admin(project_id)
)

return False
Expand All @@ -86,6 +87,10 @@ def has_object_permission(self, request, view, obj): # type: ignore[no-untyped-
return request.user.belongs_to(obj.field.organisation.id)

if view.action in ("update", "destroy", "partial_update"):
return request.user.is_organisation_admin(obj.field.organisation)
return (
request.user.is_organisation_admin(obj.field.organisation)
or (project_id := obj.field.project)
and request.user.is_project_admin(project_id)
)

return False
175 changes: 170 additions & 5 deletions api/tests/unit/metadata/test_views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
)
from metadata.views import SUPPORTED_REQUIREMENTS_MAPPING # type: ignore[attr-defined]
from organisations.models import Organisation
from projects.models import Project
from projects.models import Project, UserProjectPermission
from users.models import FFAdminUser


Expand Down Expand Up @@ -511,8 +511,6 @@ def test_create_metadata_field__project_admin__returns_201(
project: Project,
) -> None:
# Given
from projects.models import UserProjectPermission

UserProjectPermission.objects.create(user=staff_user, project=project, admin=True)

url = reverse("api-v1:metadata:metadata-fields-list")
Expand Down Expand Up @@ -942,8 +940,6 @@ def test_modify_metadata_field__project_admin__permission_check(
request: pytest.FixtureRequest,
) -> None:
# Given
from projects.models import UserProjectPermission

UserProjectPermission.objects.create(user=staff_user, project=project, admin=True)
field_project = (
request.getfixturevalue(field_project_attr) if field_project_attr else None
Expand All @@ -969,3 +965,172 @@ def test_modify_metadata_field__project_admin__permission_check(

# Then
assert response.status_code == expected_status


def test_create_model_metadata_field__project_admin__returns_201(
staff_user: FFAdminUser,
staff_client: APIClient,
organisation: Organisation,
project: Project,
feature_content_type: ContentType,
) -> None:
# Given - a project-scoped MetadataField and a user who is project admin (not org admin)
UserProjectPermission.objects.create(user=staff_user, project=project, admin=True)
project_field = MetadataField.objects.create(
name="proj_field",
type="int",
organisation=organisation,
project=project,
)
url = reverse(
"api-v1:organisations:metadata-model-fields-list", args=[organisation.id]
)
data = {
"field": project_field.id,
"content_type": feature_content_type.id,
"is_required_for": [],
}

# When
response = staff_client.post(
url, data=json.dumps(data), content_type="application/json"
)

# Then - project admin should be allowed to bind a project-scoped field
assert response.status_code == status.HTTP_201_CREATED
assert response.json()["field"] == project_field.id


def test_create_model_metadata_field__project_admin_org_scoped_field__returns_403(
staff_user: FFAdminUser,
staff_client: APIClient,
organisation: Organisation,
project: Project,
feature_content_type: ContentType,
) -> None:
# Given - an org-scoped MetadataField (project=None) and a user who is project admin only
UserProjectPermission.objects.create(user=staff_user, project=project, admin=True)
org_field = MetadataField.objects.create(
name="org_field",
type="int",
organisation=organisation,
)
url = reverse(
"api-v1:organisations:metadata-model-fields-list", args=[organisation.id]
)
data = {
"field": org_field.id,
"content_type": feature_content_type.id,
"is_required_for": [],
}

# When
response = staff_client.post(
url, data=json.dumps(data), content_type="application/json"
)

# Then - project admin must not be able to bind org-scoped fields
assert response.status_code == status.HTTP_403_FORBIDDEN


@pytest.mark.parametrize(
"field_project_attr, expected_status",
[
("project", status.HTTP_200_OK),
(None, status.HTTP_403_FORBIDDEN),
("project_b", status.HTTP_403_FORBIDDEN),
],
ids=[
"own_project_field_allowed",
"org_scoped_field_denied",
"other_project_field_denied",
],
)
def test_update_model_metadata_field__project_admin__returns_expected_status(
staff_user: FFAdminUser,
staff_client: APIClient,
organisation: Organisation,
project: Project,
project_b: Project,
feature_content_type: ContentType,
field_project_attr: str | None,
expected_status: int,
request: pytest.FixtureRequest,
) -> None:
# Given - a project admin for `project`, and a MetadataModelField whose parent
# MetadataField belongs to one of: `project`, `project_b`, or the org (None)
UserProjectPermission.objects.create(user=staff_user, project=project, admin=True)
field_project = (
request.getfixturevalue(field_project_attr) if field_project_attr else None
)
field = MetadataField.objects.create(
name="model_field", type="int", organisation=organisation, project=field_project
)
model_field = MetadataModelField.objects.create(
field=field, content_type=feature_content_type
)
url = reverse(
"api-v1:organisations:metadata-model-fields-detail",
args=[organisation.id, model_field.id],
)
data = {
"field": field.id,
"content_type": feature_content_type.id,
"is_required_for": [],
}

# When
response = staff_client.put(
url, data=json.dumps(data), content_type="application/json"
)

# Then
assert response.status_code == expected_status


@pytest.mark.parametrize(
"field_project_attr, expected_status",
[
("project", status.HTTP_204_NO_CONTENT),
(None, status.HTTP_403_FORBIDDEN),
("project_b", status.HTTP_403_FORBIDDEN),
],
ids=[
"own_project_field_allowed",
"org_scoped_field_denied",
"other_project_field_denied",
],
)
def test_delete_model_metadata_field__project_admin__returns_expected_status(
staff_user: FFAdminUser,
staff_client: APIClient,
organisation: Organisation,
project: Project,
project_b: Project,
feature_content_type: ContentType,
field_project_attr: str | None,
expected_status: int,
request: pytest.FixtureRequest,
) -> None:
# Given - a project admin for `project`, and a MetadataModelField whose parent
# MetadataField belongs to one of: `project`, `project_b`, or the org (None)
UserProjectPermission.objects.create(user=staff_user, project=project, admin=True)
field_project = (
request.getfixturevalue(field_project_attr) if field_project_attr else None
)
field = MetadataField.objects.create(
name="model_field", type="int", organisation=organisation, project=field_project
)
model_field = MetadataModelField.objects.create(
field=field, content_type=feature_content_type
)
url = reverse(
"api-v1:organisations:metadata-model-fields-detail",
args=[organisation.id, model_field.id],
)

# When
response = staff_client.delete(url)

# Then
assert response.status_code == expected_status
Loading