feat(roles): allow ML Data Manager to run batch ML jobs

[mihow]

Summary

• Grants the run_ml_job permission to the ML Data Manager role, which also flows to Project Manager via role inheritance
• Previously only superusers could run batch ML jobs; this was an intentional restriction during initial rollout that is no longer needed
• Existing projects pick up the new permission on the next migrate (the post_migrate signal recreates role groups for all projects)

Test plan

• New TestMLDataManagerCanRunBatchMLJob tests verify role-based permission flow end-to-end:
  • MLDataManager can run ML jobs
  • ProjectManager can run ML jobs
  • BasicMember cannot run ML jobs
  • run permission reflected in job detail response for MLDataManager
• Existing TestFineGrainedJobRunPermission tests still pass
• Existing TestRunSingleImageJobPermission tests still pass
• All 30 ami.users.tests role/membership tests pass
• Pre-commit hooks pass

Summary by CodeRabbit

• Bug Fixes

  • Restored ML job execution capability for the data manager role so they can run ML jobs and see the corresponding permission in job details.

• Tests

  • Added API tests verifying that data managers and project managers can run batch ML jobs while basic members cannot, and that the run permission appears in job responses.

[netlify]

✅ Deploy Preview for antenna-ssec canceled.

Name	Link
🔨 Latest commit	f904af4
🔍 Latest deploy log	https://app.netlify.com/projects/antenna-ssec/deploys/69d5aff584610b0008e4d9ee

[netlify]

✅ Deploy Preview for antenna-preview canceled.

Name	Link
🔨 Latest commit	f904af4
🔍 Latest deploy log	https://app.netlify.com/projects/antenna-preview/deploys/69d5aff5a5aa370008215abf

[coderabbitai]

Warning

Rate limit exceeded

@mihow has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minutes and 56 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 1 minutes and 56 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a5576304-7a33-49b1-af2a-c64a316ff7e0

📥 Commits

Reviewing files that changed from the base of the PR and between ff24aff and f904af4.

📒 Files selected for processing (1)

• ami/main/tests.py

📝 Walkthrough

Walkthrough

MLDataManager.permissions now includes Project.Permissions.RUN_ML_JOB. A new API test verifies that MLDataManager can run ML batch jobs and that the permission appears in job details. No other roles or control flow were changed.

Changes

Cohort / File(s)	Summary
Role Permissions ami/users/roles.py	Added Project.Permissions.RUN_ML_JOB to MLDataManager.permissions.
API Tests ami/main/tests.py	Added TestMLDataManagerCanRunBatchMLJob which creates roles/users, asserts POST /api/v2/jobs/{pk}/run/ returns 200 for MLDataManager and ProjectManager and 403 for BasicMember, and checks "run" appears in job user_permissions for MLDataManager.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A soft thump in code, a tiny celebratory hop,
MLDataManager's cleared to let models hop, skip, and top.
One permission added, tests gave a cheer,
Jobs may now run — carrots and code near! 🥕✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: granting the ML Data Manager role permission to run batch ML jobs, which is the primary objective of the changeset.
Description check	✅ Passed	The PR description provides a clear summary, test plan with results, and deployment notes about role inheritance via migrate signal, but lacks a detailed 'How to Test' section and a formal Related Issues reference.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/ml-data-manager-run-ml-job

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Updates project role permissions so that non-superusers (specifically ML Data Manager, and by inheritance Project Manager) can run batch ML jobs via the existing fine-grained run_ml_job permission.

Changes:

• Grant Project.Permissions.RUN_ML_JOB to the MLDataManager role permissions set.
• Remove the now-outdated inline comment indicating ML job running was temporarily revoked.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

🧹 Nitpick comments (1)

ami/main/tests.py (1)

2030-2048: Optional: reduce duplication with a parameterized role matrix.

The three run-authorization tests are structurally identical and can be merged into one table-driven test (subTest) for easier maintenance.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ami/main/tests.py` around lines 2030 - 2048, Replace the three near-duplicate
tests (test_ml_data_manager_can_run_ml_job, test_project_manager_can_run_ml_job,
test_basic_member_cannot_run_ml_job) with a single parameterized test that
iterates over a role→expected_status matrix; inside the loop use
self.client.force_authenticate(role_user), call job = self._create_ml_job() and
POST to f"/api/v2/jobs/{job.pk}/run/" and assert the response.status_code equals
the expected status, using subTest or pytest.mark.parametrize to keep separate
failures distinct.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@ami/main/tests.py`:
- Around line 2030-2048: Replace the three near-duplicate tests
(test_ml_data_manager_can_run_ml_job, test_project_manager_can_run_ml_job,
test_basic_member_cannot_run_ml_job) with a single parameterized test that
iterates over a role→expected_status matrix; inside the loop use
self.client.force_authenticate(role_user), call job = self._create_ml_job() and
POST to f"/api/v2/jobs/{job.pk}/run/" and assert the response.status_code equals
the expected status, using subTest or pytest.mark.parametrize to keep separate
failures distinct.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6370f7da-faf6-4c76-b645-342f70334708

📥 Commits

Reviewing files that changed from the base of the PR and between 94c9cf3 and ff24aff.

📒 Files selected for processing (1)

• ami/main/tests.py

[mihow]

Claude says: CodeRabbit's nitpick about consolidating the three duplicate test methods into a parameterized subTest has been addressed in commit f904af4.