
[WEB-4544] chore: added field validations in serializer#7460

Merged
sriramveeraghanta merged 2 commits into preview from issue-validations
Jul 25, 2025

Conversation

NarayanBavisetti (Collaborator) commented Jul 23, 2025

Description

This pull request fixes the issue with the validation of the field in the Work Item model.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)

Summary by CodeRabbit

  • New Features

    • Improved validation for issue creation and draft issue creation, including checks to ensure assignees, labels, state, parent issues, and estimate points are valid and belong to the current project.
    • Added automatic HTML validation and sanitization for issue descriptions to prevent invalid HTML input.
  • Bug Fixes

    • Enhanced error handling to provide clearer validation messages when invalid or out-of-project references are detected during issue creation.
  • Style

    • Updated internal handling of assignee and label references for greater consistency and reliability.

coderabbitai bot (Contributor) commented Jul 23, 2025

Walkthrough

The changes introduce enhanced validation logic for issue and draft serializers, ensuring that related entities (such as assignees, labels, state, parent, and estimate point) belong to the correct project context. HTML content in descriptions is now parsed and sanitized. Related object creation is updated to use validated ID fields.

Changes

File(s) Change Summary
apps/api/plane/api/serializers/issue.py Adds validation for estimate_point existence within project/workspace; adjusts parent issue validation.
apps/api/plane/app/serializers/draft.py Overhauls validate method: parses/sanitizes HTML, validates assignees/labels/state/parent/estimate point; updates related object creation to use IDs.
apps/api/plane/app/serializers/issue.py Adds HTML validation; ensures assignees, labels, state, parent, and estimate point belong to project; updates label assignment logic to use IDs.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Serializer
    participant DB

    Client->>Serializer: Submit issue/draft data (with HTML, assignees, labels, etc.)
    Serializer->>DB: Validate estimate_point, parent, state, assignees, labels (by ID and project)
    DB-->>Serializer: Return validation results
    Serializer->>Serializer: Parse and sanitize description_html
    alt Validation fails
        Serializer-->>Client: Raise ValidationError
    else Validation succeeds
        Serializer->>DB: Create or update issue/draft with validated IDs
        DB-->>Serializer: Confirm creation/update
        Serializer-->>Client: Return success
    end

Estimated code review effort

3 (~45 minutes)

Suggested labels

ready to merge

Suggested reviewers

  • pablohashescobar
  • dheeru0198

Poem

A rabbit hops through fields of code,
Validating every winding road.
HTML is now pristine,
IDs checked, the logic clean.
Issues and drafts, all in line—
This patch will make your project shine!
🐇✨


📜 Recent review details


📥 Commits

Reviewing files that changed from the base of the PR and between 75ea97f and 01354d8.

📒 Files selected for processing (1)
  • apps/api/plane/app/serializers/draft.py (6 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: vamsikrishnamathala
PR: makeplane/plane#7214
File: web/core/store/issue/helpers/base-issues.store.ts:117-117
Timestamp: 2025-06-16T07:23:39.497Z
Learning: In the updateIssueDates method of BaseIssuesStore (web/core/store/issue/helpers/base-issues.store.ts), the projectId parameter is intentionally made optional to support override implementations in subclasses. The base implementation requires projectId and includes an early return check, but making it optional allows derived classes to override the method with different parameter requirements.
apps/api/plane/app/serializers/draft.py (3)

Learnt from: prateekshourya29
PR: #7094
File: web/core/store/user/base-permissions.store.ts:196-201
Timestamp: 2025-05-28T09:53:44.635Z
Learning: All role enums in this codebase (EUserPermissions, EUserWorkspaceRoles, EUserProjectRoles) use the same consistent numeric values: ADMIN = 20, MEMBER = 15, GUEST = 5. None of these enums have a value of 0, so truthy checks work correctly with these enum values.

Learnt from: prateekshourya29
PR: #7094
File: web/core/store/user/base-permissions.store.ts:196-201
Timestamp: 2025-05-28T09:53:44.635Z
Learning: The EUserPermissions enum in this codebase uses numeric values: ADMIN = 20, MEMBER = 15, GUEST = 5. All roles in this enum are always numbers, not string values.

🔇 Additional comments (7)
apps/api/plane/app/serializers/draft.py (7)

1-1: LGTM! HTML parsing import added correctly.

The import of lxml.html is appropriate for the HTML parsing and sanitization functionality added in the validate method.


21-24: LGTM! Required imports added for enhanced validations.

The new imports (ProjectMember, EstimatePoint, and ROLE) are correctly added to support the project-scoped validation logic.


82-89: LGTM! Proper project member validation with role checking.

The validation correctly filters assignees to ensure they are active project members with at least MEMBER role. The use of ROLE.MEMBER.value is appropriate and follows the established enum pattern.


91-98: LGTM! Proper label validation with project scope.

The validation correctly filters labels to ensure they belong to the current project context.


160-167: LGTM! Correct use of assignee_id in bulk creation.

The change from using full assignee objects to assignee_id is correct and aligns with the validated list of IDs from the validate method.


176-183: LGTM! Correct use of label_id in bulk creation.

The change from using full label objects to label_id is correct and aligns with the validated list of IDs from the validate method.


234-241: LGTM! Correct use of assignee_id in update method.

The change to use assignee_id is consistent with the create method and properly handles the validated assignee IDs.


makeplane bot commented Jul 23, 2025

Pull Request Linked with Plane Work Items

Comment Automatically Generated by Plane

Copilot AI (Contributor) left a comment

Pull Request Overview

This pull request fixes validation issues in the Work Item model by adding comprehensive field validations and correcting database relationship references in the serializers. The changes ensure that all related entities (assignees, labels, states, parents, and estimate points) belong to the correct project scope and prevent invalid data from being saved.

  • Adds HTML validation for description fields using lxml library
  • Implements project-scoped validation for states, parents, labels, assignees, and estimate points
  • Fixes foreign key references to use ID-based assignments instead of object assignments

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
apps/api/plane/app/serializers/issue.py Adds comprehensive validation logic and fixes label/assignee FK references
apps/api/plane/app/serializers/draft.py Mirrors validation improvements from issue serializer for draft issues
apps/api/plane/api/serializers/issue.py Adds estimate point validation and improves parent issue validation scope

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 3

🔭 Outside diff range comments (2)
apps/api/plane/api/serializers/issue.py (1)

105-112: Validation logic contradicts the comment about cross-project parent issues.

The comment states "Check parent issue is from workspace as it can be cross workspace" (which seems to imply cross-project within the same workspace), but the validation now requires the parent issue to be from the same project. This is a breaking change if parent-child relationships were previously allowed across projects.

Consider either:

  1. Updating the comment to reflect the new stricter validation
  2. Removing the project_id filter if cross-project parent issues should be allowed
apps/api/plane/app/serializers/draft.py (1)

245-260: Critical bug: Incorrect field name in label bulk creation.

The update method incorrectly uses label=label instead of label_id=label_id. Since the validated data contains label IDs (not objects), this will cause a runtime error.

             DraftIssueLabel.objects.bulk_create(
                 [
                     DraftIssueLabel(
-                        label=label,
+                        label_id=label_id,
                         draft_issue=instance,
                         workspace_id=workspace_id,
                         project_id=project_id,
                         created_by_id=created_by_id,
                         updated_by_id=updated_by_id,
                     )
-                    for label in labels
+                    for label_id in labels
                 ],
                 batch_size=10,
             )
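Review bot: the rename to label_id is the right fix and brings update() in line with the create path (the 160-183 hunks above already use assignee_id and label_id), but it is only correct if the `labels` iterated here is the filtered attrs["label_ids"] produced by validate(), not the raw request payload, since validate() replaces the Label objects the field deserializes with plain IDs. Worth pairing with a unit test that updates a draft with a label from another project and asserts no DraftIssueLabel row is created for it; that is the regression this bug would otherwise have hidden behind a runtime error.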
🧹 Nitpick comments (3)
apps/api/plane/app/serializers/draft.py (1)

90-97: Consider simplifying the label validation logic.

The validation correctly ensures labels belong to the project. However, the code can be simplified:

-        if attrs.get("label_ids"):
-            label_ids = [label.id for label in attrs["label_ids"]]
-            attrs["label_ids"] = list(
-                Label.objects.filter(
-                    project_id=self.context.get("project_id"), id__in=label_ids
-                ).values_list("id", flat=True)
-            )
+        if attrs.get("label_ids"):
+            label_ids = [label.id for label in attrs["label_ids"]]
+            attrs["label_ids"] = Label.objects.filter(
+                project_id=self.context.get("project_id"), id__in=label_ids
+            ).values_list("id", flat=True)
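Review bot: keep the list() wrapper rather than taking this suggestion. values_list(..., flat=True) returns a lazy QuerySet, so without list() the scoping query does not run inside validate() but at whatever point create()/update() first iterates attrs["label_ids"], and validated_data then carries a QuerySet where the rest of the serializer (and anything that logs or compares the validated payload) expects a plain list of IDs; materializing once in validate() is both cheaper and more predictable. In either version, the line `label_ids = [label.id for label in attrs["label_ids"]]` shows that validate() silently changes the type of attrs["label_ids"] from Label objects to IDs, which is exactly the type change the label=label / label_id=label_id bug above tripped over, so a one-line comment documenting the new type at this point would help the next reader.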

The list() wrapper is unnecessary as values_list() returns a QuerySet that behaves like a list.

apps/api/plane/app/serializers/issue.py (2)

143-151: Consider simplifying the label validation logic.

Similar to the draft serializer, the list() wrapper is unnecessary:

-        if attrs.get("label_ids"):
-            label_ids = [label.id for label in attrs["label_ids"]]
-            attrs["label_ids"] = list(
-                Label.objects.filter(
-                    project_id=self.context.get("project_id"),
-                    id__in=label_ids,
-                ).values_list("id", flat=True)
-            )
+        if attrs.get("label_ids"):
+            label_ids = [label.id for label in attrs["label_ids"]]
+            attrs["label_ids"] = Label.objects.filter(
+                project_id=self.context.get("project_id"),
+                id__in=label_ids,
+            ).values_list("id", flat=True)
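Review bot: the same list() objection applies here as in draft.py. The more important point for both serializers is that an out-of-project label ID is silently dropped rather than rejected, unlike the state check, which raises a ValidationError with a clear message: a client that references another project's labels receives a success response with a quietly shortened list, and nothing records the mismatch. Consider raising when the filtered result is shorter than the submitted list, so a tampered or stale request fails visibly and the rejection shows up in API error logs.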

177-186: Good implementation of estimate_point validation.

This validation correctly checks both workspace_id and project_id. However, the DraftIssueCreateSerializer only checks project_id. These should be made consistent.

Consider creating a shared validation mixin or utility function for common validations (estimate_point, parent, state) to ensure consistency across all issue-related serializers. This would prevent the validation logic from diverging between different serializers.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between d2629d7 and 75ea97f.

📒 Files selected for processing (3)
  • apps/api/plane/api/serializers/issue.py (2 hunks)
  • apps/api/plane/app/serializers/draft.py (6 hunks)
  • apps/api/plane/app/serializers/issue.py (6 hunks)
🧬 Code Graph Analysis (1)
apps/api/plane/app/serializers/issue.py (2)
apps/api/plane/db/models/issue.py (1)
  • Issue (104-260)
apps/api/plane/tests/unit/bg_tasks/test_copy_s3_objects.py (1)
  • issue (25-31)
🔇 Additional comments (7)
apps/api/plane/api/serializers/issue.py (1)

118-129: LGTM! Proper validation for estimate_point field.

The validation ensures that the estimate point belongs to the correct workspace and project context, maintaining data integrity. The implementation follows the established pattern for similar validations.

apps/api/plane/app/serializers/draft.py (4)

72-79: Good addition of HTML validation for security.

The HTML parsing and sanitization helps prevent XSS attacks. The implementation is consistent with similar validation in other serializers.


81-88: Excellent validation for assignees.

The filtering ensures only active project members with appropriate permissions (role >= 15) can be assigned to draft issues, maintaining data integrity and access control.


99-109: Proper validation for state field.

The validation ensures the state belongs to the correct project context with a clear error message.


155-185: Correct usage of ID fields in bulk create operations.

The changes properly use assignee_id and label_id to match the validated data structure after filtering. This ensures the bulk create operations work correctly with the ID lists.

apps/api/plane/app/serializers/issue.py (2)

125-132: ****


246-263: Correct implementation of label handling in create and update methods.

Both methods properly use label_id to match the validated data structure. The implementation is consistent and correct.

Also applies to: 298-317
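A framework-free sketch of the project-scoped reference validation this review discusses, added here as an example and not code from the plane repository: ProjectDB, validate_issue_refs and the sample data are constructed stand-ins for the ORM queries, the role values are those cited in the learnings above, and the strict flag goes beyond the PR by rejecting, rather than dropping, out-of-scope list entries.

```python
# Added example (not code from the plane repository): a framework-free sketch of
# the project-scoped reference validation this PR adds to its serializers.
# ProjectDB, validate_issue_refs and the sample data are constructed stand-ins
# for the ORM queries; the role values are the ones cited in the review thread.
from dataclasses import dataclass, field

ROLE_MEMBER = 15  # ADMIN = 20, MEMBER = 15, GUEST = 5; assignees need >= MEMBER


class ValidationError(Exception):
    """Stands in for the serializer framework's ValidationError."""


@dataclass
class ProjectDB:
    """Constructed in-memory tables, keyed the way the serializer queries them."""
    members: dict = field(default_factory=dict)  # (project_id, user_id) -> (role, is_active)
    labels: dict = field(default_factory=dict)   # label_id -> project_id
    states: dict = field(default_factory=dict)   # state_id -> project_id
    issues: dict = field(default_factory=dict)   # issue_id -> (workspace_id, project_id)
    points: dict = field(default_factory=dict)   # estimate_point_id -> (workspace_id, project_id)


def _assignable(db, project_id, user_id):
    # Active project member holding at least the MEMBER role.
    role, active = db.members.get((project_id, user_id), (0, False))
    return active and role >= ROLE_MEMBER


def validate_issue_refs(attrs, db, workspace_id, project_id, strict=False):
    """Return a copy of attrs with every reference confined to the project.

    As in the PR, list fields (assignees, labels) are filtered down to in-scope
    IDs while single references (state, parent, estimate point) raise. With
    strict=True an out-of-scope list entry is rejected instead of dropped, so a
    tampered request fails loudly rather than succeeding with a shorter list.
    """
    out = dict(attrs)
    in_scope = {
        "assignee_ids": lambda uid: _assignable(db, project_id, uid),
        "label_ids": lambda lid: db.labels.get(lid) == project_id,
    }
    for key, ok in in_scope.items():
        if attrs.get(key):
            out[key] = [ref for ref in attrs[key] if ok(ref)]
            if strict and len(out[key]) != len(attrs[key]):
                raise ValidationError(f"{key} contains references outside this project")
    if attrs.get("state_id") and db.states.get(attrs["state_id"]) != project_id:
        raise ValidationError("State is not valid for this project")
    if attrs.get("parent_id") and db.issues.get(attrs["parent_id"]) != (workspace_id, project_id):
        raise ValidationError("Parent issue is not valid for this project")
    point = attrs.get("estimate_point_id")
    if point and db.points.get(point) != (workspace_id, project_id):
        raise ValidationError("Estimate point is not valid for this project")
    return out


def sample_db():
    """Constructed sample data: project p1 in workspace ws1, plus decoys in p2 and ws2."""
    return ProjectDB(
        members={("p1", "admin"): (20, True), ("p1", "member"): (15, True),
                 ("p1", "guest"): (5, True), ("p1", "former"): (15, False),
                 ("p2", "outsider"): (20, True)},
        labels={"l1": "p1", "l2": "p1", "l9": "p2"},
        states={"s1": "p1", "s9": "p2"},
        issues={"i1": ("ws1", "p1"), "i9": ("ws1", "p2")},
        points={"e1": ("ws1", "p1"), "e9": ("ws2", "p9")},
    )
```

Run validate_issue_refs(attrs, sample_db(), "ws1", "p1") on a payload mixing in-scope and decoy IDs: the guest, the deactivated member and the user from p2 are dropped from assignee_ids and the p2 label from label_ids, while a decoy state, parent or estimate point raises.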

@sriramveeraghanta sriramveeraghanta merged commit 63d025c into preview Jul 25, 2025
5 of 6 checks passed
@sriramveeraghanta sriramveeraghanta deleted the issue-validations branch July 25, 2025 11:20
sriramveeraghanta pushed a commit that referenced this pull request Jul 30, 2025
* chore: added field validations in serializer

* chore: added enum for roles
lifeiscontent pushed a commit that referenced this pull request Aug 18, 2025
* chore: added field validations in serializer

* chore: added enum for roles
5 participants