Skip to content

fix(api): handle null environment in validate_environment#6937

Open
wavebyrd wants to merge 5 commits intoFlagsmith:mainfrom
wavebyrd:fix/6597-validate-environment-none
Open

fix(api): handle null environment in validate_environment#6937
wavebyrd wants to merge 5 commits intoFlagsmith:mainfrom
wavebyrd:fix/6597-validate-environment-none

Conversation

@wavebyrd
Copy link

@wavebyrd wavebyrd commented Mar 12, 2026
edited
Loading

Summary

Fixes #6597

FeatureStateSerializerBasic.validate_environment raises an AttributeError when a request passes null for the environment field. The method tries to access .id on the environment parameter without first checking for None.

Since null=True on the environment column is a historical data layer detail and not intended API behaviour, this rejects null with a ValidationError instead of passing it through.

Changes

  • api/features/serializers.py: Added None check in validate_environment that raises ValidationError before accessing environment.id
  • api/tests/unit/features/test_unit_features_serializers.py: Added test verifying null environment is rejected with a validation error

Test plan

  • New unit test: test_feature_state_serializer_basic__null_environment__returns_validation_error verifies passing environment: None is rejected and does not raise AttributeError
  • CI passes existing test suite

@wavebyrd wavebyrd requested a review from a team as a code owner March 12, 2026 19:50
@wavebyrd wavebyrd requested review from emyller and removed request for a team March 12, 2026 19:50
@vercel
Copy link

vercel bot commented Mar 12, 2026

Someone is attempting to deploy a commit to the Flagsmith Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions bot added the api Issue related to the REST API label Mar 12, 2026
cursor[bot]
cursor bot reviewed Mar 12, 2026
View reviewed changes
emyller
emyller requested changes Mar 12, 2026
View reviewed changes
Copy link
Contributor

@emyller emyller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution @wavebyrd!

As I understand, environment is nullable in the data layer only because we failed to constrain it after historical data. I believe the correct resolution might explore preventing a null environment being received in the validation layer.

@wavebyrd
Copy link
Author

wavebyrd commented Mar 12, 2026

Thanks for the feedback @emyller — you're right. Updated to raise a ValidationError instead of passing None through. The null environment is now explicitly rejected at the validation layer.

cursor[bot]
cursor bot reviewed Mar 12, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

api/features/serializers.py Outdated

def validate_environment(self, environment): # type: ignore[no-untyped-def]
if environment is None:
raise serializers.ValidationError("This field may not be null.")
Copy link

@cursor cursor bot Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ValidationError prevents intended context-based environment fallback

High Severity

Raising ValidationError in validate_environment when environment is None prevents the object-level validate() from ever running. In DRF, field-level validation errors block execution of validate(). The validate() method at line 609 has an intentional fallback — attrs.get("environment") or self.context["environment"] — designed to resolve environment from the serializer context when it's absent from request data. Since FeatureState.environment is null=True, DRF passes None through to validate_environment. Returning None here instead of raising would let the fallback work as intended.

Additional Locations (1)
Fix in Cursor Fix in Web

@wavebyrd wavebyrd force-pushed the fix/6597-validate-environment-none branch from 702d558 to bd4b8b3 Compare March 12, 2026 21:05
@cursor
Copy link

cursor bot commented Mar 12, 2026

You have used all of your free Bugbot PR reviews.

To receive reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

@wavebyrd
Copy link
Author

wavebyrd commented Mar 13, 2026

Moved the null check into validate() so the context fallback still works. If environment is None after checking both the payload and context, it now raises a ValidationError there instead.

@wavebyrd wavebyrd force-pushed the fix/6597-validate-environment-none branch from de112d6 to d9bf73d Compare March 13, 2026 21:23
@wavebyrd wavebyrd requested review from a team as code owners March 13, 2026 21:23
@wavebyrd wavebyrd requested review from Zaimwa9, adamvialpando and germangarces and removed request for a team March 13, 2026 21:23
@github-actions github-actions bot added front-end Issue related to the React Front End Dashboard docs Documentation updates infrastructure labels Mar 13, 2026
@matthewelwell
Copy link
Contributor

matthewelwell commented Mar 16, 2026

Hi @wavebyrd , can you check this PR please - it looks like you've perhaps made a mistake in a rebase or merge because it's showing 3000+ files changed.

@matthewelwell matthewelwell mentioned this pull request Mar 16, 2026
Open
4 tasks
wavebyrd and others added 4 commits March 16, 2026 09:15
@wavebyrd
fix(api): handle null environment in validate_environment (Flagsmith#…
35cf9bf 
…6597)

When a request passes a null environment value to the featurestates
endpoint, `validate_environment` raises an `AttributeError` because
it tries to access `.id` on `None`. Guard against `None` and return
early, letting the broader `validate` method resolve the environment
from the serialiser context.
@wavebyrd
Reject null environment with a validation error
556c327 
Address review feedback: raise ValidationError instead of passing
null through, since the nullable environment column is a historical
data layer artefact and not intended API behaviour.
@pre-commit-ci @wavebyrd
[pre-commit.ci] auto fixes from pre-commit.com hooks
246d558 
for more information, see https://pre-commit.ci
@wavebyrd
Move null environment check to object-level validate()
02253cf 
Field-level validate_environment was blocking the context fallback
in validate() from ever running. Now validate_environment just guards
the .id access, and validate() resolves environment from context
before rejecting null.
@wavebyrd wavebyrd force-pushed the fix/6597-validate-environment-none branch from 9576e83 to 02253cf Compare March 16, 2026 13:15
@wavebyrd
Copy link
Author

wavebyrd commented Mar 16, 2026

Fixed the rebase - should now show only the 4 commits for this fix. Sorry about that!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@emyller emyller emyller requested changes

@adamvialpando adamvialpando Awaiting requested review from adamvialpando adamvialpando was automatically assigned from Flagsmith/flagsmith-docs

@germangarces germangarces Awaiting requested review from germangarces germangarces was automatically assigned from Flagsmith/flagsmith-infrastructure

@Zaimwa9 Zaimwa9 Awaiting requested review from Zaimwa9 Zaimwa9 was automatically assigned from Flagsmith/flagsmith-front-end

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

api Issue related to the REST API docs Documentation updates front-end Issue related to the React Front End Dashboard infrastructure

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

500 when calling /api/v1/features/featurestates/{pk}/ with empty environment

3 participants

@wavebyrd @matthewelwell @emyller