fix: validate registration invite before password validation #7711

Open
10done wants to merge 1 commit into Flagsmith:main from 10done:fix/registration-invite-validation-ordering

@10done 10done commented Jun 5, 2026

Thanks for submitting a PR! Please check the boxes below:

  • I have read the Contributing Guide.
  • I have added information to docs/ if required so people know about the feature.
  • I have filled in the "Changes" section below.
  • I have filled in the "How did you test this code" section below.

Changes

Fixes #7695
Moved _validate_registration_invite() to execute before super().validate()
in CustomUserCreateSerializer.validate().

Uninvited users should be rejected immediately with 403 before the server
performs any further validation. The previous ordering also had a minor
security implication — it leaked password rule feedback to users who were
not authorised to register at all.

How did you test this code?

  • test_register__without_invite_when_disabled__returns_forbidden — passes
    deterministically
  • Full custom_auth unit + integration test suite — all passing
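
The ordering problem this PR description refers to, as an added example that is not part of the PR or of Flagsmith's code base: a plain-Python stand-in for a serializer's validate(), in which the class, the method names and the single password rule are hypothetical. With the old ordering an uninvited client's response depends on the password it sent; with the new ordering it is always the same 403.

```python
# Added illustration, not Flagsmith code; all names and rules are hypothetical.
from dataclasses import dataclass, field


class Forbidden(Exception):
    status = 403


class ValidationError(Exception):
    status = 400


@dataclass
class RegistrationPolicy:
    invited_emails: set = field(default_factory=set)
    min_password_length: int = 10

    def check_invite(self, data):
        if data["email"] not in self.invited_emails:
            raise Forbidden("registration requires an invite")

    def check_password(self, data):
        if len(data["password"]) < self.min_password_length:
            raise ValidationError("password is too short")

    def validate_old(self, data):
        # Previous ordering: field validation runs before the invite check.
        self.check_password(data)
        self.check_invite(data)

    def validate_new(self, data):
        # Fixed ordering: the authorisation gate runs before anything else.
        self.check_invite(data)
        self.check_password(data)


def probe(validate, data):
    """Return (status, message) as an API client would observe it."""
    try:
        validate(data)
    except (Forbidden, ValidationError) as exc:
        return exc.status, str(exc)
    return 201, "created"


if __name__ == "__main__":
    policy = RegistrationPolicy(invited_emails={"invited@example.com"})
    weak = {"email": "uninvited@example.com", "password": "short"}  # constructed
    for name in ("validate_old", "validate_new"):
        print(name, probe(getattr(policy, name), weak))
```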

@10done 10done requested a review from a team as a code owner June 5, 2026 01:10
@10done 10done requested review from khvn26 and removed request for a team June 5, 2026 01:10

vercel Bot commented Jun 5, 2026

@10done is attempting to deploy a commit to the Flagsmith Team on Vercel.

A member of the Team first needs to authorize it.

@10done 10done changed the title from "Validating registration before password validation" to "fix: validate registration invite before password validation" Jun 5, 2026
@github-actions github-actions Bot added the api Issue related to the REST API label Jun 5, 2026

codecov Bot commented Jun 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.37%. Comparing base (cbcac64) to head (529d57f).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7711      +/-   ##
==========================================
- Coverage   98.52%   98.37%   -0.16%     
==========================================
  Files        1444     1444              
  Lines       54971    54968       -3     
==========================================
- Hits        54161    54074      -87     
- Misses        810      894      +84     


Development

Successfully merging this pull request may close these issues.

Flaky test_register__without_invite_when_disabled__returns_forbidden