Address review: reject blank label text, drop empty strings before create

JSv4 · JSv4 · commit 581dc1d4b97e · 2026-04-28T18:56:30.000-05:00
- Reject text composed of whitespace early with a stable error message,
  matching the reviewer's request that text not silently fall back
  to the Text Label model default
- Tighten create_kwargs filter to drop empty strings as well as None,
  preventing blank values from bypassing model defaults at the DB level
- Add regression test for the new validation path
diff --git a/config/graphql/label_mutations.py b/config/graphql/label_mutations.py
@@ -237,6 +237,19 @@ def mutate(
         obj = None
         obj_id = None
 
+        # Reject blank ``text`` early.  ``text`` is GraphQL-optional so the
+        # model default ("Text Label") would silently apply, which produces
+        # surprising labels for clients that forgot to pass a value or
+        # passed an empty string.  Django's ``blank=False`` is form-only
+        # and is NOT enforced by ``objects.create()``.
+        if text is not None and not text.strip():
+            return CreateLabelForLabelsetMutation(
+                obj=None,
+                obj_id=None,
+                message="Label text cannot be blank.",
+                ok=False,
+            )
+
         # Validate color format (defense in depth)
         is_valid_color, color_error = validate_color(color)
         if not is_valid_color:
@@ -255,8 +268,10 @@ def mutate(
                 # Generic deny path — same message and code path as not-found
                 raise LabelSet.DoesNotExist()
             logger.debug("CreateLabelForLabelsetMutation - mutate / Labelset", labelset)
-            # Drop None values so model field defaults apply (description,
-            # color, icon, text are NOT NULL with sensible defaults).
+            # Drop None and empty-string values so model field defaults
+            # apply (description, color, icon, text are NOT NULL with
+            # sensible defaults).  Empty strings would bypass those
+            # defaults at the DB level and write a row with blank values.
             create_kwargs = {
                 k: v
                 for k, v in {
@@ -266,7 +281,7 @@ def mutate(
                     "icon": icon,
                     "label_type": label_type,
                 }.items()
-                if v is not None
+                if v is not None and v != ""
             }
             obj = AnnotationLabel.objects.create(
                 creator=info.context.user, **create_kwargs
diff --git a/opencontractserver/tests/test_label_mutations.py b/opencontractserver/tests/test_label_mutations.py
@@ -362,3 +362,19 @@ def test_non_owner_with_explicit_update_permission_can_create(self) -> None:
         new_label = self.labelset.annotation_labels.first()
         self.assertEqual(new_label.text, "Collaborator Label")
         self.assertEqual(new_label.creator_id, self.other_user.id)
+
+    def test_blank_text_is_rejected(self) -> None:
+        """An empty/whitespace ``text`` must NOT silently fall back to the
+        ``"Text Label"`` model default — clients should see a validation error.
+        """
+
+        result = self.client.execute(
+            CREATE_LABEL_FOR_LABELSET_MUTATION,
+            variables=self._create_variables("   "),
+        )
+
+        self.assertIsNone(result.get("errors"))
+        data = result["data"]["createAnnotationLabelForLabelset"]
+        self.assertFalse(data["ok"])
+        self.assertIn("blank", data["message"].lower())
+        self.assertEqual(self.labelset.annotation_labels.count(), 0)
