Address PR #1384 review: add CreateLabelForLabelsetMutation tests

JSv4 · JSv4 · commit 691d65e41a0e · 2026-04-26T00:09:47.000-05:00
Reviewer flagged that the behavioral change to CreateLabelForLabelsetMutation
(creator-only -&gt; guardian UPDATE) lacked test coverage matching the
RemoveLabelsFromLabelsetMutation suite. Adds CreateLabelForLabelsetMutationTestCase
covering: creator happy path, non-owner without permission rejected, is_public
alone insufficient, and non-owner with explicit UPDATE grant succeeds.

Also fixes the minor style nit on the IDOR-deny path - raise the exception with
parentheses for consistency with idiomatic Python.
diff --git a/config/graphql/label_mutations.py b/config/graphql/label_mutations.py
@@ -240,7 +240,7 @@ def mutate(root, info, labelset_id, text, description, color, icon, label_type):
                 include_group_permissions=True,
             ):
                 # Generic deny path — same message and code path as not-found
-                raise LabelSet.DoesNotExist
+                raise LabelSet.DoesNotExist()
             logger.debug("CreateLabelForLabelsetMutation - mutate / Labelset", labelset)
             obj = AnnotationLabel.objects.create(
                 text=text,
@@ -305,7 +305,7 @@ def mutate(root, info, label_ids, labelset_id):
                 include_group_permissions=True,
             ):
                 # Generic deny path — same message and code path as not-found
-                raise LabelSet.DoesNotExist
+                raise LabelSet.DoesNotExist()
             labelset.annotation_labels.remove(*label_pks)
             ok = True
             message = "Success"
diff --git a/opencontractserver/tests/test_label_mutations.py b/opencontractserver/tests/test_label_mutations.py
@@ -37,6 +37,27 @@ def __init__(self, user):
 """
 
 
+CREATE_LABEL_FOR_LABELSET_MUTATION = """
+    mutation CreateLabelForLabelset(
+        $labelsetId: String!
+        $text: String
+        $color: String
+        $labelType: String
+    ) {
+        createAnnotationLabelForLabelset(
+            labelsetId: $labelsetId
+            text: $text
+            color: $color
+            labelType: $labelType
+        ) {
+            ok
+            message
+            objId
+        }
+    }
+"""
+
+
 class RemoveLabelsFromLabelsetMutationTestCase(TestCase):
     """Regression coverage for issue #1359."""
 
@@ -226,3 +247,118 @@ def test_remove_labels_allows_non_owner_with_explicit_update_permission(
         )
         remaining = set(self.labelset.annotation_labels.values_list("pk", flat=True))
         self.assertEqual(remaining, {self.label_b.pk, self.label_c.pk})
+
+
+class CreateLabelForLabelsetMutationTestCase(TestCase):
+    """Coverage for ``CreateLabelForLabelsetMutation`` permission gating.
+
+    The mutation moved from creator-only to guardian-permission-based, so we
+    pin the four cases reviewers asked for: creator happy path, non-creator
+    rejection, ``is_public`` is not enough, and explicit ``UPDATE`` works.
+    """
+
+    def setUp(self) -> None:
+        self.user = User.objects.create_user(
+            username="testuser", password="testpassword"
+        )
+        self.other_user = User.objects.create_user(
+            username="otheruser", password="otherpassword"
+        )
+
+        self.client = Client(schema, context_value=TestContext(self.user))
+        self.other_client = Client(schema, context_value=TestContext(self.other_user))
+
+        self.labelset = LabelSet.objects.create(
+            title="Test Labelset",
+            description="Test labelset",
+            creator=self.user,
+        )
+        set_permissions_for_obj_to_user(
+            self.user, self.labelset, [PermissionTypes.CRUD]
+        )
+
+    def _create_variables(self, text: str = "New Label") -> dict:
+        return {
+            "labelsetId": to_global_id("LabelSetType", self.labelset.id),
+            "text": text,
+            "color": "#ABCDEF",
+            "labelType": LabelType.SPAN_LABEL,
+        }
+
+    def test_creator_can_create_label(self) -> None:
+        """Regression guard: the creator's happy path still works."""
+
+        result = self.client.execute(
+            CREATE_LABEL_FOR_LABELSET_MUTATION,
+            variables=self._create_variables("Creator Label"),
+        )
+
+        self.assertIsNone(result.get("errors"))
+        data = result["data"]["createAnnotationLabelForLabelset"]
+        self.assertTrue(
+            data["ok"],
+            msg=f"Mutation did not succeed. Message: {data['message']}",
+        )
+        self.assertEqual(data["message"], "SUCCESS")
+        self.assertIsNotNone(data["objId"])
+        self.assertEqual(self.labelset.annotation_labels.count(), 1)
+        self.assertEqual(self.labelset.annotation_labels.first().text, "Creator Label")
+
+    def test_non_owner_without_permission_is_rejected(self) -> None:
+        """A user with no permission on the labelset cannot add labels."""
+
+        result = self.other_client.execute(
+            CREATE_LABEL_FOR_LABELSET_MUTATION,
+            variables=self._create_variables("Should Not Exist"),
+        )
+
+        self.assertIsNone(result.get("errors"))
+        data = result["data"]["createAnnotationLabelForLabelset"]
+        self.assertFalse(data["ok"])
+        self.assertEqual(self.labelset.annotation_labels.count(), 0)
+        # No orphan AnnotationLabel should leak when the caller is unauthorized
+        self.assertFalse(
+            AnnotationLabel.objects.filter(text="Should Not Exist").exists()
+        )
+
+    def test_non_owner_rejected_even_when_labelset_is_public(self) -> None:
+        """``is_public`` is READ-only and must not grant CREATE rights."""
+
+        self.labelset.is_public = True
+        self.labelset.save()
+
+        result = self.other_client.execute(
+            CREATE_LABEL_FOR_LABELSET_MUTATION,
+            variables=self._create_variables("Public Should Not Help"),
+        )
+
+        self.assertIsNone(result.get("errors"))
+        data = result["data"]["createAnnotationLabelForLabelset"]
+        self.assertFalse(data["ok"])
+        self.assertEqual(self.labelset.annotation_labels.count(), 0)
+        self.assertFalse(
+            AnnotationLabel.objects.filter(text="Public Should Not Help").exists()
+        )
+
+    def test_non_owner_with_explicit_update_permission_can_create(self) -> None:
+        """A collaborator with guardian UPDATE on the labelset may add labels."""
+
+        set_permissions_for_obj_to_user(
+            self.other_user, self.labelset, [PermissionTypes.UPDATE]
+        )
+
+        result = self.other_client.execute(
+            CREATE_LABEL_FOR_LABELSET_MUTATION,
+            variables=self._create_variables("Collaborator Label"),
+        )
+
+        self.assertIsNone(result.get("errors"))
+        data = result["data"]["createAnnotationLabelForLabelset"]
+        self.assertTrue(
+            data["ok"],
+            msg=f"Mutation did not succeed. Message: {data['message']}",
+        )
+        self.assertEqual(self.labelset.annotation_labels.count(), 1)
+        new_label = self.labelset.annotation_labels.first()
+        self.assertEqual(new_label.text, "Collaborator Label")
+        self.assertEqual(new_label.creator_id, self.other_user.id)
