Fix webhook creation/filtering with invalid org

CHANGELOG.md

@@ -63,6 +63,7 @@ Tracks can be exported/imported to/from Datumaro and Sly Pointcloud formats (<ht
 - Clean up disk space after a project is removed (<https://github.com/opencv/cvat/pull/5632>)
 - \[Server API\] Various errors in the generated schema (<https://github.com/opencv/cvat/pull/5575>)
 - SiamMask and TransT serverless functions (<https://github.com/opencv/cvat/pull/5658>)
+- An invalid project/org handling in webhooks (<https://github.com/opencv/cvat/pull/5707>)
 
 ### Security
 - Fixed vulnerability with social authentication (<https://github.com/opencv/cvat/pull/5521>)

cvat/apps/webhooks/serializers.py

@@ -2,15 +2,18 @@
 #
 # SPDX-License-Identifier: MIT
 
+from rest_framework import serializers
+
+from cvat.apps.engine.models import Project
+from cvat.apps.engine.serializers import BasicUserSerializer, WriteOnceMixin
+
 from .event_type import EventTypeChoice, ProjectEvents, OrganizationEvents
 from .models import (
     Webhook,
     WebhookContentTypeChoice,
     WebhookTypeChoice,
     WebhookDelivery,
 )
-from rest_framework import serializers
-from cvat.apps.engine.serializers import BasicUserSerializer, WriteOnceMixin
 
 
 class EventTypeValidator:
@@ -126,6 +129,9 @@ class Meta:
         validators = [EventTypeValidator()]
 
     def create(self, validated_data):
+        if (project_id := validated_data.get('project_id')) is not None:
+            validated_data['organization'] = Project.objects.get(pk=project_id).organization
+
         db_webhook = Webhook.objects.create(**validated_data)
         return db_webhook
 

cvat/apps/webhooks/signals.py

@@ -98,7 +98,6 @@ def select_webhooks(project_id, org_id, event):
             is_active=True,
             events__contains=event,
             type=WebhookTypeChoice.PROJECT,
-            organization=org_id,
             project=project_id,
         )
         selected_webhooks += list(webhooks)

tests/python/rest_api/test_webhooks.py

@@ -266,6 +266,22 @@ def test_can_create_without_unnecessary_fields(self):
 
         assert response.status_code == HTTPStatus.CREATED
 
+    def test_can_create_with_mismatching_project_org_fields(self, projects_by_org):
+        # In this case we could either fail or ignore invalid query param
+        # Currently, the invalid org id will be ignored and the value
+        # will be taken from the project.
+        post_data = deepcopy(self.proj_webhook)
+        org_id = next(iter(projects_by_org))
+        project = projects_by_org[org_id][0]
+        post_data["project_id"] = project["id"]
+        org_id = next(k for k in projects_by_org if k != org_id)
+
+        response = post_method("admin1", "webhooks", post_data, org_id=org_id)
+
+        assert response.status_code == HTTPStatus.CREATED
+        assert response.json()["project_id"] == post_data["project_id"]
+        assert response.json()["organization"] == project["organization"]
+
     def test_cannot_create_without_target_url(self):
         post_data = deepcopy(self.proj_webhook)
         post_data.pop("target_url")