Fix memeverships-bulk-create validator

taiga/projects/validators.py

@@ -24,7 +24,7 @@ from taiga.base.api import validators
 from taiga.base.exceptions import ValidationError
 from taiga.base.fields import JsonField
 from taiga.base.fields import PgArrayField
-from taiga.users.validators import RoleExistsValidator
+from taiga.users.models import Role
 
 from .tagging.fields import TagsField
 
@@ -200,16 +200,27 @@ class MembershipAdminValidator(MembershipValidator):
         exclude = ("token",)
 
 
-class MemberBulkValidator(RoleExistsValidator, validators.Validator):
+class _MemberBulkValidator(validators.Validator):
     email = serializers.EmailField()
     role_id = serializers.IntegerField()
 
 
 class MembersBulkValidator(ProjectExistsValidator, validators.Validator):
     project_id = serializers.IntegerField()
-    bulk_memberships = MemberBulkValidator(many=True)
+    bulk_memberships = _MemberBulkValidator(many=True)
     invitation_extra_text = serializers.CharField(required=False, max_length=255)
 
+    def validate_bulk_memberships(self, attrs, source):
+        filters = {
+            "project__id": attrs["project_id"],
+            "id__in": [r["role_id"] for r in attrs["bulk_memberships"]]
+        }
+
+        if Role.objects.filter(**filters).count() != len(set(filters["id__in"])):
+            raise ValidationError(_("Invalid role ids. All roles must belong to the same project."))
+
+        return attrs
+
 
 ######################################################
 # Projects

taiga/users/validators.py

@@ -29,18 +29,10 @@ from .models import User, Role
 import re
 
 
-class RoleExistsValidator:
-    def validate_role_id(self, attrs, source):
-        value = attrs[source]
-        if not Role.objects.filter(pk=value).exists():
-            msg = _("There's no role with that id")
-            raise ValidationError(msg)
-        return attrs
-
-
 ######################################################
 # User
 ######################################################
+
 class UserValidator(validators.ModelValidator):
     class Meta:
         model = User

tests/integration/resources_permissions/test_projects_choices_resources.py

@@ -2055,6 +2055,7 @@ def test_membership_action_bulk_create(client, data):
     results = helper_test_http_method(client, 'post', url, bulk_data, users)
     assert results == [401, 403, 403, 403, 451]
 
+
 def test_membership_action_resend_invitation(client, data):
     public_invitation = f.InvitationFactory(project=data.public_project, role__project=data.public_project)
     private_invitation1 = f.InvitationFactory(project=data.private_project1, role__project=data.private_project1)

tests/integration/test_memberships.py

@@ -72,6 +72,30 @@ def test_api_create_bulk_members(client):
     assert response.data[1]["email"] == joseph.email
 
 
+def test_api_create_bulk_members_with_invalid_roles(client):
+    project = f.ProjectFactory()
+    john = f.UserFactory.create()
+    joseph = f.UserFactory.create()
+    tester = f.RoleFactory(name="Tester")
+    gamer = f.RoleFactory(name="Gamer")
+    f.MembershipFactory(project=project, user=project.owner, is_admin=True)
+
+    url = reverse("memberships-bulk-create")
+
+    data = {
+        "project_id": project.id,
+        "bulk_memberships": [
+            {"role_id": tester.pk, "email": john.email},
+            {"role_id": gamer.pk, "email": joseph.email},
+        ]
+    }
+    client.login(project.owner)
+    response = client.json.post(url, json.dumps(data))
+
+    assert response.status_code == 400
+    assert "bulk_memberships" in response.data
+
+
 def test_api_create_bulk_members_with_allowed_domain(client):
     project = f.ProjectFactory()
     john = f.UserFactory.create()