Tighten checks for project leaders on creating a Program #4695

Merged: arkid15r merged 6 commits into main from tighten-leader-check-for-program-creation on May 31, 2026

@kasya kasya commented May 18, 2026

Tighten a check for project leader on creating a Program in Mentorship portal.
Resolves #4283 and other issues where Chapter leaders seemed to be able to create a program.

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran make check-test locally: all warnings addressed, tests passed
  • I used AI for code, documentation, tests, or communication related to this PR

coderabbitai Bot commented May 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1cf67891-db55-4b91-8910-3988b714cbec

📥 Commits

Reviewing files that changed from the base of the PR and between 97b5469 and 0faf293.

📒 Files selected for processing (3)
  • backend/apps/github/models/user.py
  • backend/tests/unit/apps/github/models/user_is_project_leader_test.py
  • backend/tests/unit/apps/owasp/api/internal/queries/project_test.py

Summary by CodeRabbit

  • Bug Fixes
    • Program creation now denies requests from users without a linked GitHub account or without project-leader status, with a clear permission message.
  • Refactor
    • Leader-membership lookup consolidated to a shared helper for consistent leader resolution.
  • Tests
    • Unit tests added/updated to cover permission checks and the revised leader-resolution behavior.

Walkthrough

Centralizes leader membership lookup on the GitHub user model, makes ProjectQuery.is_project_leader return GithubUser.is_project_leader, and requires project-leader status to create mentorship programs; tests added/updated accordingly.

Changes

Leader Detection Refactor

| Layer / File(s) | Summary |
|---|---|
| Entity Leader Utility in GitHub User Model: backend/apps/github/models/user.py, backend/tests/unit/apps/github/models/user_is_project_leader_test.py | New User._get_leader_memberships(entity_model) helper centralizes active, reviewed EntityMember leader queries; existing leader ID extraction is updated to reuse it; tests added for is_project_leader. |
| Project Query Resolution Delegation: backend/apps/owasp/api/internal/queries/project.py, backend/tests/unit/apps/owasp/api/internal/queries/project_test.py | ProjectQuery.is_project_leader loads GithubUser by login and returns github_user.is_project_leader instead of inline substring-matching of leaders_raw; removed unused Q import; tests refactored to patch GithubUser.objects.get and added blank-display-name case. |
| Program Creation Authorization Gate: backend/apps/mentorship/api/internal/mutations/program.py, backend/tests/unit/apps/mentorship/api/internal/mutations/program_mutation_test.py | ProgramMutation.create_program requires user.github_user and user.github_user.is_project_leader true, otherwise logs a warning and raises PermissionDenied; existing tests updated to include mocked github_user, and negative tests added for missing/unauthorized users. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Suggested reviewers

  • arkid15r
  • ahmedxgouda
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely describes the main change: tightening checks for project leaders when creating a Program. It directly relates to the primary objective of resolving false positive project leader detection. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the motivation to tighten project leader checks on Program creation and referencing the linked issue #4283. |
| Linked Issues check | ✅ Passed | The PR fully addresses issue #4283's objective to prevent false project leader detection by implementing explicit GitHub login matching instead of substring matching across multiple components. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to tightening project leader checks. The modifications to User model, queries, mutations, and tests all focus on eliminating substring-based matching and implementing explicit leader verification. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

coderabbitai Bot previously approved these changes May 18, 2026
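
The distinction drawn in the walkthrough above (substring matching against raw leader names versus an exact, active and reviewed leader membership behind the program-creation gate), as an added Python sketch that is not the project's code. Every name, field, the sample data and the shape of the old check are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; names and fields are hypothetical, not the project's schema.
LEADERS_RAW = ["Joanna Smith", "bob-the-builder"]  # free-text leader names


@dataclass(frozen=True)
class Membership:
    """Stand-in for one leader-membership row in this sketch."""
    login: str
    role: str
    is_active: bool
    is_reviewed: bool


MEMBERSHIPS = [
    Membership("joanna-s", "leader", True, True),
    Membership("carol", "leader", True, False),  # not yet reviewed
    Membership("dave", "leader", False, True),   # no longer active
    Membership("erin", "member", True, True),    # member, not a leader
]


class PermissionDenied(Exception):
    """Raised when the caller may not create a program."""


def is_leader_substring(login: str, name: str) -> bool:
    """Loose check: login or display name occurs anywhere in a raw leader string."""
    return any(login in raw or name in raw for raw in LEADERS_RAW)


def is_leader_exact(login: Optional[str]) -> bool:
    """Strict check: an active, reviewed leader membership for this exact login."""
    return any(
        m.login == login and m.role == "leader" and m.is_active and m.is_reviewed
        for m in MEMBERSHIPS
    )


def create_program(github_login: Optional[str], name: str) -> str:
    """Authorization gate: deny without a linked account or leader membership."""
    if github_login is None or not is_leader_exact(github_login):
        raise PermissionDenied("Only project leaders can create programs.")
    return f"created:{name}"
```

The loose check accepts the login `ann` because it occurs inside "Joanna Smith", and it accepts any user whose display name is blank, since the empty string is a substring of every string.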
codecov Bot commented May 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.88%. Comparing base (bf6e69b) to head (0faf293).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4695   +/-   ##
=======================================
  Coverage   98.88%   98.88%           
=======================================
  Files         538      538           
  Lines       17143    17151    +8     
  Branches     2405     2458   +53     
=======================================
+ Hits        16951    16959    +8     
  Misses        103      103           
  Partials       89       89           
| Flag | Coverage Δ |
|---|---|
| backend | 99.47% <100.00%> (+<0.01%) ⬆️ |
| frontend | 97.26% <ø> (ø) |

Flags with carried forward coverage won't be shown.

| Files with missing lines | Coverage Δ |
|---|---|
| backend/apps/github/models/user.py | 100.00% <100.00%> (ø) |
| .../apps/mentorship/api/internal/mutations/program.py | 96.42% <100.00%> (+0.13%) ⬆️ |
| backend/apps/owasp/api/internal/queries/project.py | 100.00% <100.00%> (ø) |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
cubic-dev-ai Bot previously approved these changes May 18, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 6 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@kasya kasya marked this pull request as ready for review May 18, 2026 00:45
@kasya kasya requested a review from arkid15r as a code owner May 18, 2026 00:45
@kasya kasya dismissed stale reviews from cubic-dev-ai[bot] and coderabbitai[bot] via 289eb2b May 23, 2026 22:05
cubic-dev-ai Bot previously approved these changes May 23, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 8 files (changes from recent commits).

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@backend/tests/unit/apps/mentorship/api/internal/mutations/program_mutation_test.py`:
- Around line 216-226: The tests that exercise the allow/validation path for
create_program currently don't set the authorization precondition; explicitly
set user.github_user.is_project_leader = True in those success/validation-path
tests (the ones that build input_data and call the create_program mutation
without expecting PermissionDenied) so they mirror the denial-path's explicit
leader flag and encode the required precondition; update the relevant test
functions that call create_program (and any helpers like _make_info if used
there) to ensure the user is a project leader before invoking the mutation.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f94704a7-e91b-4ee1-be46-fbc006771dd7

📥 Commits

Reviewing files that changed from the base of the PR and between b7b6b84 and 289eb2b.

📒 Files selected for processing (6)
  • backend/apps/github/models/user.py
  • backend/apps/mentorship/api/internal/mutations/program.py
  • backend/apps/owasp/api/internal/queries/project.py
  • backend/tests/unit/apps/github/models/user_is_project_leader_test.py
  • backend/tests/unit/apps/mentorship/api/internal/mutations/program_mutation_test.py
  • backend/tests/unit/apps/owasp/api/internal/queries/project_test.py

coderabbitai Bot previously approved these changes May 23, 2026
cubic-dev-ai Bot previously approved these changes May 23, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 1 file (changes from recent commits).

@kasya kasya dismissed stale reviews from cubic-dev-ai[bot] and coderabbitai[bot] via 0faf293 May 30, 2026 21:34
@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 3 files (changes from recent commits).

@arkid15r arkid15r added this pull request to the merge queue May 30, 2026
Merged via the queue into main with commit 976615b May 31, 2026
40 checks passed
@arkid15r arkid15r deleted the tighten-leader-check-for-program-creation branch May 31, 2026 00:06
Development

Successfully merging this pull request may close these issues.

Prevent false project leader detection caused by substring matching
