
Tighten checks for project leaders on creating a Program #4695

Open
kasya wants to merge 4 commits into main from tighten-leader-check-for-program-creation

Conversation


@kasya kasya commented May 18, 2026

Tighten the check for project leader on creating a Program in the Mentorship portal.
Resolves #4283 and other issues where Chapter leaders seemed to be able to create a program.

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran make check-test locally: all warnings addressed, tests passed
  • I used AI for code, documentation, tests, or communication related to this PR


coderabbitai Bot commented May 18, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 289eb2b and 97b5469.

📒 Files selected for processing (1)
  • backend/tests/unit/apps/mentorship/api/internal/mutations/program_mutation_test.py

Summary by CodeRabbit

  • Bug Fixes
    • Program creation now requires a linked GitHub account with project-leader status; unauthorized attempts are denied with a clear permission message.
  • Refactor
    • Leader membership lookup logic has been centralized to improve consistency.
  • Tests
    • Unit tests added/updated to cover the new permission checks and leader-resolution behavior.

Walkthrough

The PR centralizes leader membership lookup on the GitHub user model, updates ProjectQuery.is_project_leader to return GithubUser.is_project_leader, and adds a project-leader authorization check to ProgramMutation.create_program; tests updated/added accordingly.

Changes

Leader Detection Refactor

Layer: Entity Leader Utility in GitHub User Model
File(s): backend/apps/github/models/user.py, backend/tests/unit/apps/github/models/user_is_project_leader_test.py
Summary: New User._get_leader_memberships(entity_model) helper centralizes active, reviewed EntityMember leader queries; existing leader ID extraction is updated to reuse it; tests added for is_project_leader.

Layer: Project Query Resolution Delegation
File(s): backend/apps/owasp/api/internal/queries/project.py, backend/tests/unit/apps/owasp/api/internal/queries/project_test.py
Summary: ProjectQuery.is_project_leader loads GithubUser by login and returns github_user.is_project_leader instead of inline substring-matching of leaders_raw; removed unused Q import; tests refactored to patch GithubUser.objects.get and added a blank-display-name case.

Layer: Program Creation Authorization Gate
File(s): backend/apps/mentorship/api/internal/mutations/program.py, backend/tests/unit/apps/mentorship/api/internal/mutations/program_mutation_test.py
Summary: ProgramMutation.create_program requires user.github_user and user.github_user.is_project_leader to be true, otherwise logs a warning and raises PermissionDenied; existing tests updated to include a mocked github_user, and negative tests added for missing/unauthorized users.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Suggested reviewers

  • arkid15r
Pre-merge checks: 5 passed

Title check: Passed. The title directly describes the main change: tightening checks for project leaders on program creation, which is the primary objective of the pull request.
Description check: Passed. The description is related to the changeset, mentioning issue #4283 about preventing false project leader detection and tightening checks for program creation.
Linked Issues check: Passed. The PR addresses issue #4283 by replacing substring matching with explicit GitHub login matching via GithubUser.is_project_leader, eliminating false positives and ensuring only authorized project leaders can create programs.
Out of Scope Changes check: Passed. All changes are focused on fixing the project leader detection logic to prevent false positives, with supporting test coverage and refactoring of related helper methods.
Docstring Coverage: Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.


coderabbitai[bot]
coderabbitai Bot previously approved these changes May 18, 2026

codecov Bot commented May 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.88%. Comparing base (25c4ec4) to head (7ad81a8).


@@           Coverage Diff           @@
##             main    #4695   +/-   ##
=======================================
  Coverage   98.88%   98.88%           
=======================================
  Files         538      538           
  Lines       17143    17152    +9     
  Branches     2457     2406   -51     
=======================================
+ Hits        16951    16960    +9     
  Misses        103      103           
  Partials       89       89           
Flag Coverage Δ
backend 99.47% <100.00%> (+<0.01%) ⬆️
frontend 97.26% <ø> (ø)


Files with missing lines Coverage Δ
backend/apps/github/models/user.py 100.00% <100.00%> (ø)
.../apps/mentorship/api/internal/mutations/program.py 96.42% <100.00%> (+0.13%) ⬆️
backend/apps/owasp/api/internal/queries/project.py 100.00% <100.00%> (ø)


Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data

cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes May 18, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 6 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.


@kasya kasya marked this pull request as ready for review May 18, 2026 00:45
@kasya kasya requested a review from arkid15r as a code owner May 18, 2026 00:45
@kasya kasya dismissed stale reviews from cubic-dev-ai[bot] and coderabbitai[bot] via 289eb2b May 23, 2026 22:05
cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes May 23, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment


0 issues found across 8 files (changes from recent commits).


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1


Inline comments:
In `@backend/tests/unit/apps/mentorship/api/internal/mutations/program_mutation_test.py`:
- Around line 216-226: The tests that exercise the allow/validation path for
create_program currently don't set the authorization precondition; explicitly
set user.github_user.is_project_leader = True in those success/validation-path
tests (the ones that build input_data and call the create_program mutation
without expecting PermissionDenied) so they mirror the denial-path's explicit
leader flag and encode the required precondition; update the relevant test
functions that call create_program (and any helpers like _make_info if used
there) to ensure the user is a project leader before invoking the mutation.


📥 Commits

Reviewing files that changed from the base of the PR and between b7b6b84 and 289eb2b.

📒 Files selected for processing (6)
  • backend/apps/github/models/user.py
  • backend/apps/mentorship/api/internal/mutations/program.py
  • backend/apps/owasp/api/internal/queries/project.py
  • backend/tests/unit/apps/github/models/user_is_project_leader_test.py
  • backend/tests/unit/apps/mentorship/api/internal/mutations/program_mutation_test.py
  • backend/tests/unit/apps/owasp/api/internal/queries/project_test.py


@cubic-dev-ai cubic-dev-ai Bot left a comment


0 issues found across 1 file (changes from recent commits).


Development

Successfully merging this pull request may close these issues.

Prevent false project leader detection caused by substring matching
