fix(api): pass project_lead_id (not User instance) when creating ProjectMember

jamartineztelecoengineer84-dotcom · jamartineztelecoengineer84-dotcom · commit 4d606fec6648 · 2026-04-27T20:08:59.000Z
The create-project endpoint built a ProjectMember row with
member_id=serializer.instance.project_lead, which resolves to a User
instance via Django's related descriptor instead of a UUID. Django's
UUIDField coercion then fails with AttributeError: 'User' object has
no attribute 'replace', which the generic exception handler converts
to a 400 "Please provide valid detail" — but only after the Project
row was already persisted, leaving an orphaned project without
default states.

Fix:
- Use project_lead_id (FK ID, no descriptor lookup) on both the guard
  comparison and the ProjectMember creation.
- Wrap the post-save flow in transaction.atomic() so any future
  exception triggers a clean rollback.
- Defer model_activity.delay() with transaction.on_commit() so the
  activity log only fires after a successful commit.
- Capture the exception with log_exception() in the generic catch so
  future regressions surface in api logs.

Note: a related data integrity issue exists where
ProjectCreateSerializer doesn't create a ProjectIdentifier row
(unlike its frontend counterpart). Out of scope here, will follow
up in a separate PR.
diff --git a/apps/api/plane/api/views/project.py b/apps/api/plane/api/views/project.py
@@ -6,7 +6,7 @@
 import json
 
 # Django imports
-from django.db import IntegrityError
+from django.db import IntegrityError, transaction
 from django.db.models import Exists, F, Func, OuterRef, Prefetch, Q, Subquery, Count
 from django.db.models.functions import Coalesce
 from django.utils import timezone
@@ -38,6 +38,7 @@
     ProjectPage,
 )
 from plane.bgtasks.webhook_task import model_activity, webhook_activity
+from plane.utils.exception_logger import log_exception
 from .base import BaseAPIView
 from plane.utils.host import base_host
 from plane.api.serializers import (
@@ -223,48 +224,59 @@ def post(self, request, slug):
             serializer = ProjectCreateSerializer(data={**request.data}, context={"workspace_id": workspace.id})
 
             if serializer.is_valid():
-                serializer.save()
-
-                # Add the user as Administrator to the project
-                _ = ProjectMember.objects.create(project_id=serializer.instance.id, member=request.user, role=20)
+                with transaction.atomic():
+                    serializer.save()
+
+                    # Add the creator as Administrator of the project.
+                    _ = ProjectMember.objects.create(project_id=serializer.instance.id, member=request.user, role=20)
+
+                    # If a different project_lead was provided, add them as
+                    # Administrator too. Use project_lead_id (the FK column)
+                    # rather than project_lead (the related descriptor, which
+                    # would resolve to a User instance and break UUID coercion
+                    # downstream in ProjectMember.objects.create).
+                    if (
+                        serializer.instance.project_lead_id is not None
+                        and serializer.instance.project_lead_id != request.user.id
+                    ):
+                        ProjectMember.objects.create(
+                            project_id=serializer.instance.id,
+                            member_id=serializer.instance.project_lead_id,
+                            role=20,
+                        )
 
-                if serializer.instance.project_lead is not None and str(serializer.instance.project_lead) != str(
-                    request.user.id
-                ):
-                    ProjectMember.objects.create(
-                        project_id=serializer.instance.id,
-                        member_id=serializer.instance.project_lead,
-                        role=20,
+                    State.objects.bulk_create(
+                        [
+                            State(
+                                name=state["name"],
+                                color=state["color"],
+                                project=serializer.instance,
+                                sequence=state["sequence"],
+                                workspace=serializer.instance.workspace,
+                                group=state["group"],
+                                default=state.get("default", False),
+                                created_by=request.user,
+                            )
+                            for state in DEFAULT_STATES
+                        ]
                     )
 
-                State.objects.bulk_create(
-                    [
-                        State(
-                            name=state["name"],
-                            color=state["color"],
-                            project=serializer.instance,
-                            sequence=state["sequence"],
-                            workspace=serializer.instance.workspace,
-                            group=state["group"],
-                            default=state.get("default", False),
-                            created_by=request.user,
+                    project = self.get_queryset().filter(pk=serializer.instance.id).first()
+
+                    # Defer the activity-log task until the surrounding
+                    # transaction commits, so it never fires on a rolled-back
+                    # creation.
+                    transaction.on_commit(
+                        lambda: model_activity.delay(
+                            model_name="project",
+                            model_id=str(project.id),
+                            requested_data=request.data,
+                            current_instance=None,
+                            actor_id=request.user.id,
+                            slug=slug,
+                            origin=base_host(request=request, is_app=True),
                         )
-                        for state in DEFAULT_STATES
-                    ]
-                )
-
-                project = self.get_queryset().filter(pk=serializer.instance.id).first()
-
-                # Model activity
-                model_activity.delay(
-                    model_name="project",
-                    model_id=str(project.id),
-                    requested_data=request.data,
-                    current_instance=None,
-                    actor_id=request.user.id,
-                    slug=slug,
-                    origin=base_host(request=request, is_app=True),
-                )
+                    )
 
                 serializer = ProjectSerializer(project)
                 return Response(serializer.data, status=status.HTTP_201_CREATED)
@@ -282,6 +294,14 @@ def post(self, request, slug):
                 {"identifier": "The project identifier is already taken"},
                 status=status.HTTP_409_CONFLICT,
             )
+        except Exception as e:
+            # Surface unexpected failures in the api logs so future regressions
+            # are debuggable. Keep the public response generic.
+            log_exception(e)
+            return Response(
+                {"error": "Please provide valid detail"},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
 
 
 class ProjectDetailAPIEndpoint(BaseAPIView):
