Flagsmith · MartinLam12 · Mar 7, 2026 · Mar 8, 2026 · Mar 8, 2026 · Mar 13, 2026
@@ -40,7 +40,8 @@ def has_permission(self, request, view):  # type: ignore[no-untyped-def]
                 project_lookup = Q(id=project_id)
                 project = Project.objects.get(project_lookup)
                 return request.user.has_project_permission(CREATE_ENVIRONMENT, project)
-            except Project.DoesNotExist:
+            # We catch ValueError and TypeError here to resolve previous issues with invalid project IDs
+            except (Project.DoesNotExist, ValueError, TypeError):
                 return False
 
         # return true as all users can list and obj permissions will be handled later

@@ -146,6 +146,39 @@ def test_project_user_without_create_environment_permission_cannot_create_enviro
     assert result is False
 
 
+# created additional tests to cover edge cases around project ID validation in environment creation
-# created additional tests to cover edge cases around project ID validation in environment creation
-# created additional tests to cover edge cases around project ID validation in environment creation
+def test_create_environment__invalid_project_id_string__returns_false(
+    admin_user: FFAdminUser,
+) -> None:
+    # Given
+    mock_view.action = "create"
+    mock_view.detail = False
+    mock_request.user = admin_user
+    mock_request.data = {"project": "not-a-valid-id", "name": "Test environment"}
+
+    # When
+    result = environment_permissions.has_permission(mock_request, mock_view)  # type: ignore[no-untyped-call]
+
+    # Then
+    assert result is False
+
+
+def test_create_environment__none_project_id__returns_false(
+    admin_user: FFAdminUser,
+) -> None:
+    # Given
+    mock_view.action = "create"
+    mock_view.detail = False
+    mock_request.user = admin_user
+    mock_request.data = {"name": "Test environment"}
+
+    # When
+    result = environment_permissions.has_permission(mock_request, mock_view)  # type: ignore[no-untyped-call]
+
+    # Then
+    assert result is False
+
+
 def test_all_users_can_list_environments_for_project(
     staff_user: FFAdminUser,
 ) -> None: