ref(feedback): return 400 for failed validation in userreport endpoint (#90032)

aliu39 · web-flow · commit 4490518cde0e · 2025-05-08T14:55:28.000-04:00
Follow up to #89999
diff --git a/src/sentry/ingest/userreport.py b/src/sentry/ingest/userreport.py
@@ -5,12 +5,13 @@
 import uuid
 from datetime import datetime, timedelta
 
-from django.core.exceptions import ValidationError
+from django.core.exceptions import PermissionDenied, ValidationError
 from django.core.validators import validate_email
 from django.db import IntegrityError, router
 from django.utils import timezone
 
 from sentry import eventstore, options
+from sentry.api.exceptions import BadRequest
 from sentry.constants import DataCategory
 from sentry.eventstore.models import Event, GroupEvent
 from sentry.feedback.lib.types import UserReportDict
@@ -61,9 +62,14 @@ def save_userreport(
                 category=DataCategory.USER_REPORT_V2,
                 quantity=1,
             )
+            if (
+                source == FeedbackCreationSource.USER_REPORT_DJANGO_ENDPOINT
+                or source == FeedbackCreationSource.CRASH_REPORT_EMBED_FORM
+            ):
+                raise PermissionDenied()
             return None
 
-        should_filter, metrics_reason, outcomes_reason = validate_user_report(
+        should_filter, metrics_reason, display_reason = validate_user_report(
             report, project.id, source=source
         )
         if should_filter:
@@ -76,12 +82,17 @@ def save_userreport(
                 project_id=project.id,
                 key_id=None,
                 outcome=Outcome.INVALID,
-                reason=outcomes_reason,
+                reason=display_reason,
                 timestamp=start_time,
                 event_id=None,  # Note report["event_id"] is id of the associated event, not the report itself.
                 category=DataCategory.USER_REPORT_V2,
                 quantity=1,
             )
+            if (
+                source == FeedbackCreationSource.USER_REPORT_DJANGO_ENDPOINT
+                or source == FeedbackCreationSource.CRASH_REPORT_EMBED_FORM
+            ):
+                raise BadRequest(display_reason)
             return None
 
         # XXX(dcramer): enforce case insensitivity by coercing this to a lowercase string
@@ -207,7 +218,7 @@ def validate_user_report(
 
     Reformatting: strips whitespace from comments and dashes from event_id.
 
-    Returns a tuple of (should_filter, metrics_reason, outcomes_reason). XXX: ensure metrics and outcome reasons have bounded cardinality.
+    Returns a tuple of (should_filter, metrics_reason, display_reason). XXX: ensure metrics and outcome reasons have bounded cardinality.
 
     At the moment we do not raise validation errors.
     """
diff --git a/tests/sentry/api/endpoints/test_project_user_reports.py b/tests/sentry/api/endpoints/test_project_user_reports.py
@@ -498,3 +498,41 @@ def test_simple_shim_to_feedback_no_event_should_not_call(
         assert report.comments == "It broke!"
 
         assert len(mock_produce_occurrence_to_kafka.mock_calls) == 0
+
+    @patch("sentry.ingest.userreport.validate_user_report")
+    def test_validation_error(self, mock_validate_user_report):
+        mock_validate_user_report.return_value = (True, "data_invalid", "Data invalid")
+        self.login_as(user=self.user)
+        url = _make_url(self.project)
+
+        response = self.client.post(
+            url,
+            data={
+                "event_id": self.event.event_id,
+                "email": "foo@example.com",
+                "name": "Foo Bar",
+                "comments": "It broke!",
+            },
+        )
+
+        assert response.status_code == 400, response.content
+        assert UserReport.objects.count() == 0
+
+    @patch("sentry.ingest.userreport.is_in_feedback_denylist")
+    def test_denylist(self, mock_is_in_feedback_denylist):
+        mock_is_in_feedback_denylist.return_value = True
+        self.login_as(user=self.user)
+        url = _make_url(self.project)
+
+        response = self.client.post(
+            url,
+            data={
+                "event_id": self.event.event_id,
+                "email": "foo@example.com",
+                "name": "Foo Bar",
+                "comments": "It broke!",
+            },
+        )
+
+        assert response.status_code == 403, response.content
+        assert UserReport.objects.count() == 0
