
@roaga roaga commented Oct 8, 2025

Only allows orgs with organization.flags.allow_joinleave set to true to use Seer Explorer. This is because Explorer requires aggregating context across all projects, which violates permissions if some members aren't allowed to access some projects.

@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Oct 8, 2025
@roaga roaga marked this pull request as ready for review October 8, 2025 18:24
@roaga roaga requested a review from a team as a code owner October 8, 2025 18:24
@roaga roaga merged commit 65e1a8b into master Oct 8, 2025
65 checks passed
@roaga roaga deleted the explorer/restrict-to-open-membership branch October 8, 2025 18:26
Comment on lines +155 to +161
if not organization.flags.allow_joinleave:
return Response(
{
"detail": "Organization does not have open team membership enabled. Seer requires this to aggregate context across all projects and allow members to ask questions freely."
},
status=403,
)
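Review bot: The check fails closed with a 403 that names the organization setting, which matches the concern in the description, but these lines do not show where in the handler they run; make sure the gate precedes any call that hands organization-wide context to Seer, and add a test that toggles organization.flags.allow_joinleave and asserts 403 versus success so the boundary the description relies on stays covered.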
Potential bug: Insufficient access control logic denies access to users with global roles.
  • Description: The access control logic incorrectly denies access to users with high-level permissions (e.g., org:admin, org:write). The code checks only the organization.flags.allow_joinleave flag, but it should use the request.access.has_global_access property, which correctly grants access to users with global roles regardless of the allow_joinleave setting. This results in a functional bug where legitimate users are blocked from the feature.

  • Suggested fix: Replace the check if not organization.flags.allow_joinleave: with if not request.access.has_global_access: to correctly account for users who have global project access through their organizational role.
    severity: 3.0, confidence: 5.0

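Worked comparison of the merged organization-level gate and the per-caller gate suggested in the comment above, as an added example that is not Sentry's code; it assumes a simplified model in which request.access.has_global_access is true when the organization has allow_joinleave set or the caller's role is global, with illustrative role names:

```python
from dataclasses import dataclass

# Constructed, simplified model of what the two checks consult. Assumption for
# this example: a member has global project access when the organization has
# open membership (allow_joinleave) or the member's organization role is itself
# global; the role names below are illustrative, not Sentry's role table.
GLOBAL_ROLES = {"owner", "manager"}

@dataclass(frozen=True)
class Organization:
    allow_joinleave: bool

@dataclass(frozen=True)
class Member:
    role: str

    def has_global_access(self, org: Organization) -> bool:
        # Models request.access.has_global_access under the assumption above.
        return org.allow_joinleave or self.role in GLOBAL_ROLES

def org_level_gate(org: Organization, member: Member) -> bool:
    """The merged check: Explorer is usable only when the whole org has open membership."""
    return bool(org.allow_joinleave)

def user_level_gate(org: Organization, member: Member) -> bool:
    """The suggested alternative: the caller can already see every project."""
    return member.has_global_access(org)

def compare_gates(org: Organization, member: Member) -> dict[str, bool]:
    """Evaluate both gates for one caller so the cases where they differ are explicit."""
    return {
        "org_gate": org_level_gate(org, member),
        "user_gate": user_level_gate(org, member),
    }

def differing_cases() -> list[tuple[bool, str]]:
    """Return (allow_joinleave, role) pairs where the two gates disagree under this model."""
    out = []
    for flag in (False, True):
        for role in ("member", "admin", "manager", "owner"):
            r = compare_gates(Organization(flag), Member(role))
            if r["org_gate"] != r["user_gate"]:
                out.append((flag, role))
    return out

if __name__ == "__main__":
    # Under this model the per-caller gate only ever widens access, never narrows it.
    print(differing_cases())  # -> [(False, 'manager'), (False, 'owner')]
```

Under that assumption the per-caller gate is the organization-level gate widened by role, so it never denies a caller the merged check would allow; which one is appropriate depends on whether the context Seer aggregates is scoped to the caller or shared across the organization.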