
feat(preprod): Add org-scoped build-details endpoint and auto-resolve project #109111

Open
NicoHinderling wants to merge 1 commit into master from
02-23-feat_preprod_add_org-based_build-details_endpoint

Conversation

@NicoHinderling NicoHinderling commented Feb 23, 2026

Add a new organization-scoped build-details API endpoint at
/organizations/{org}/preprodartifacts/{artifactId}/build-details/
that returns build details including project_id and project_slug
without requiring the project slug in the URL path.

This enables preprod URLs like /preprod/size/12345/ to work without
requiring ?project= upfront, improving UX for shared links. When a
user opens a link without the project query param, the frontend fetches
build details from the org-scoped endpoint, extracts the project ID
from the response, and automatically adds it to the URL via a
useResolveProjectFromArtifact hook.

  • New OrganizationPreprodBuildDetailsEndpoint with IDOR protection
    (scopes artifact lookup by project__organization_id)
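To make the access-scoping question concrete, the following is an added example and not Sentry's code: the in-memory models, artifact ids, project ids and slugs are all constructed. It contrasts a lookup that only checks the artifact's organization, as the PR's filter does, with a variant that additionally restricts results to the projects the requester may access and answers 404 in every failure case.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Project:
    id: int
    slug: str
    organization_id: int


@dataclass(frozen=True)
class PreprodArtifact:
    id: int
    project: Project


# Constructed sample data (not from the PR): two projects in org 1, one in org 2.
PROJECTS = {
    10: Project(10, "ios-app", 1),
    11: Project(11, "android-app", 1),
    20: Project(20, "other-org-app", 2),
}
ARTIFACTS = {
    12345: PreprodArtifact(12345, PROJECTS[11]),
    777: PreprodArtifact(777, PROJECTS[10]),
    999: PreprodArtifact(999, PROJECTS[20]),
}


def build_details(artifact: PreprodArtifact) -> dict:
    """Response body shape the PR describes: project_id and project_slug are included."""
    return {"id": artifact.id, "project_id": artifact.project.id, "project_slug": artifact.project.slug}


def org_scoped_lookup(artifact_id: str, organization_id: int) -> Optional[dict]:
    """Mirrors the PR's filter: the artifact must belong to the organization, nothing more,
    so any member of the org can resolve any artifact in it."""
    try:
        aid = int(artifact_id)
    except ValueError:
        return None  # non-numeric path segment: treat as not found (404), not a 500
    artifact = ARTIFACTS.get(aid)
    if artifact is None or artifact.project.organization_id != organization_id:
        return None
    return build_details(artifact)


def access_scoped_lookup(artifact_id: str, organization_id: int, accessible_project_ids: set[int]) -> Optional[dict]:
    """Hardened variant: the artifact's project must also be one the requester may access.
    Every failure returns None (404), so a caller cannot distinguish "no such artifact"
    from "artifact in a project you cannot see"."""
    details = org_scoped_lookup(artifact_id, organization_id)
    if details is None or details["project_id"] not in accessible_project_ids:
        return None
    return details
```

A member of org 1 with access only to project 10 still receives details for artifact 12345 (project 11) from the org-scoped lookup, but not from the access-scoped one.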

@github-actions github-actions bot added the Scope: Backend label (automatically applied to PRs that change backend components) Feb 23, 2026
@NicoHinderling NicoHinderling changed the title feat(preprod): Add org-based build-details endpoint feat(preprod): Add org-scoped build-details endpoint and auto-resolve project Feb 23, 2026
@NicoHinderling NicoHinderling marked this pull request as ready for review February 23, 2026 19:27
@NicoHinderling NicoHinderling requested a review from a team as a code owner February 23, 2026 19:27
@github-actions github-actions bot added the Scope: Frontend label (automatically applied to PRs that change frontend components) Feb 23, 2026
@github-actions
🚨 Warning: This pull request contains Frontend and Backend changes!

It's discouraged to make changes to Sentry's Frontend and Backend in a single pull request. The Frontend and Backend are not atomically deployed. If the changes are interdependent of each other, they must be separated into two pull requests and be made forward or backwards compatible, such that the Backend or Frontend can be safely deployed independently.

Have questions? Please ask in the #discuss-dev-infra channel.

@NicoHinderling NicoHinderling force-pushed the 02-23-feat_preprod_add_org-based_build-details_endpoint branch from 15af452 to c97117e Compare February 23, 2026 21:23
@NicoHinderling NicoHinderling force-pushed the 02-23-feat_preprod_add_org-based_build-details_endpoint branch from c97117e to 6a65e58 Compare February 23, 2026 21:32
@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

).get(
id=int(artifact_id),
project__organization_id=organization.id,
)
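Review bot: the `project__organization_id=organization.id` filter only proves the artifact belongs to the organization; it does not restrict the result to projects the requesting member is authorized to see, so an org member can resolve artifacts of projects they have no access to. Consider filtering by the set of projects the request is authorized for rather than by organization alone, and return 404 for both "not found" and "not accessible" so the two cases are indistinguishable to the caller. Also, `int(artifact_id)` raises ValueError on a non-numeric path segment and `.get(...)` raises DoesNotExist when nothing matches; unless the surrounding code (not visible here) already handles those, map both to a 404 rather than an unhandled exception.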
Org build details bypasses project access

High Severity

OrganizationPreprodBuildDetailsEndpoint fetches PreprodArtifact by project__organization_id only and never scopes to projects the requester can access. An org member without access to a given project could retrieve build details for that project if they know/guess the artifact_id, leaking project_id, project_slug, and build metadata.

I think that's not a real concern
