Skip to content

feat: Restrict superuser attributes to permission #29604

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dcramer merged 1 commit into from
Oct 27, 2021
Merged

feat: Restrict superuser attributes to permission #29604

dcramer merged 1 commit into from
Oct 27, 2021

Conversation

@dcramer
Copy link
Member

@dcramer dcramer commented Oct 27, 2021

Add the 'users.admin' permission and restrict superuser-style mutations on users to superusers which have this permission.

@dcramer
feat: Restrict superuser attributes to permission
55e0f32 
Add the 'users.admin' permission and restrict superuser-style mutations on users to superusers which have this permission.
@dcramer dcramer requested review from a team, markstory and wedamija October 27, 2021 17:40
wedamija
wedamija reviewed Oct 27, 2021
View reviewed changes
Copy link
Member

@wedamija wedamija left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if there's a way we can just build this into is_active_superuser so that we don't have to add these has_permission calls everywhere.

src/sentry/conf/server.py
# This is customizable for sentry.io, but generally should only be additive
# (currently the values not used anymore so this is more for documentation purposes)
SENTRY_USER_PERMISSIONS = ("broadcasts.admin",)
SENTRY_USER_PERMISSIONS = ("broadcasts.admin", "users.admin")
Copy link
Member

@wedamija wedamija Oct 27, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering if we should just delete this? Unless you're planning on using it as part of your upcoming changes

Copy link
Member Author

@dcramer dcramer Oct 27, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@wedamija i wanted to keep it as a way of documenting perms. it could have uses, though I dont know that it does yet today

@dcramer
Copy link
Member Author

dcramer commented Oct 27, 2021

@wedamija yeah probably good idea. i can f/u with refactoring and adding that in with another branch. probably need some test helpers to reduce boilerplate too.

markstory
markstory approved these changes Oct 27, 2021
View reviewed changes
Copy link
Member

@markstory markstory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. We don't use the isStaff, isSuperuser flags in the admin UI so they should be safe to hide from most staff users.

@markstory
Copy link
Member

markstory commented Oct 27, 2021

I'm wondering if there's a way we can just build this into is_active_superuser so that we don't have to add these has_permission calls everywhere.

Would be nice if this were part of the permissions checks that endpoints do automatically.

@dcramer
Copy link
Member Author

dcramer commented Oct 27, 2021

Also f/u need more audit trail on these changes

@dcramer dcramer merged commit 7426229 into master Oct 27, 2021
@dcramer dcramer deleted the feat/restrict-superuser-props branch October 27, 2021 19:28
@github-actions github-actions bot locked and limited conversation to collaborators Nov 12, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@wedamija wedamija wedamija left review comments

@markstory markstory markstory approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dcramer @markstory @wedamija