Skip to content

fix(dashboards): stricter permission check when dashboards cover all/my projects #78615

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
oioki merged 2 commits into from
Oct 7, 2024
Merged

fix(dashboards): stricter permission check when dashboards cover all/my projects #78615

oioki merged 2 commits into from
Oct 7, 2024

Conversation

@oioki
Copy link
Member

@oioki oioki commented Oct 4, 2024

When Open Membership is disabled, it is expected to have more granular access to certain objects that are associated with projects. First version of project-level access on dashboards was implemented in #70228

However, dashboards that cover "All Projects" or "My Projects" do not have explicit project ids, therefore we need to do a different check. After this PR, we will allow access to such dashboards only in these cases:

  • if Open Membership is enabled;
  • if actor is a Manager/Owner (having org:write scope);
  • if actor is the original creator of a dashboard.

@oioki oioki requested a review from a team October 4, 2024 15:17
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Oct 4, 2024
@codecov
Copy link

codecov bot commented Oct 4, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 77.77778% with 2 lines in your changes missing coverage. Please review.

✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
...rc/sentry/api/endpoints/organization_dashboards.py 77.77% 1 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #78615      +/-   ##
==========================================
- Coverage   78.14%   78.14%   -0.01%     
==========================================
  Files        7099     7100       +1     
  Lines      312836   312695     -141     
  Branches    51085    51072      -13     
==========================================
- Hits       244481   244364     -117     
+ Misses      61975    61963      -12     
+ Partials     6380     6368      -12

gggritso
gggritso approved these changes Oct 4, 2024
View reviewed changes
Copy link
Member

@gggritso gggritso left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍🏻

@oioki @gggritso
Update src/sentry/api/endpoints/organization_dashboards.py
827b72a 
Co-authored-by: George Gritsouk <989898+gggritso@users.noreply.github.com>
@oioki oioki enabled auto-merge (squash) October 7, 2024 08:07
@oioki oioki merged commit e282378 into master Oct 7, 2024
@oioki oioki deleted the fix/stricter-all-projects-dashboard-permissions branch October 7, 2024 08:42
@oioki oioki mentioned this pull request Oct 9, 2024
Merged
oioki added a commit that referenced this pull request Oct 10, 2024
@oioki
fix(discovery): stricter permission check when saved queries cover al…
c246476 
…l/my projects (#78830)

Similar to #78615

When Open Membership is disabled, it is expected to have more granular
access to certain objects that are associated with projects. First
version of project-level access on saved queries was implemented in
#72159

However, saved queries that cover "All Projects" or "My Projects" do not
have explicit project ids, therefore we need to do a different check.
After this PR, we will allow access to such saved queries only in these
cases:
* if Open Membership is enabled;
* if actor is a Manager/Owner (having `org:write` scope);
* if actor is the original creator of a saved query.
@github-actions github-actions bot locked and limited conversation to collaborators Oct 22, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@gggritso gggritso gggritso approved these changes

Assignees

No one assigned

Labels

Scope: Backend Automatically applied to PRs that change backend components

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@oioki @gggritso