Skip to content

fix(discovery): stricter permission check when saved queries cover all/my projects #78830

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
oioki merged 1 commit into from
Oct 10, 2024
Merged

fix(discovery): stricter permission check when saved queries cover all/my projects #78830

oioki merged 1 commit into from
Oct 10, 2024

Conversation

@oioki
Copy link
Member

@oioki oioki commented Oct 9, 2024

Similar to #78615

When Open Membership is disabled, it is expected to have more granular access to certain objects that are associated with projects. First version of project-level access on saved queries was implemented in #72159

However, saved queries that cover "All Projects" or "My Projects" do not have explicit project ids, therefore we need to do a different check. After this PR, we will allow access to such saved queries only in these cases:

  • if Open Membership is enabled;
  • if actor is a Manager/Owner (having org:write scope);
  • if actor is the original creator of a saved query.

@oioki oioki requested review from a team as code owners October 9, 2024 10:02
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Oct 9, 2024
@codecov
Copy link

codecov bot commented Oct 9, 2024

Codecov Report

Attention: Patch coverage is 55.55556% with 4 lines in your changes missing coverage. Please review.

✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
src/sentry/discover/endpoints/bases.py 55.55% 2 Missing and 2 partials ⚠️
Additional details and impacted files 
@@           Coverage Diff            @@
##           master   #78830    +/-   ##
========================================
  Coverage   78.22%   78.22%            
========================================
  Files        7105     7104     -1     
  Lines      313156   313266   +110     
  Branches    51131    51148    +17     
========================================
+ Hits       244976   245063    +87     
- Misses      61817    61835    +18     
- Partials     6363     6368     +5

gggritso
gggritso approved these changes Oct 9, 2024
View reviewed changes
Copy link
Member

@gggritso gggritso left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒

@oioki oioki merged commit c246476 into master Oct 10, 2024
@oioki oioki deleted the fix/stricter-all-projects-savedquery-permissions branch October 10, 2024 07:17
@github-actions github-actions bot locked and limited conversation to collaborators Oct 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@gggritso gggritso gggritso approved these changes

Assignees

No one assigned

Labels

Scope: Backend Automatically applied to PRs that change backend components

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@oioki @gggritso