App platform/update permissions token auth (#14046)

* ref(app-platform): Use published_scope map as default

Author: MeredithAnya

src/sentry/api/bases/sentryapps.py

@@ -45,7 +45,16 @@ def wrapped(self, *args, **kwargs):
 
 class SentryAppsPermission(SentryPermission):
     scope_map = {
-        'GET': (),  # Public endpoint.
+        # GET is ideally a public endpoint but for now we are allowing for
+        # anyone who has member permissions or above.
+        'GET': ('event:read',
+                'event:write',
+                'event:admin',
+                'project:releases',
+                'project:read',
+                'org:read',
+                'member:read',
+                'team:read',),
         'POST': ('org:read', 'org:integrations', 'org:write', 'org:admin'),
     }
 
@@ -118,12 +127,25 @@ class SentryAppPermission(SentryPermission):
     }
 
     published_scope_map = {
-        'GET': (),  # Public endpoint.
+        # GET is ideally a public endpoint but for now we are allowing for
+        # anyone who has member permissions or above.
+        'GET': ('event:read',
+                'event:write',
+                'event:admin',
+                'project:releases',
+                'project:read',
+                'org:read',
+                'member:read',
+                'team:read',),
         'PUT': ('org:write', 'org:admin'),
         'POST': ('org:write', 'org:admin'),
         'DELETE': ('org:admin'),
     }
 
+    @property
+    def scope_map(self):
+        return self.published_scope_map
+
     def has_object_permission(self, request, view, sentry_app):
         if not hasattr(request, 'user') or not request.user:
             return False

tests/sentry/api/bases/test_sentryapps.py

@@ -36,6 +36,12 @@ def test_request_user_is_not_app_owner_fails(self):
         with self.assertRaises(Http404):
             self.permission.has_object_permission(self.request, None, self.sentry_app)
 
+    def test_has_permission(self):
+        from sentry.models import ApiToken
+        token = ApiToken.objects.create(user=self.user, scope_list=['event:read', 'org:read'])
+        self.request = self.make_request(user=None, auth=token, method='GET')
+        assert self.permission.has_permission(self.request, None)
+
 
 class SentryAppBaseEndpointTest(TestCase):
     def setUp(self):