From c06cd2d3e9bf1e4f74f0e135bf9704d6ce9cf6cf Mon Sep 17 00:00:00 2001
From: Meredith
Date: Tue, 16 Jul 2019 16:04:56 -0700
Subject: [PATCH 1/3] ref(app-platform): Use published_scope map as default
---
 src/sentry/api/bases/sentryapps.py | 14 +++++++++++++-
 tests/sentry/api/bases/test_sentryapps.py | 6 ++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/sentry/api/bases/sentryapps.py b/src/sentry/api/bases/sentryapps.py
index ef443b4f5465c7..6ab326a9613c53 100644
--- a/src/sentry/api/bases/sentryapps.py
+++ b/src/sentry/api/bases/sentryapps.py
@@ -118,12 +118,24 @@ class SentryAppPermission(SentryPermission):
 }
 published_scope_map = {
- 'GET': (), # Public endpoint.
+ # Public endpoint.
+ 'GET': ('event:read',
+ 'event:write',
+ 'event:admin',
+ 'project:releases',
+ 'project:read',
+ 'org:read',
+ 'member:read',
+ 'team:read',),
 'PUT': ('org:write', 'org:admin'),
 'POST': ('org:write', 'org:admin'),
 'DELETE': ('org:admin'),
 }
+ @property
+ def scope_map(self):
+ return self.published_scope_map
+
 def has_object_permission(self, request, view, sentry_app):
 if not hasattr(request, 'user') or not request.user:
 return False
diff --git a/tests/sentry/api/bases/test_sentryapps.py b/tests/sentry/api/bases/test_sentryapps.py
index 29466d5c43e14c..75d50a6a438982 100644
--- a/tests/sentry/api/bases/test_sentryapps.py
+++ b/tests/sentry/api/bases/test_sentryapps.py
@@ -36,6 +36,12 @@ def test_request_user_is_not_app_owner_fails(self):
 with self.assertRaises(Http404):
 self.permission.has_object_permission(self.request, None, self.sentry_app)
+ def test_has_permission(self):
+ from sentry.models import ApiToken
+ token = ApiToken.objects.create(user=self.user, scope_list=['event:read', 'org:read'])
+ self.request = self.make_request(user=None, auth=token, method='GET')
+ assert self.permission.has_permission(self.request, None)
+
 class SentryAppBaseEndpointTest(TestCase):
 def setUp(self):
From a5608372e1fa872e55c0d5a691cfd990311c9cf7 Mon Sep 17 00:00:00 2001
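Review bot: In the `SentryAppPermission` hunk of PATCH 1/3, the new `scope_map` property makes `published_scope_map` the default map, and that map's unchanged entry `'DELETE': ('org:admin'),` is a plain string rather than a tuple, because the comma sits outside the parentheses. If the base permission class iterates or set-converts the value (not visible in this hunk), DELETE would be compared character by character and no real scope could satisfy it; write `'DELETE': ('org:admin',),`. The property would also benefit from a short docstring saying why the published map is the default and that per-app map selection happens elsewhere, if that is the intent. The class body starts and continues outside the hunk.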
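Review bot: `test_has_permission` in the test hunk of PATCH 1/3 only exercises the allow path, so it would still pass if the GET entry were reverted to the empty tuple or widened by mistake. Since this change turns a public GET into a scope-gated one, add the deny path as well: build a token whose scopes are all absent from the GET list, for example `scope_list=['org:integrations']`, and assert that `self.permission.has_permission(self.request, None)` is refused (a falsy return or an exception, whichever the base class uses). A request with neither user nor token is worth a second case. The local `from sentry.models import ApiToken` would read better at module level, next to the file's other imports, which are outside this hunk.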
From: Meredith
Date: Tue, 16 Jul 2019 16:06:47 -0700
Subject: [PATCH 2/3] for sentryAppsPermission too
---
 src/sentry/api/bases/sentryapps.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/sentry/api/bases/sentryapps.py b/src/sentry/api/bases/sentryapps.py
index 6ab326a9613c53..8bfcb791def54c 100644
--- a/src/sentry/api/bases/sentryapps.py
+++ b/src/sentry/api/bases/sentryapps.py
@@ -45,7 +45,15 @@ def wrapped(self, *args, **kwargs):
 class SentryAppsPermission(SentryPermission):
 scope_map = {
- 'GET': (), # Public endpoint.
+ # Public endpoint.
+ 'GET': ('event:read',
+ 'event:write',
+ 'event:admin',
+ 'project:releases',
+ 'project:read',
+ 'org:read',
+ 'member:read',
+ 'team:read',),
 'POST': ('org:read', 'org:integrations', 'org:write', 'org:admin'),
 }
From ae726d18914dc14337e18c5aff00434d64a76ef7 Mon Sep 17 00:00:00 2001
From: Meredith
Date: Thu, 18 Jul 2019 11:13:52 -0700
Subject: [PATCH 3/3] add comment
---
 src/sentry/api/bases/sentryapps.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/sentry/api/bases/sentryapps.py b/src/sentry/api/bases/sentryapps.py
index 8bfcb791def54c..c18f6015b22e1e 100644
--- a/src/sentry/api/bases/sentryapps.py
+++ b/src/sentry/api/bases/sentryapps.py
@@ -45,7 +45,8 @@ def wrapped(self, *args, **kwargs):
 class SentryAppsPermission(SentryPermission):
 scope_map = {
- # Public endpoint.
+ # GET is ideally a public endpoint but for now we are allowing for
+ # anyone who has member permissions or above.
 'GET': ('event:read',
 'event:write',
 'event:admin',
@@ -126,7 +127,8 @@ class SentryAppPermission(SentryPermission):
 }
 published_scope_map = {
- # Public endpoint.
+ # GET is ideally a public endpoint but for now we are allowing for
+ # anyone who has member permissions or above.
 'GET': ('event:read',
 'event:write',
 'event:admin',
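Review bot: The eight-scope GET tuple added to `SentryAppsPermission.scope_map` in PATCH 2/3 is a verbatim copy of the one PATCH 1/3 put in `SentryAppPermission.published_scope_map`, so the two authorization lists can drift apart on the next edit. Define the tuple once at module level and reference it from both maps, for example `'GET': MEMBER_READ_SCOPES,` (name is a suggestion). Separately, the POST entry in this hunk accepts `org:integrations`, `org:write` and `org:admin`, none of which appear in the GET list; unless scopes are expanded hierarchically somewhere outside this hunk, a token holding only one of those could POST here but would be refused on GET. It is worth confirming that this is intended or adding the missing scopes.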