fix(integrations): do not show integrations if no org:read scope (#82083

)
getsentry · Dec 16, 2024 · 2794329 · 2794329
1 parent d37b36e
commit 2794329
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 1 deletion.
diff --git a/src/sentry/api/endpoints/user_organizationintegrations.py b/src/sentry/api/endpoints/user_organizationintegrations.py
@@ -8,6 +8,7 @@
 from sentry.api.serializers import serialize
 from sentry.constants import ObjectStatus
 from sentry.integrations.models.organization_integration import OrganizationIntegration
+from sentry.organizations.services.organization import organization_service
 from sentry.users.api.bases.user import UserEndpoint
 from sentry.users.services.user.service import user_service
 
@@ -33,8 +34,15 @@ def get(self, request: Request, user) -> Response:
             if request.user.id is not None
             else ()
         )
+        organization_ids = []
+        for o in organizations:
+            org_context = organization_service.get_organization_by_id(
+                id=o.id, user_id=request.user.id
+            )
+            if org_context and org_context.member and "org:read" in org_context.member.scopes:
+                organization_ids.append(o.id)
         queryset = OrganizationIntegration.objects.filter(
-            organization_id__in=[o.id for o in organizations],
+            organization_id__in=organization_ids,
             status=ObjectStatus.ACTIVE,
             integration__status=ObjectStatus.ACTIVE,
         )

diff --git a/tests/sentry/integrations/api/endpoints/test_user_organizationintegration.py b/tests/sentry/integrations/api/endpoints/test_user_organizationintegration.py
@@ -1,7 +1,41 @@
+from unittest.mock import patch
+
+import orjson
+
 from sentry.testutils.cases import APITestCase
 from sentry.testutils.silo import control_silo_test
 
 
+class MockOrganizationRoles:
+    TEST_ORG_ROLES = [
+        {
+            "id": "alice",
+            "name": "Alice",
+            "desc": "In Wonderland",
+            "scopes": ["rabbit:follow"],
+        },
+        {
+            "id": "owner",
+            "name": "Owner",
+            "desc": "Minimal version of Owner",
+            "scopes": ["org:admin"],
+        },
+    ]
+
+    TEST_TEAM_ROLES = [
+        {"id": "alice", "name": "Alice", "desc": "In Wonderland"},
+    ]
+
+    def __init__(self):
+        from sentry.roles.manager import RoleManager
+
+        self.default_manager = RoleManager(self.TEST_ORG_ROLES, self.TEST_TEAM_ROLES)
+        self.organization_roles = self.default_manager.organization_roles
+
+    def get(self, x):
+        return self.organization_roles.get(x)
+
+
 @control_silo_test
 class UserOrganizationIntegationTest(APITestCase):
     endpoint = "sentry-api-0-user-organization-integrations"
@@ -20,3 +54,21 @@ def test_simple(self):
 
         response = self.get_success_response(self.user.id)
         assert response.data[0]["organizationId"] == self.organization.id
+
+    def test_billing_users_dont_see_integrations(self):
+        integration = self.create_provider_integration(provider="github")
+
+        self.create_organization_integration(
+            organization_id=self.organization.id, integration_id=integration.id
+        )
+
+        mock_org_roles = MockOrganizationRoles()
+        with patch("sentry.roles.organization_roles.get", mock_org_roles.get):
+            alice = self.create_user()
+            self.create_member(user=alice, organization=self.organization, role="alice")
+            self.login_as(alice)
+
+            response = self.get_success_response(alice.id)
+            assert response.status_code == 200
+            content = orjson.loads(response.content)
+            assert content == []