fix(deploys): Fix permissions for deploy endpoint projects #78026
Conversation
github-actions
bot
added
the
Scope: Backend
|
Will this break a corresponding endpoint calls for tokens that have |
|
@oioki, a token that only has I think it would be possible to make this change in a way which would be backwards compatible. Should I do that? |
Currently, in order to link specific projects to a deploy, e.g. via the `sentry-cli deploys new` command, users must provide a token with the `project:read` scope. This is inconsistent with the `sentry-cli releases new` command, which allows users to create a new release associated with only some projects by using the `org:read` and `project:release` scopes. This PR proposes allowing specifying projects for a deploy using a token with `project:releases` scope. Fixes #78025
Changing the scope to `project:releases` breaks this endpoint for tokens that could previously specify specific projects for the deploy via this endpoint via `project:read` (in practice, `project:write` was also required, since the endpoint cannot be accessed only with `project:read`).
szokeasaurusrex
force-pushed
the
szokeasaurusrex/deploys-project-permissions
branch
from
e32fdd3 to
3becb44
Compare
|
@oioki, I changed the code so it should now remain backwards-compatible with tokens that have |
Codecov ReportAttention: Patch coverage is ✅ All tests successful. No failed tests found.
Additional details and impacted files@@ Coverage Diff @@
## master #78026 +/- ##
==========================================
- Coverage 78.40% 78.29% -0.12%
==========================================
Files 7154 7077 -77
Lines 316431 314216 -2215
Branches 43612 43300 -312
==========================================
- Hits 248112 246002 -2110
+ Misses 61982 56530 -5452
- Partials 6337 11684 +5347 |
|
@getsentry/security Can I get a review here? |
|
Mind creating a test that covers this case? |
I am not really sure how to test this @oioki. I have already spent more than an hour trying to figure it out without making much progress, so it is probably more productive if someone more familiar with this code adds the test @iamrajjoshi or @snigdhas, would either of you know how to test this change? Looks like you all edited the code most recently. If you need time to investigate, we can merge this change and open an issue to add tests. |
|
@szokeasaurusrex this test looks like it might mimic similar behavior of setting a specific scope and using the API token to test behavior |
|
This pull request has gone three weeks without activity. In another week, I will close it. But! If you comment or otherwise update it, I will reset the clock, and if you add the label "A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀 |
|
This pull request has gone three weeks without activity. In another week, I will close it. But! If you comment or otherwise update it, I will reset the clock, and if you add the label "A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀 |
|
This pull request has gone three weeks without activity. In another week, I will close it. But! If you comment or otherwise update it, I will reset the clock, and if you add the label "A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀 |
Currently, in order to link specific projects to a deploy, e.g. via the
sentry-cli deploys newcommand, users must provide a token with theproject:readscope. This is inconsistent with thesentry-cli releases newcommand, which allows users to create a new release associated with only some projects by using theorg:readandproject:releasescopes.This PR proposes allowing specifying projects for a deploy using a token with
project:releasesscope.Fixes #78025