fix(superuser): Being superuser:read even if you're org owner results in fewer permissions #87689

Merged (3 commits), Mar 24, 2025

Conversation

leedongwei

If you're in superuser mode with only superuser.read permissions, and you're browsing a Sentry organization where you're the owner, you'll find that you have fewer permissions than expected.

Before

Screenshot 2025-03-23 at 4 50 25 PM

After

Screenshot 2025-03-23 at 4 49 41 PM
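As an added illustration, not Sentry's own code, the two scope-merging behaviours the description contrasts: a hypothetical `scopes_before_fix` that substitutes the readonly superuser set for the member's own scopes (an org owner loses admin scopes), and `scopes_after_fix` that unions them (the owner keeps everything). Scope names and the `SUPERUSER_READONLY_SCOPES` contents are constructed placeholders, not Sentry's real constants.

```python
# Constructed placeholder scope sets; Sentry's real constants differ.
SUPERUSER_READONLY_SCOPES = frozenset({"org:read", "project:read", "team:read", "event:read"})
OWNER_SCOPES = SUPERUSER_READONLY_SCOPES | frozenset(
    {"org:admin", "org:write", "project:admin", "project:write", "team:admin", "member:admin"}
)
MEMBER_SCOPES = SUPERUSER_READONLY_SCOPES | frozenset({"project:write", "event:write"})


def scopes_before_fix(member_scopes, superuser_readonly):
    # Buggy behaviour described in the PR: when the superuser only has
    # superuser.read, the readonly set *replaces* the scopes the user already
    # holds through their org membership, so an owner ends up without org:admin.
    if superuser_readonly:
        return frozenset(SUPERUSER_READONLY_SCOPES)
    return frozenset(member_scopes)


def scopes_after_fix(member_scopes, superuser_readonly):
    # Fixed behaviour (mirrors the PR's updated assertion): the user keeps
    # their own membership scopes and gains the readonly set on top, so
    # superuser.read can only add access, never remove it.
    if superuser_readonly:
        return frozenset(member_scopes) | SUPERUSER_READONLY_SCOPES
    return frozenset(member_scopes)


def lost_scopes(member_scopes, superuser_readonly):
    # Scopes the old logic silently dropped relative to the fixed logic;
    # non-empty only when the member held more than the readonly set.
    return scopes_after_fix(member_scopes, superuser_readonly) - scopes_before_fix(
        member_scopes, superuser_readonly
    )


if __name__ == "__main__":
    # An owner in superuser.read mode: shows exactly which admin scopes vanished.
    print(sorted(lost_scopes(OWNER_SCOPES, True)))
    # A user with no membership at all still gets the readonly set either way.
    print(sorted(scopes_after_fix(frozenset(), True)))
```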

@leedongwei leedongwei requested review from a team as code owners March 23, 2025 23:53
github-actions bot added the "Scope: Backend" label Mar 23, 2025

codecov bot commented Mar 24, 2025

Codecov Report

Attention: Patch coverage is 83.33333% with 1 line in your changes missing coverage. Please review.

✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
src/sentry/auth/access.py 75.00% 1 Missing ⚠️
@@             Coverage Diff             @@
##           master   #87689       +/-   ##
===========================================
+ Coverage   51.76%   67.99%   +16.22%     
===========================================
  Files        9882     9885        +3     
  Lines      561062   561429      +367     
  Branches    22134    22134               
===========================================
+ Hits       290421   381725    +91304     
+ Misses     270240   179303    -90937     
  Partials      401      401               


armenzg commented Mar 24, 2025

Is this a recent regression?
I noticed this issue in the last week: #87706

result = self.from_request(request, self.org)
assert result.scopes == SUPERUSER_READONLY_SCOPES
assert result.scopes == set(member.get_scopes()).union(SUPERUSER_READONLY_SCOPES)

# readonly scopes does not override owner scopes if passed in
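Review bot: the two assertions on `result.scopes` cannot both hold for an owner: the first requires the scopes to equal `SUPERUSER_READONLY_SCOPES` exactly, the second requires them to equal the member's scopes unioned with that set, which is strictly larger whenever the member holds anything beyond the readonly set. The rendering here has dropped the diff markers, so if the first assert is the removed line it should go, and the trailing comment `# readonly scopes does not override owner scopes if passed in` should be reworded to state what the surviving assertion checks: that the readonly set is added to the member's scopes rather than substituted for them.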

nit: update comment?

iamrajjoshi commented Mar 24, 2025

ok

@iamrajjoshi iamrajjoshi merged commit edee237 into master Mar 24, 2025
48 checks passed
@iamrajjoshi iamrajjoshi deleted the dlee/fix-evan-superuser-problem branch March 24, 2025 20:41
andrewshie-sentry pushed a commit that referenced this pull request Mar 27, 2025
… in fewer permissions (#87689)

If you're in superuser mode with only `superuser.read` permissions, and
you're browsing a Sentry organization where you're the owner, you'll
find that you have fewer permissions than expected.

### Before
![Screenshot 2025-03-23 at 4 50 25 PM](https://github.com/user-attachments/assets/a4046a4e-aaa9-43ee-98d4-b16acb55abc5)

### After
![Screenshot 2025-03-23 at 4 49 41 PM](https://github.com/user-attachments/assets/c859b0db-623f-405c-91d8-85969ea5ff1c)

---------

Co-authored-by: Raj Joshi <[email protected]>
@github-actions github-actions bot locked and limited conversation to collaborators Apr 9, 2025