
Commit a501234

oiokiandrewshie-sentry
authored andcommitted
fix(flags): separate permission class (#82463)
1 parent 6edad51 commit a501234


2 files changed

+14
-3
lines changed


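--- a/src/sentry/api/bases/organization.py
+++ b/src/sentry/api/bases/organization.py
@@ -230,6 +230,14 @@ class OrganizationMetricsPermission(OrganizationPermission):
 }
 
 
+class OrganizationFlagWebHookSigningSecretPermission(OrganizationPermission):
+scope_map = {
+"GET": ["org:read", "org:write", "org:admin"],
+"POST": ["org:read", "org:write", "org:admin"],
+"DELETE": ["org:write", "org:admin"],
+}
+
+
 class ControlSiloOrganizationEndpoint(Endpoint):
 """
 A base class for endpoints that use an organization scoping but lives in the control silo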
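Review bot: The `POST` entry of `scope_map` accepts `org:read`, so a credential holding only read scope on the organization can create a webhook signing secret, while `DELETE` is limited to `org:write` and `org:admin`. Judging by the class name, these secrets authenticate inbound flag webhooks, which makes creating one a write to a trust anchor; if read-scoped creation is not a product requirement, narrow the entry to `"POST": ["org:write", "org:admin"],`. If it is intended, a comment on the class such as `# POST is open to org:read on purpose: <reason>` would keep a later reviewer from treating it as an oversight. Methods absent from the map (PUT, for example) depend on how OrganizationPermission treats a missing key, which is not visible in this hunk.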

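--- a/src/sentry/flags/endpoints/secrets.py
+++ b/src/sentry/flags/endpoints/secrets.py
@@ -11,7 +11,10 @@
 from sentry.api.api_owners import ApiOwner
 from sentry.api.api_publish_status import ApiPublishStatus
 from sentry.api.base import region_silo_endpoint
-from sentry.api.bases.organization import OrganizationEndpoint, OrgAuthTokenPermission
+from sentry.api.bases.organization import (
+OrganizationEndpoint,
+OrganizationFlagWebHookSigningSecretPermission,
+)
 from sentry.api.paginator import OffsetPaginator
 from sentry.api.serializers import Serializer, register, serialize
 from sentry.flags.models import FlagWebHookSigningSecretModel
@@ -46,7 +49,7 @@ class FlagWebhookSigningSecretValidator(serializers.Serializer):
 @region_silo_endpoint
 class OrganizationFlagsWebHookSigningSecretsEndpoint(OrganizationEndpoint):
 owner = ApiOwner.REPLAY
-permission_classes = (OrgAuthTokenPermission,)
+permission_classes = (OrganizationFlagWebHookSigningSecretPermission,)
 publish_status = {
 "GET": ApiPublishStatus.PRIVATE,
 "POST": ApiPublishStatus.PRIVATE,
@@ -95,7 +98,7 @@ def post(self, request: Request, organization: Organization) -> Response:
 @region_silo_endpoint
 class OrganizationFlagsWebHookSigningSecretEndpoint(OrganizationEndpoint):
 owner = ApiOwner.REPLAY
-permission_classes = (OrgAuthTokenPermission,)
+permission_classes = (OrganizationFlagWebHookSigningSecretPermission,)
 publish_status = {"DELETE": ApiPublishStatus.PRIVATE}
 
 def delete(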
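Review bot: No test pins the new authorization behaviour: the diffstat lists two changed files, both under `src/`, yet `permission_classes` on OrganizationFlagsWebHookSigningSecretsEndpoint and on OrganizationFlagsWebHookSigningSecretEndpoint now resolves to a different scope map than before. Because these endpoints manage signing secrets, an endpoint test per method would be worth adding, asserting that a token without any listed scope is rejected and that an `org:read`-only token cannot DELETE. The scopes OrgAuthTokenPermission granted are not visible on this page, so whether this change widens or narrows access for existing tokens should be stated in the commit description. The body of `delete` continues outside the last hunk.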
