Conversation

@geoffg-sentry
Contributor

Issue Assignments GroupValidator.validate_assignedTo was still using ActorField, updated it to use the auth-check'd OwnerActorField to prevent the IDOR.

For the RuleSerializer, refactored its validate_owner for the duplicate auth check that OwnerActorField provides.

Updated the OpenAPI serializer too for docs:

  • OrganizationAlertRuleIndexPostSerializer
  • OrganizationAlertRuleDetailsPutSerializer
  • ProjectRulesPostSerializer
  • ProjectRuleDetailsPutSerializer

@geoffg-sentry geoffg-sentry requested review from a team as code owners January 26, 2026 19:10
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Jan 26, 2026
@geoffg-sentry geoffg-sentry changed the title from "Update OwnerActorField usage" to "Update OwnerActorField usage, refactor RuleSerializer, OpenAPI serializers" Jan 26, 2026
Member

@ceorourke ceorourke left a comment

"Stamping" for the alert rules stuff, will tag an issue-ier person for the group details stuff.


```python
def test_assign_team_not_member_of_when_open_membership_disabled(self) -> None:
    """
    Test that a user cannot assign an issue to a team they are not a member of
```
Member

Is this a change to the current behavior? As a user I'd expect to be able to reassign an issue to a more relevant team if it was mis-assigned. Arbitrarily tapping @roggenkemper to verify

Member

I think open membership being disabled is the important thing to note here - it seems correct that if it is disabled, you can't assign tickets to people from other teams (though if this is true, we should think of a workaround)

Contributor Author

@geoffg-sentry geoffg-sentry Jan 26, 2026

Hmm, that's a good point. I could revert some of this and we could call out in docs that team re-assignment is very intentional. Then gate that no-membership-reassignment so that only when you're on a team that has been assigned it now, that you can reassign it elsewhere.

Contributor Author

@geoffg-sentry geoffg-sentry Jan 26, 2026

@roggenkemper The fix here was to prevent user1 in team1 from reassigning issues to team2 if they are not a member, which is currently possible. Not about assigning to individual members. It's also the cause of some of the current test failures, which I'll have to fix.

So what behavior do we want here? Generally speaking, if you're not a member of team2, you shouldn't be able to assign issues to them without team:admin. But if we want to explicitly allow for a not-a-member team assignment of an issue, I can revert and we can better document this.

Contributor Author

@roggenkemper H'okay, made some changes. A user can now reassign to a team they are not a member of, if it's currently assigned to a team they are a member of. They cannot assign an issue to a team they are not a member of if that object isn't assigned to one of their teams.
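
The assignment rule settled on above, written out as an added Python example; this is not code from the Sentry PR or its code base. It puts an unchecked ActorField-style lookup (any team id the caller can name resolves, which is the IDOR shape the PR fixes) beside an OwnerActorField-style lookup that enforces the rule for the open-membership-disabled case: a member of the target team may assign to it, a member of the team that currently owns the object may hand it to another team, team:admin may assign anywhere in the organisation, and anything else is refused. The same check serves both the issue `assignedTo` validator and the rule `owner` validator discussed in the description. `Team`, `User`, `Issue`, the `TEAMS` table, the `has_team_admin` flag and all function names are assumptions invented for the illustration, as is the organisation-scoping check.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Team:
    id: int
    org_id: int


@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    team_ids: FrozenSet[int]
    has_team_admin: bool = False  # hypothetical stand-in for the team:admin scope


@dataclass(frozen=True)
class Issue:
    id: int
    org_id: int
    assigned_team_id: Optional[int] = None  # team that currently owns the issue


class AssignmentDenied(Exception):
    """Raised when the requester may not assign the object to the target team."""


# Constructed sample data: two organisations, four teams (ids are made up).
TEAMS: Dict[int, Team] = {
    1: Team(id=1, org_id=10),
    2: Team(id=2, org_id=10),
    3: Team(id=3, org_id=10),
    4: Team(id=4, org_id=20),  # lives in a different organisation
}


def resolve_team_unchecked(team_id: int) -> Team:
    """ActorField-style resolution: only checks that the id exists.

    Nothing here looks at who is asking, so any caller who can guess an id
    can name any team. This is the shape of the defect the PR closes.
    """
    try:
        return TEAMS[team_id]
    except KeyError:
        raise AssignmentDenied(f"team {team_id} not found") from None


def validate_team_assignment(user: User, team_id: int, issue: Issue) -> Team:
    """OwnerActorField-style resolution with the authorization rule applied.

    Mirrors the behaviour agreed in the thread for open membership disabled:
      - the team and the issue must be in the requester's organisation
        (assumed here; ids outside it are reported like missing ones);
      - team:admin may assign to any team in that organisation;
      - a member of the target team may assign to it;
      - a member of the team that currently owns the object may reassign it
        to any other team in the organisation;
      - everything else is denied.
    """
    target = resolve_team_unchecked(team_id)
    if target.org_id != user.org_id or issue.org_id != user.org_id:
        raise AssignmentDenied(f"team {team_id} not found")
    if user.has_team_admin:
        return target
    if target.id in user.team_ids:
        return target
    if issue.assigned_team_id is not None and issue.assigned_team_id in user.team_ids:
        return target
    raise AssignmentDenied(
        f"user {user.id} is neither a member of team {team_id} "
        f"nor of the team that owns issue {issue.id}"
    )


def can_assign(user: User, team_id: int, issue: Issue) -> bool:
    """Boolean convenience wrapper around validate_team_assignment."""
    try:
        validate_team_assignment(user, team_id, issue)
        return True
    except AssignmentDenied:
        return False
```

The out-of-organisation branch deliberately reuses the "not found" message so a caller cannot distinguish "that team exists but is not yours" from "that id is unused"; the membership branch returns a fuller reason because by then the caller has already proven they belong to the organisation.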

Member

Might be good to check with someone else, but I was under the impression open membership being off meant a user shouldn't be able to see the other teams in their organization unless they are in it (this assumption could be wrong).

Contributor

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

Member

@wmak wmak left a comment

LGTM

@geoffg-sentry geoffg-sentry merged commit b6526b6 into master Jan 28, 2026
65 checks passed
@geoffg-sentry geoffg-sentry deleted the issue-assign-auth-check branch January 28, 2026 19:33