fix(preprod): Allow org auth tokens to access build install-details

runningcode · claude · runningcode · commit 10a4a7fcf787 · 2026-03-25T12:18:57.000+01:00
The public install-details endpoint inherited OrganizationPermission which only accepts org:read scope. Org auth tokens used in CI have org:ci scope, so sentry-cli build download failed while build upload worked. Switch to OrganizationReleasePermission which accepts org:ci, matching the permission class used by the upload endpoints. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/src/sentry/preprod/api/endpoints/public/organization_preprod_artifact_install_details.py b/src/sentry/preprod/api/endpoints/public/organization_preprod_artifact_install_details.py
@@ -8,7 +8,7 @@
 from sentry.api.api_owners import ApiOwner
 from sentry.api.api_publish_status import ApiPublishStatus
 from sentry.api.base import cell_silo_endpoint
-from sentry.api.bases.organization import OrganizationEndpoint
+from sentry.api.bases.organization import OrganizationEndpoint, OrganizationReleasePermission
 from sentry.apidocs.constants import RESPONSE_FORBIDDEN, RESPONSE_NOT_FOUND
 from sentry.apidocs.examples.preprod_examples import PreprodExamples
 from sentry.apidocs.parameters import GlobalParams
@@ -30,6 +30,7 @@ class OrganizationPreprodArtifactPublicInstallDetailsEndpoint(OrganizationEndpoi
     publish_status = {
         "GET": ApiPublishStatus.PUBLIC,
     }
+    permission_classes = (OrganizationReleasePermission,)
     rate_limits = RateLimitConfig(
         limit_overrides={
             "GET": {
diff --git a/tests/sentry/preprod/api/endpoints/public/test_organization_preprod_artifact_install_details.py b/tests/sentry/preprod/api/endpoints/public/test_organization_preprod_artifact_install_details.py
@@ -1,7 +1,11 @@
 from django.urls import reverse
 
+from sentry.models.orgauthtoken import OrgAuthToken
 from sentry.preprod.models import PreprodArtifact
+from sentry.silo.base import SiloMode
 from sentry.testutils.cases import APITestCase
+from sentry.testutils.silo import assume_test_silo_mode
+from sentry.utils.security.orgauthtoken_token import generate_token, hash_token
 
 
 class OrganizationPreprodArtifactPublicInstallDetailsEndpointTest(APITestCase):
@@ -162,3 +166,19 @@ def test_ios_artifact_invalid_signature(self):
         assert data["isInstallable"] is False
         assert data["installUrl"] is None
         assert data["isCodeSignatureValid"] is False
+
+    def test_org_auth_token_with_org_ci_scope(self):
+        """Org auth tokens with org:ci scope can access install details (used by sentry-cli build download)."""
+        token_str = generate_token(self.organization.slug, "")
+        with assume_test_silo_mode(SiloMode.CONTROL):
+            OrgAuthToken.objects.create(
+                organization_id=self.organization.id,
+                name="CI Token",
+                token_hashed=hash_token(token_str),
+                scope_list=["org:ci"],
+            )
+
+        response = self.client.get(self._get_url(), HTTP_AUTHORIZATION=f"Bearer {token_str}")
+        assert response.status_code == 200
+        data = response.json()
+        assert data["buildId"] == str(self.preprod_artifact.id)
