test(api): Add regression coverage for tightened scopes

Add endpoint-level regression tests for the scope changes on this branch so each permission update is covered directly.

Cover the write-scope transitions for data export, alert rule creation, project user issues, replay delete, detector updates, and the alert helper endpoints. This keeps the branch from relying on indirect role coverage alone and makes the replay summary readonly exception explicit next to direct token tests.

Refs getsentry/getsentry#19897
Co-Authored-By: OpenAI Codex <noreply@openai.com>

Author: dcramer

tests/sentry/data_export/endpoints/test_data_export.py

@@ -2,6 +2,8 @@
 
 from typing import Any
 
+from django.urls import reverse
+
 from sentry.data_export.base import ExportQueryType, ExportStatus
 from sentry.data_export.models import ExportedData
 from sentry.search.utils import parse_datetime_string
@@ -23,6 +25,7 @@ def setUp(self) -> None:
         )
         self.create_member(user=self.user, organization=self.org, teams=[self.team])
         self.login_as(user=self.user)
+        self.url = reverse(self.endpoint, args=[self.org.slug])
 
     def make_payload(
         self, payload_type: str, extras: dict[str, Any] | None = None, overwrite: bool = False
@@ -77,6 +80,34 @@ def test_authorization(self) -> None:
         with self.feature("organizations:discover-query"):
             self.get_error_response(self.org.slug, status_code=403, **modified_payload)
 
+    def test_post_requires_event_write_scope_for_api_keys(self) -> None:
+        payload = self.make_payload("issue")
+        api_key = self.create_api_key(organization=self.org, scope_list=["event:read"])
+
+        with self.feature("organizations:discover-query"):
+            response = self.client.post(
+                self.url,
+                data=payload,
+                format="json",
+                HTTP_AUTHORIZATION=self.create_basic_auth_header(api_key.key),
+            )
+
+        assert response.status_code == 403
+
+    def test_post_allows_event_write_scope_for_api_keys(self) -> None:
+        payload = self.make_payload("issue")
+        api_key = self.create_api_key(organization=self.org, scope_list=["event:write"])
+
+        with self.feature("organizations:discover-query"):
+            response = self.client.post(
+                self.url,
+                data=payload,
+                format="json",
+                HTTP_AUTHORIZATION=self.create_basic_auth_header(api_key.key),
+            )
+
+        assert response.status_code == 201
+
     def test_new_export(self) -> None:
         """
         Ensures that a request to this endpoint returns a 201 status code

tests/sentry/incidents/endpoints/test_organization_alert_rule_index.py

@@ -40,6 +40,7 @@
     find_channel_id_for_alert_rule,
 )
 from sentry.integrations.slack.utils.channel import SlackChannelIdData
+from sentry.models.apitoken import ApiToken
 from sentry.models.auditlogentry import AuditLogEntry
 from sentry.models.organizationmember import OrganizationMember
 from sentry.models.projectteam import ProjectTeam
@@ -425,6 +426,10 @@ def setUp(self) -> None:
         )
         self.login_as(self.user)
 
+    def _create_token(self, scope: str) -> ApiToken:
+        with assume_test_silo_mode(SiloMode.CONTROL):
+            return ApiToken.objects.create(user=self.user, scope_list=[scope])
+
     def test_simple(self) -> None:
         with (
             outbox_runner(),
@@ -449,6 +454,35 @@ def test_simple(self) -> None:
             == list(audit_log_entry)[0].ip_address
         )
 
+    def test_create_requires_alerts_write_scope_for_tokens(self) -> None:
+        token = self._create_token("org:read")
+
+        with self.feature(["organizations:incidents", "organizations:performance-view"]):
+            response = self.client.post(
+                f"/api/0/organizations/{self.organization.slug}/alert-rules/",
+                data=self.alert_rule_dict,
+                format="json",
+                HTTP_AUTHORIZATION=f"Bearer {token.token}",
+            )
+
+        assert response.status_code == 403
+
+    def test_create_allows_alerts_write_scope_for_tokens(self) -> None:
+        token = self._create_token("alerts:write")
+
+        with (
+            outbox_runner(),
+            self.feature(["organizations:incidents", "organizations:performance-view"]),
+        ):
+            response = self.client.post(
+                f"/api/0/organizations/{self.organization.slug}/alert-rules/",
+                data=self.alert_rule_dict,
+                format="json",
+                HTTP_AUTHORIZATION=f"Bearer {token.token}",
+            )
+
+        assert response.status_code == 201
+
     @patch("sentry.incidents.serializers.alert_rule.are_any_projects_error_upsampled")
     def test_count_automatically_converted_to_upsampled_count_for_upsampled_projects(
         self, mock_are_any_projects_error_upsampled

tests/sentry/issues/endpoints/test_project_user_issue.py

@@ -6,9 +6,11 @@
 
 from sentry.issues.grouptype import WebVitalsGroup
 from sentry.issues.producer import PayloadType
+from sentry.models.apitoken import ApiToken
+from sentry.silo.base import SiloMode
 from sentry.testutils.cases import APITestCase
 from sentry.testutils.helpers.features import with_feature
-from sentry.testutils.silo import cell_silo_test
+from sentry.testutils.silo import assume_test_silo_mode, cell_silo_test
 
 
 @cell_silo_test
@@ -31,6 +33,10 @@ def setUp(self) -> None:
             },
         )
 
+    def _create_token(self, scope: str) -> ApiToken:
+        with assume_test_silo_mode(SiloMode.CONTROL):
+            return ApiToken.objects.create(user=self.user, scope_list=[scope])
+
     @with_feature("organizations:performance-web-vitals-seer-suggestions")
     def test_create_web_vitals_issue_success(self) -> None:
         data = {
@@ -110,6 +116,48 @@ def test_no_access(self) -> None:
 
         assert response.status_code == 404
 
+    @with_feature("organizations:performance-web-vitals-seer-suggestions")
+    def test_create_web_vitals_issue_requires_event_write_scope(self) -> None:
+        token = self._create_token("event:read")
+
+        response = self.client.post(
+            self.url,
+            data={
+                "transaction": "/test-transaction",
+                "issueType": WebVitalsGroup.slug,
+                "score": 75,
+                "value": 1000,
+                "vital": "lcp",
+            },
+            format="json",
+            HTTP_AUTHORIZATION=f"Bearer {token.token}",
+        )
+
+        assert response.status_code == 403
+
+    @with_feature("organizations:performance-web-vitals-seer-suggestions")
+    def test_create_web_vitals_issue_allows_event_write_scope(self) -> None:
+        token = self._create_token("event:write")
+
+        with patch(
+            "sentry.issues.endpoints.project_user_issue.produce_occurrence_to_kafka"
+        ) as mock_produce:
+            response = self.client.post(
+                self.url,
+                data={
+                    "transaction": "/test-transaction",
+                    "issueType": WebVitalsGroup.slug,
+                    "score": 75,
+                    "value": 1000,
+                    "vital": "lcp",
+                },
+                format="json",
+                HTTP_AUTHORIZATION=f"Bearer {token.token}",
+            )
+
+        assert response.status_code == 200
+        assert response.data == {"event_id": mock_produce.call_args[1]["occurrence"].event_id}
+
     @with_feature("organizations:performance-web-vitals-seer-suggestions")
     def test_missing_required_fields(self) -> None:
         data = {

tests/sentry/replays/endpoints/test_project_replay_details.py

@@ -206,6 +206,17 @@ def test_delete_requires_event_write_scope_for_api_tokens(self) -> None:
 
         assert response.status_code == 403
 
+    def test_delete_denies_project_write_scope_for_api_tokens(self) -> None:
+        with assume_test_silo_mode(SiloMode.CONTROL):
+            token = ApiToken.objects.create(user=self.user, scope_list=["project:write"])
+
+        with self.feature(REPLAYS_FEATURES):
+            response = self.client.delete(
+                self.url, HTTP_AUTHORIZATION=f"Bearer {token.token}", format="json"
+            )
+
+        assert response.status_code == 403
+
     def test_delete_allows_event_write_scope_for_api_tokens(self) -> None:
         with assume_test_silo_mode(SiloMode.CONTROL):
             token = ApiToken.objects.create(user=self.user, scope_list=["event:write"])

tests/sentry/seer/endpoints/test_organization_events_anomalies.py

@@ -2,6 +2,7 @@
 from unittest.mock import MagicMock, patch
 
 import orjson
+from django.urls import reverse
 from urllib3 import HTTPResponse
 from urllib3.exceptions import TimeoutError
 
@@ -10,6 +11,7 @@
     AlertRuleSensitivity,
     AlertRuleThresholdType,
 )
+from sentry.models.apitoken import ApiToken
 from sentry.seer.anomaly_detection.types import (
     Anomaly,
     AnomalyDetectionConfig,
@@ -18,10 +20,12 @@
     TimeSeriesPoint,
 )
 from sentry.seer.anomaly_detection.utils import translate_direction
+from sentry.silo.base import SiloMode
 from sentry.testutils.cases import APITestCase
 from sentry.testutils.helpers.datetime import before_now, freeze_time
 from sentry.testutils.helpers.features import with_feature
 from sentry.testutils.outbox import outbox_runner
+from sentry.testutils.silo import assume_test_silo_mode
 
 
 @freeze_time()
@@ -44,6 +48,10 @@ class OrganizationEventsAnomaliesEndpointTest(APITestCase):
     current_timestamp_1 = one_week_ago.timestamp()
     current_timestamp_2 = (one_week_ago + timedelta(minutes=10)).timestamp()
 
+    def _create_token(self, scope: str) -> ApiToken:
+        with assume_test_silo_mode(SiloMode.CONTROL):
+            return ApiToken.objects.create(user=self.user, scope_list=[scope])
+
     def get_test_data(self, project_id: int) -> dict:
         return {
             "project_id": str(project_id),  # UI provides project_id as str
@@ -157,6 +165,47 @@ def test_member_permission(self, mock_seer_request: MagicMock) -> None:
         assert mock_seer_request.call_count == 1
         assert resp.data == seer_return_value["timeseries"]
 
+    @with_feature("organizations:anomaly-detection-alerts")
+    @with_feature("organizations:incidents")
+    @patch(
+        "sentry.seer.anomaly_detection.get_historical_anomalies.seer_anomaly_detection_connection_pool.urlopen"
+    )
+    def test_alerts_write_scope_allows_post(self, mock_seer_request: MagicMock) -> None:
+        mock_seer_request.return_value = HTTPResponse(
+            orjson.dumps(DetectAnomaliesResponse(success=True, message="", timeseries=[])),
+            status=200,
+        )
+        token = self._create_token("alerts:write")
+        data = self.get_test_data(self.project.id)
+        url = reverse(self.endpoint, args=[self.organization.slug])
+
+        with outbox_runner():
+            response = self.client.post(
+                url,
+                data=orjson.dumps(data),
+                content_type="application/json",
+                HTTP_AUTHORIZATION=f"Bearer {token.token}",
+            )
+
+        assert response.status_code == 200
+
+    @with_feature("organizations:anomaly-detection-alerts")
+    @with_feature("organizations:incidents")
+    def test_org_read_scope_cannot_post(self) -> None:
+        token = self._create_token("org:read")
+        data = self.get_test_data(self.project.id)
+        url = reverse(self.endpoint, args=[self.organization.slug])
+
+        with outbox_runner():
+            response = self.client.post(
+                url,
+                data=orjson.dumps(data),
+                content_type="application/json",
+                HTTP_AUTHORIZATION=f"Bearer {token.token}",
+            )
+
+        assert response.status_code == 403
+
     @with_feature("organizations:anomaly-detection-alerts")
     @with_feature("organizations:incidents")
     @patch(

tests/sentry/uptime/endpoints/test_organization_uptime_alert_preview.py

@@ -134,3 +134,27 @@ def test_alerts_write_permission(self) -> None:
         )
 
         assert response.status_code == 200, response.content
+
+    def test_org_read_scope_cannot_run_preview_check(self) -> None:
+        api_key = self.create_api_key(organization=self.organization, scope_list=["org:read"])
+
+        url = reverse(
+            "sentry-api-0-organization-uptime-alert-preview-check",
+            kwargs={"organization_id_or_slug": self.organization.slug},
+        )
+        response = self.client.post(
+            url,
+            data={
+                "name": "test",
+                "environment": "uptime-prod",
+                "owner": f"user:{self.user.id}",
+                "url": "http://sentry.io",
+                "timeoutMs": 1500,
+                "body": None,
+                "region": "default",
+            },
+            format="json",
+            HTTP_AUTHORIZATION=self.create_basic_auth_header(api_key.key),
+        )
+
+        assert response.status_code == 403

tests/sentry/uptime/endpoints/test_organization_uptime_assertion_suggestions.py

@@ -0,0 +1,85 @@
+from unittest import mock
+
+from django.test import override_settings
+from django.urls import reverse
+
+from sentry.conf.types.uptime import UptimeRegionConfig
+from tests.sentry.uptime.endpoints import UptimeAlertBaseEndpointTest
+
+
+@override_settings(
+    UPTIME_REGIONS=[
+        UptimeRegionConfig(
+            slug="default",
+            name="Default Region",
+            config_redis_key_prefix="default",
+            api_endpoint="pop-st-1.uptime-checker.s4s.sentry.internal:80",
+        )
+    ]
+)
+class OrganizationUptimeAssertionSuggestionsTest(UptimeAlertBaseEndpointTest):
+    endpoint = "sentry-api-0-organization-uptime-assertion-suggestions"
+    method = "post"
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.url = reverse(self.endpoint, args=[self.organization.slug])
+        self.payload = {
+            "name": "test",
+            "environment": "uptime-prod",
+            "owner": f"user:{self.user.id}",
+            "url": "http://sentry.io",
+            "timeoutMs": 1500,
+            "body": None,
+            "region": "default",
+        }
+
+    @mock.patch(
+        "sentry.uptime.endpoints.organization_uptime_assertion_suggestions.generate_assertion_suggestions"
+    )
+    @mock.patch(
+        "sentry.uptime.endpoints.organization_uptime_assertion_suggestions.checker_api.invoke_checker_preview"
+    )
+    @mock.patch(
+        "sentry.uptime.endpoints.organization_uptime_assertion_suggestions.UptimeCheckPreviewValidator"
+    )
+    @mock.patch("sentry.uptime.endpoints.organization_uptime_assertion_suggestions.has_seer_access")
+    def test_alerts_write_scope_can_generate_suggestions(
+        self,
+        mock_has_seer_access: mock.MagicMock,
+        mock_validator_cls: mock.MagicMock,
+        mock_preview: mock.MagicMock,
+        mock_generate: mock.MagicMock,
+    ) -> None:
+        api_key = self.create_api_key(organization=self.organization, scope_list=["alerts:write"])
+        mock_has_seer_access.return_value = True
+        mock_validator = mock_validator_cls.return_value
+        mock_validator.is_valid.return_value = True
+        mock_validator.save.return_value = {"active_regions": ["default"]}
+        mock_preview.return_value = mock.Mock(
+            status_code=200,
+            json=mock.Mock(return_value={"status": 200}),
+            raise_for_status=mock.Mock(),
+        )
+        mock_generate.return_value = (None, None)
+
+        response = self.client.post(
+            self.url,
+            data=self.payload,
+            format="json",
+            HTTP_AUTHORIZATION=self.create_basic_auth_header(api_key.key),
+        )
+
+        assert response.status_code == 200
+
+    def test_org_read_scope_cannot_generate_suggestions(self) -> None:
+        api_key = self.create_api_key(organization=self.organization, scope_list=["org:read"])
+
+        response = self.client.post(
+            self.url,
+            data=self.payload,
+            format="json",
+            HTTP_AUTHORIZATION=self.create_basic_auth_header(api_key.key),
+        )
+
+        assert response.status_code == 403