Merge branch 'master' into nm/nav/issue-detail-actions

Author: natemoo-re

src/sentry/sentry_apps/api/endpoints/installation_external_issue_actions.py

@@ -1,4 +1,3 @@
-from django.utils.functional import empty
 from rest_framework import serializers
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -12,22 +11,7 @@
     PlatformExternalIssueSerializer,
 )
 from sentry.sentry_apps.services.cell import sentry_app_cell_service
-from sentry.users.models.user import User
-from sentry.users.services.user.serial import serialize_rpc_user
-
-
-def _extract_lazy_object(lo):
-    """
-    Unwrap a LazyObject and return the inner object. Whatever that may be.
-
-    ProTip: This is relying on `django.utils.functional.empty`, which may
-    or may not be removed in the future. It's 100% undocumented.
-    """
-    if not hasattr(lo, "_wrapped"):
-        return lo
-    if lo._wrapped is empty:
-        lo._setup()
-    return lo._wrapped
+from sentry.users.services.user.serial import serialize_generic_user
 
 
 class SentryAppInstallationExternalIssueActionsSerializer(serializers.Serializer):
@@ -57,9 +41,9 @@ def post(self, request: Request, installation) -> Response:
         action = data.pop("action")
         uri = data.pop("uri")
 
-        user = _extract_lazy_object(request.user)
-        if isinstance(user, User):
-            user = serialize_rpc_user(user)
+        rpc_user = serialize_generic_user(request.user)
+        if rpc_user is None:
+            return Response({"detail": "Authentication credentials were not provided."}, status=401)
 
         result = sentry_app_cell_service.create_issue_link(
             organization_id=installation.organization_id,
@@ -68,7 +52,7 @@ def post(self, request: Request, installation) -> Response:
             action=action,
             fields=data,
             uri=uri,
-            user=user,
+            user=rpc_user,
         )
 
         if result.error:

src/sentry/sentry_apps/api/endpoints/installation_external_issue_details.py

@@ -25,6 +25,10 @@ def delete(self, request: Request, installation, external_issue_id) -> Response:
                 status_code=400,
             )
 
+        if not request.user.is_authenticated:
+            return Response({"detail": "Authentication credentials were not provided."}, status=401)
+
+        # Do not pass `user` until cells accept the new RPC arg everywhere (deploy phase 2).
         result = sentry_app_cell_service.delete_external_issue(
             organization_id=installation.organization_id,
             installation=installation,

src/sentry/sentry_apps/api/endpoints/installation_external_issues.py

@@ -41,6 +41,10 @@ def post(self, request: Request, installation) -> Response:
         except Exception:
             return Response({"detail": "issueId is required, and must be an integer"}, status=400)
 
+        if not request.user.is_authenticated:
+            return Response({"detail": "Authentication credentials were not provided."}, status=401)
+
+        # Do not pass `user` until cells accept the new RPC arg everywhere (deploy phase 2).
         result = sentry_app_cell_service.create_external_issue(
             organization_id=installation.organization_id,
             installation=installation,

src/sentry/sentry_apps/api/endpoints/installation_external_requests.py

@@ -26,11 +26,23 @@ def get(self, request: Request, installation: RpcSentryAppInstallation) -> Respo
         if not uri:
             return Response({"detail": "uri query parameter is required"}, status=400)
 
+        if not request.user.is_authenticated:
+            return Response({"detail": "Authentication credentials were not provided."}, status=401)
+
+        project_id: int | None = None
+        project_id_raw = request.GET.get("projectId")
+        if project_id_raw:
+            try:
+                project_id = int(project_id_raw)
+            except (TypeError, ValueError):
+                return Response({"detail": "projectId must be an integer"}, status=400)
+
+        # Do not pass `user` until cells accept the new RPC arg everywhere (deploy phase 2).
         result = sentry_app_cell_service.get_select_options(
             organization_id=installation.organization_id,
             installation=installation,
             uri=request.GET.get("uri"),
-            project_id=int(request.GET["projectId"]) if request.GET.get("projectId") else None,
+            project_id=project_id,
             query=request.GET.get("query"),
             dependent_data=request.GET.get("dependentData"),
         )

src/sentry/sentry_apps/services/cell/impl.py

@@ -44,6 +44,7 @@ def get_select_options(
         organization_id: int,
         installation: RpcSentryAppInstallation,
         uri: str,
+        user: RpcUser | None = None,
         project_id: int | None = None,
         query: str | None = None,
         dependent_data: str | None = None,
@@ -54,9 +55,32 @@ def get_select_options(
 
         project_slug: str | None = None
         if project_id is not None:
-            project = Project.objects.filter(id=project_id, organization_id=organization_id).first()
-            if project:
-                project_slug = project.slug
+            project = (
+                Project.objects.select_related("organization")
+                .filter(id=project_id, organization_id=organization_id)
+                .first()
+            )
+            if not project:
+                return RpcSelectRequesterResult(
+                    error=RpcSentryAppError(
+                        message="Could not find the given project for this organization.",
+                        status_code=404,
+                    )
+                )
+            if user is not None:
+                access = self._access_for_installation_user(
+                    organization=project.organization,
+                    installation=installation,
+                    user=user,
+                )
+                if not access.has_project_access(project):
+                    return RpcSelectRequesterResult(
+                        error=RpcSentryAppError(
+                            message="You do not have permission to access this project.",
+                            status_code=403,
+                        )
+                    )
+            project_slug = project.slug
 
         try:
             result = SelectRequester(
@@ -149,12 +173,13 @@ def create_external_issue(
         web_url: str,
         project: str,
         identifier: str,
+        user: RpcUser | None = None,
     ) -> RpcPlatformExternalIssueResult:
         """
         Matches: src/sentry/sentry_apps/api/endpoints/installation_external_issues.py @ POST
         """
         try:
-            group = Group.objects.get(
+            group = Group.objects.select_related("project", "project__organization").get(
                 id=group_id,
                 project_id__in=Project.objects.filter(organization_id=organization_id),
             )
@@ -166,6 +191,28 @@ def create_external_issue(
                 )
             )
 
+        if group.project.organization_id != organization_id:
+            return RpcPlatformExternalIssueResult(
+                error=RpcSentryAppError(
+                    message="Could not find the corresponding issue for the given issueId",
+                    status_code=404,
+                )
+            )
+
+        if user is not None:
+            access = self._access_for_installation_user(
+                organization=group.project.organization,
+                installation=installation,
+                user=user,
+            )
+            if not access.has_project_access(group.project):
+                return RpcPlatformExternalIssueResult(
+                    error=RpcSentryAppError(
+                        message="You do not have permission to create an external issue for this issue.",
+                        status_code=403,
+                    )
+                )
+
         try:
             external_issue = ExternalIssueCreator(
                 install=installation,
@@ -187,14 +234,21 @@ def delete_external_issue(
         organization_id: int,
         installation: RpcSentryAppInstallation,
         external_issue_id: int,
+        user: RpcUser | None = None,
     ) -> RpcEmptyResult:
         """
         Matches: src/sentry/sentry_apps/api/endpoints/installation_external_issue_details.py @ DELETE
         """
         try:
-            platform_external_issue = PlatformExternalIssue.objects.get(
+            platform_external_issue = PlatformExternalIssue.objects.select_related(
+                "group",
+                "group__project",
+                "group__project__organization",
+                "project",
+                "project__organization",
+            ).get(
                 id=external_issue_id,
-                project__organization_id=organization_id,
+                group__project__organization_id=organization_id,
                 service_type=installation.sentry_app.slug,
             )
         except PlatformExternalIssue.DoesNotExist:
@@ -206,6 +260,32 @@ def delete_external_issue(
                 ),
             )
 
+        issue_project = platform_external_issue.project or platform_external_issue.group.project
+        if issue_project.organization_id != organization_id:
+            return RpcEmptyResult(
+                success=False,
+                error=RpcSentryAppError(
+                    message="Could not find the corresponding external issue from given external_issue_id",
+                    status_code=404,
+                ),
+            )
+        organization = issue_project.organization
+
+        if user is not None:
+            access = self._access_for_installation_user(
+                organization=organization,
+                installation=installation,
+                user=user,
+            )
+            if not access.has_project_access(issue_project):
+                return RpcEmptyResult(
+                    success=False,
+                    error=RpcSentryAppError(
+                        message="You do not have permission to delete this external issue.",
+                        status_code=403,
+                    ),
+                )
+
         deletions.exec_sync(platform_external_issue)
 
         return RpcEmptyResult()

src/sentry/sentry_apps/services/cell/service.py

@@ -51,6 +51,7 @@ def get_select_options(
         organization_id: int,
         installation: RpcSentryAppInstallation,
         uri: str,
+        user: RpcUser | None = None,
         project_id: int | None = None,
         query: str | None = None,
         dependent_data: str | None = None,
@@ -85,6 +86,7 @@ def create_external_issue(
         web_url: str,
         project: str,
         identifier: str,
+        user: RpcUser | None = None,
     ) -> RpcPlatformExternalIssueResult:
         """Invokes ExternalIssueCreator to create an external issue."""
         pass
@@ -97,6 +99,7 @@ def delete_external_issue(
         organization_id: int,
         installation: RpcSentryAppInstallation,
         external_issue_id: int,
+        user: RpcUser | None = None,
     ) -> RpcEmptyResult:
         """Deletes a PlatformExternalIssue."""
         pass

src/sentry/users/services/user/serial.py

@@ -3,7 +3,7 @@
 from collections.abc import Iterable
 from typing import Any
 
-from django.utils.functional import LazyObject
+from django.utils.functional import LazyObject, empty
 
 from sentry.db.models.manager.base_query_set import BaseQuerySet
 from sentry.users.models.user import User
@@ -23,7 +23,10 @@ def serialize_generic_user(user: Any) -> RpcUser | None:
     Return None if the user is anonymous (not logged in).
     """
     if isinstance(user, LazyObject):  # from auth middleware
-        user = getattr(user, "_wrapped")
+        lazy: Any = user
+        if lazy._wrapped is empty:
+            lazy._setup()
+        user = lazy._wrapped
     if user is None or user.id is None:
         return None
     if isinstance(user, RpcUser):

static/app/components/workflowEngine/layout/list.tsx

@@ -12,7 +12,7 @@ interface WorkflowEngineListLayoutProps {
   actions: React.ReactNode;
   /** The main content for this page */
   children: React.ReactNode;
-  description: string;
+  description: React.ReactNode;
   docsUrl: string;
   title: string;
 }