fix(replays): require event write for replay deletes

dcramer · codex · dcramer · commit 6144c109d40c · 2026-04-15T15:13:35.000-07:00
Replay delete is a public mutation, so it should not depend on a project read-style contract. Move the DELETE permission to event write/admin so member sessions keep working while token auth requires a real write scope.

Add direct endpoint tests covering the token contract: event:read is denied and event:write is allowed for replay delete.

Co-Authored-By: OpenAI Codex &lt;noreply@openai.com&gt;
diff --git a/src/sentry/replays/endpoints/project_replay_details.py b/src/sentry/replays/endpoints/project_replay_details.py
@@ -23,7 +23,7 @@ class ReplayDetailsPermission(ProjectPermission):
         "GET": ["project:read", "project:write", "project:admin"],
         "POST": ["project:write", "project:admin"],
         "PUT": ["project:write", "project:admin"],
-        "DELETE": ["project:write", "project:admin"],
+        "DELETE": ["event:write", "event:admin"],
     }
 
 
diff --git a/tests/sentry/replays/endpoints/test_project_replay_details.py b/tests/sentry/replays/endpoints/test_project_replay_details.py
@@ -5,13 +5,16 @@
 
 from django.urls import reverse
 
+from sentry.models.apitoken import ApiToken
 from sentry.models.files.file import File
 from sentry.replays.lib import kafka
 from sentry.replays.lib.storage import RecordingSegmentStorageMeta, storage
 from sentry.replays.models import ReplayRecordingSegment
 from sentry.replays.testutils import assert_expected_response, mock_expected_response, mock_replay
+from sentry.silo.base import SiloMode
 from sentry.testutils.cases import APITestCase, ReplaysSnubaTestCase
 from sentry.testutils.helpers import TaskRunner
+from sentry.testutils.silo import assume_test_silo_mode
 from sentry.utils import kafka_config
 
 REPLAYS_FEATURES = {"organizations:session-replay": True}
@@ -192,6 +195,29 @@ def test_delete_replay_from_filestore(self) -> None:
         except File.DoesNotExist:
             pass
 
+    def test_delete_requires_event_write_scope_for_api_tokens(self) -> None:
+        with assume_test_silo_mode(SiloMode.CONTROL):
+            token = ApiToken.objects.create(user=self.user, scope_list=["event:read"])
+
+        with self.feature(REPLAYS_FEATURES):
+            response = self.client.delete(
+                self.url, HTTP_AUTHORIZATION=f"Bearer {token.token}", format="json"
+            )
+
+        assert response.status_code == 403
+
+    def test_delete_allows_event_write_scope_for_api_tokens(self) -> None:
+        with assume_test_silo_mode(SiloMode.CONTROL):
+            token = ApiToken.objects.create(user=self.user, scope_list=["event:write"])
+
+        with self.feature(REPLAYS_FEATURES):
+            with patch("sentry.replays.endpoints.project_replay_details.delete_replay.delay"):
+                response = self.client.delete(
+                    self.url, HTTP_AUTHORIZATION=f"Bearer {token.token}", format="json"
+                )
+
+        assert response.status_code == 204
+
     def test_delete_replay_from_clickhouse_data(self) -> None:
         """Test deleting files uploaded through the direct storage interface."""
         kept_replay_id = uuid4().hex

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ class ReplayDetailsPermission(ProjectPermission):`
`23`	`23`	`"GET": ["project:read", "project:write", "project:admin"],`
`24`	`24`	`"POST": ["project:write", "project:admin"],`
`25`	`25`	`"PUT": ["project:write", "project:admin"],`
`26`		`- "DELETE": ["project:write", "project:admin"],`
	`26`	`+ "DELETE": ["event:write", "event:admin"],`
`27`	`27`	`}`
`28`	`28`
`29`	`29`