def has_object_permission(self, request, view, organization):
    """Resolve ``request.access`` for *organization*, enforce the org's login
    policy, and report whether the request carries an allowed scope.

    Side effect: ``request.access`` is set from the token's scopes when a
    logged-in user also presents ``request.auth``; from the token alone when
    it is bound to this organization (otherwise ``access.DEFAULT``, presumably
    a no-access value -- confirm against sentry.auth.access); and from the
    request itself when no token is present.

    Signed requests are logged and let through the SSO check. Session users
    must then satisfy the organization's SSO requirement and 2FA policy.
    Token-only requests are not subject to those two checks.

    Raises ``SsoRequired`` or ``TwoFactorRequired`` for a session user that
    fails the respective check. Returns True when ``request.access`` holds at
    least one scope that ``self.scope_map`` allows for ``request.method``.
    """
    def log_access(event):
        # Built per call so ``request.user.id`` is only read when a line is
        # actually logged (matches the branch-local logging of the policy).
        logger.info(
            event,
            extra={
                'organization_id': organization.id,
                'user_id': request.user.id,
            }
        )

    if request.user and request.user.is_authenticated() and request.auth:
        # Logged-in user plus a token: the token's scopes bound the access.
        request.access = access.from_request(
            request,
            organization,
            scopes=request.auth.get_scopes(),
        )
    elif request.auth:
        # Token-only auth grants something only when bound to this org.
        token_matches_org = request.auth.organization_id == organization.id
        if token_matches_org:
            request.access = access.from_auth(request.auth)
        else:
            request.access = access.DEFAULT
    else:
        request.access = access.from_request(request, organization)

    if auth.is_user_signed_request(request):
        # A signed request passes the SSO requirement outright.
        log_access('access.signed-sso-passthrough')
    elif request.user.is_authenticated():
        # Session auth must clear the org's SSO and 2FA policy before scopes
        # are even consulted.
        if self.needs_sso(request, organization):
            log_access('access.must-sso')
            raise SsoRequired(organization)
        if self.is_not_2fa_compliant(request.user, organization):
            log_access('access.not-2fa-compliant')
            raise TwoFactorRequired()

    allowed = set(self.scope_map.get(request.method, []))
    return any(request.access.has_scope(scope) for scope in allowed)
def has_object_permission(self, request, view, organization):
    """Resolve ``request.access`` for *organization*, enforce the org's login
    policy, and report whether the request carries an allowed scope.

    ``request.access`` is derived from the token's scopes (logged-in user with
    ``request.auth``), from the token alone when it belongs to this
    organization (else ``access.DEFAULT`` -- presumably a no-access value,
    confirm in sentry.auth.access), or from the request when no token is set.

    Signed requests are logged and pass the SSO check. Session users must
    satisfy the SSO requirement and the 2FA policy; either failure is
    surfaced as ``NotAuthenticated`` with a descriptive ``detail``. Token-only
    requests skip those two checks.

    Returns True when ``request.access`` has a scope that ``self.scope_map``
    allows for ``request.method``.
    """
    def log_access(event):
        # ``request.user.id`` is read lazily, only when a line is logged.
        logger.info(
            event,
            extra={
                'organization_id': organization.id,
                'user_id': request.user.id,
            }
        )

    session_user = request.user and request.user.is_authenticated()
    if session_user and request.auth:
        # User session plus token: token scopes bound the resulting access.
        request.access = access.from_request(
            request,
            organization,
            scopes=request.auth.get_scopes(),
        )
    elif request.auth:
        # Token-only auth: only a token bound to this org grants access.
        if request.auth.organization_id == organization.id:
            request.access = access.from_auth(request.auth)
        else:
            request.access = access.DEFAULT
    else:
        request.access = access.from_request(request, organization)

    if auth.is_user_signed_request(request):
        # Signed requests are allowed through the SSO requirement.
        log_access('access.signed-sso-passthrough')
    elif request.user.is_authenticated():
        # Session auth must clear SSO and 2FA policy before scopes matter.
        if self.needs_sso(request, organization):
            log_access('access.must-sso')
            raise NotAuthenticated(detail='Must login via SSO')
        if self.is_not_2fa_compliant(request.user, organization):
            log_access('access.not-2fa-compliant')
            raise NotAuthenticated(
                detail='Organization requires two-factor authentication to be enabled')

    permitted = set(self.scope_map.get(request.method, []))
    return any(request.access.has_scope(scope) for scope in permitted)
def determine_access(self, request: Request, organization) -> None:
    """Set ``request.access`` for *organization* and enforce its login policy.

    ``request.access`` comes from the token's scopes (logged-in user with
    ``request.auth``), from the token via ``access.from_auth`` when only a
    token is present, or from the request itself otherwise.

    Signed requests are logged and pass the SSO check. A session user must
    then clear, in order: the SSO requirement (``SsoRequired``), the 2FA
    policy (``SuperuserRequired`` when the user is a superuser and the org is
    not ``Superuser.org_id`` -- the meaning of that id is inferred from its
    name, confirm -- else ``TwoFactorRequired``), and the member limit
    (``MemberDisabledOverLimit``). Token-only requests skip those checks.

    Note: ``request.user.id`` is read up front for the log context, before
    the policy branches, so a request without a user object fails here.
    """
    from sentry.api.base import logger

    if request.user and request.user.is_authenticated and request.auth:
        # User session plus token: the token's scopes bound the access.
        request.access = access.from_request(
            request, organization, scopes=request.auth.get_scopes()
        )
    elif request.auth:
        request.access = access.from_auth(request.auth, organization)
    else:
        request.access = access.from_request(request, organization)

    # Shared log context; built eagerly (before any check) on purpose.
    log_context = {
        "organization_id": organization.id,
        "user_id": request.user.id,
    }

    def note(event):
        logger.info(event, extra=log_context)

    if auth.is_user_signed_request(request):
        # A signed request passes the SSO requirement outright.
        note("access.signed-sso-passthrough")
        return

    if not request.user.is_authenticated:
        # Token-only (or anonymous) requests are not subject to the
        # session-level policy checks below.
        return

    # Session auth has to confirm the organization's policy, in this order.
    if self.needs_sso(request, organization):
        note("access.must-sso")
        raise SsoRequired(organization)

    if self.is_not_2fa_compliant(request, organization):
        note("access.not-2fa-compliant")
        # Superusers outside the superuser org get a distinct error so the
        # client can tell the two requirements apart.
        if request.user.is_superuser and organization.id != Superuser.org_id:
            raise SuperuserRequired()
        raise TwoFactorRequired()

    if self.is_member_disabled_from_limit(request, organization):
        note("access.member-disabled-from-limit")
        raise MemberDisabledOverLimit(organization)
def determine_access(self, request, organization):
    """Set ``request.access`` for *organization* and enforce its login policy.

    ``request.access`` is taken from the token's scopes when a logged-in user
    also presents ``request.auth``, from ``access.from_auth`` when only a
    token is present, and from the request itself otherwise.

    Signed requests are logged and pass the SSO check. Session users must
    satisfy the SSO requirement (``SsoRequired``) and the 2FA policy
    (``TwoFactorRequired``). Token-only requests skip those two checks.
    Returns None; the outcome is ``request.access`` or the raised error.
    """
    from sentry.api.base import logger

    def note(event):
        # Log context is assembled per call so ``request.user.id`` is only
        # read on the branches that actually log.
        logger.info(
            event,
            extra={
                'organization_id': organization.id,
                'user_id': request.user.id,
            }
        )

    if request.user and request.user.is_authenticated() and request.auth:
        # User session plus token: the token's scopes bound the access.
        request.access = access.from_request(
            request,
            organization,
            scopes=request.auth.get_scopes(),
        )
    elif request.auth:
        request.access = access.from_request(request, organization) if False else access.from_auth(request.auth, organization)
    else:
        request.access = access.from_request(request, organization)

    if auth.is_user_signed_request(request):
        # Signed requests are let through the SSO requirement.
        note('access.signed-sso-passthrough')
        return

    if not request.user.is_authenticated():
        # Nothing further to confirm for token-only or anonymous requests.
        return

    # Session auth must clear SSO first, then the 2FA policy.
    if self.needs_sso(request, organization):
        note('access.must-sso')
        raise SsoRequired(organization)

    if self.is_not_2fa_compliant(request, organization):
        note('access.not-2fa-compliant')
        raise TwoFactorRequired()
def determine_access(self, request, organization):
    """Set ``request.access`` for *organization* and enforce its login policy.

    ``request.access`` is derived from the token's scopes (logged-in user
    with ``request.auth``), from the token alone when it is bound to this
    organization (else ``access.DEFAULT`` -- presumably a no-access value,
    confirm in sentry.auth.access), or from the request when no token is set.

    Signed requests are logged and pass the SSO check. Session users must
    satisfy the SSO requirement (``SsoRequired``) and the 2FA policy
    (``TwoFactorRequired``); token-only requests skip both. Returns None.
    """
    from sentry.api.base import logger
    from sentry.auth import access  # imported here: Django 1.9 setup ordering issue
    from sentry.utils import auth

    def note(event):
        # Context is built per call so ``request.user.id`` is read only when
        # a line is actually logged.
        logger.info(event, extra={
            'organization_id': organization.id,
            'user_id': request.user.id,
        })

    has_session = request.user and request.user.is_authenticated()
    if has_session and request.auth:
        # User session plus token: token scopes bound the resulting access.
        request.access = access.from_request(
            request,
            organization,
            scopes=request.auth.get_scopes(),
        )
    elif request.auth:
        # Token-only auth grants something only when bound to this org.
        bound_to_org = request.auth.organization_id == organization.id
        request.access = access.from_auth(request.auth) if bound_to_org else access.DEFAULT
    else:
        request.access = access.from_request(request, organization)

    if auth.is_user_signed_request(request):
        # Signed requests are let through the SSO requirement.
        note('access.signed-sso-passthrough')
        return

    if not request.user.is_authenticated():
        # Token-only or anonymous: no session-level policy to confirm.
        return

    # Session auth must clear SSO first, then the 2FA policy.
    if self.needs_sso(request, organization):
        note('access.must-sso')
        raise SsoRequired(organization)

    if self.is_not_2fa_compliant(request.user, organization):
        note('access.not-2fa-compliant')
        raise TwoFactorRequired()