def has_object_permission(self, request, view, project):
result = super(ProjectPermission,
self).has_object_permission(request, view,
project.organization)
if not result:
return result
if project.teams.exists():
return any(
has_team_permission(request, team, self.scope_map)
for team in project.teams.all())
elif is_system_auth(request.auth):
return True
elif request.user.is_authenticated():
# this is only for team-less projects
if is_active_superuser(request):
return True
try:
role = OrganizationMember.objects.filter(
organization=project.organization,
user=request.user,
).values_list('role', flat=True).get()
except OrganizationMember.DoesNotExist:
# this should probably never happen?
return False
return roles.get(role).is_global
elif hasattr(request.auth,
'project_id') and project.id == request.auth.project_id:
return True
return False
def from_auth(auth, organization):
if is_system_auth(auth):
return SystemAccess()
if auth.organization_id == organization.id:
return OrganizationGlobalAccess(auth.organization)
else:
return DEFAULT
def has_download_permission(request, project):
if is_system_auth(request.auth) or is_active_superuser(request):
return True
if not request.user.is_authenticated():
return False
organization = project.organization
required_role = organization.get_option(
"sentry:debug_files_role") or DEBUG_FILES_ROLE_DEFAULT
if request.user.is_sentry_app:
if roles.get(required_role).priority > roles.get("member").priority:
return request.access.has_scope("project:write")
else:
return request.access.has_scope("project:read")
try:
current_role = (OrganizationMember.objects.filter(
organization=organization,
user=request.user).values_list("role", flat=True).get())
except OrganizationMember.DoesNotExist:
return False
return roles.get(current_role).priority >= roles.get(
required_role).priority
def has_object_permission(self, request, view, project):
result = super(EventAttachmentDetailsPermission, self).has_object_permission(
request, view, project
)
if not result:
return result
if is_system_auth(request.auth) or is_active_superuser(request):
return True
if not request.user.is_authenticated():
return False
organization = project.organization
required_role = (
organization.get_option("sentry:attachments_role") or ATTACHMENTS_ROLE_DEFAULT
)
try:
current_role = (
OrganizationMember.objects.filter(organization=organization, user=request.user)
.values_list("role", flat=True)
.get()
)
except OrganizationMember.DoesNotExist:
return False
required_role = roles.get(required_role)
current_role = roles.get(current_role)
return current_role.priority >= required_role.priority
def from_auth(auth, organization):
if is_system_auth(auth):
return SystemAccess()
if auth.organization_id == organization.id:
return OrganizationGlobalAccess(auth.organization)
else:
return DEFAULT
def has_object_permission(self, request, view, project):
result = super(ProjectPermission,
self).has_object_permission(request, view, project.organization)
if not result:
return result
if project.teams.exists():
return any(
has_team_permission(request, team, self.scope_map) for team in project.teams.all()
)
elif is_system_auth(request.auth):
return True
elif request.user.is_authenticated():
# this is only for team-less projects
if is_active_superuser(request):
return True
try:
role = OrganizationMember.objects.filter(
organization=project.organization,
user=request.user,
).values_list('role', flat=True).get()
except OrganizationMember.DoesNotExist:
# this should probably never happen?
return False
return roles.get(role).is_global
elif hasattr(request.auth, 'project_id') and project.id == request.auth.project_id:
return True
return False
def from_auth(auth, organization: Organization) -> Access:
if is_system_auth(auth):
return SystemAccess()
if auth.organization_id == organization.id:
return OrganizationGlobalAccess(auth.organization,
settings.SENTRY_SCOPES,
sso_is_valid=True)
else:
return DEFAULT
def has_object_permission(self, request, view, user=None):
if user is None:
user = request.user
if request.user == user:
return True
if is_system_auth(request.auth):
return True
if request.auth:
return False
if is_active_superuser(request):
return True
return False
def has_object_permission(self, request, view, user=None):
if user is None:
user = request.user
if request.user == user:
return True
if is_system_auth(request.auth):
return True
if request.auth:
return False
if is_active_superuser(request):
return True
return False
def has_permission(self, request, view):
return is_system_auth(request.auth)
def is_active_superuser(request):
if is_system_auth(getattr(request, "auth", None)):
return True
su = getattr(request, "superuser", None) or Superuser(request)
return su.is_active
def test_is_system_auth(self):
token = SystemToken()
assert is_system_auth(token)
assert not is_system_auth({})
def has_permission(self, request, view):
return is_system_auth(request.auth)
def is_active_superuser(request):
if is_system_auth(getattr(request, 'auth', None)):
return True
su = getattr(request, 'superuser', None) or Superuser(request)
return su.is_active
