feat: Personal API key scopes

.vscode/launch.json

@@ -71,7 +71,6 @@
                 "SKIP_SERVICE_VERSION_REQUIREMENTS": "1",
                 "PRINT_SQL": "1",
                 "REPLAY_EVENTS_NEW_CONSUMER_RATIO": "1.0",
-                "AUTO_LOGIN": "True",
                 "BILLING_SERVICE_URL": "https://billing.dev.posthog.dev"
             },
             "console": "integratedTerminal",

ee/api/billing.py

@@ -37,6 +37,8 @@ class BillingViewset(TeamAndOrgViewSetMixin, viewsets.GenericViewSet):
     serializer_class = BillingSerializer
     derive_current_team_from_user_only = True
 
+    scope_object = "INTERNAL"
+
     def list(self, request: Request, *args: Any, **kwargs: Any) -> Response:
         license = get_cached_instance_license()
         if license and not license.is_v2_license:

ee/api/dashboard_collaborator.py

@@ -88,13 +88,13 @@ class DashboardCollaboratorViewSet(
     mixins.DestroyModelMixin,
     viewsets.GenericViewSet,
 ):
+    scope_object = "INTERNAL"
     permission_classes = [CanEditDashboardCollaborator]
     pagination_class = None
     queryset = DashboardPrivilege.objects.select_related("dashboard").filter(user__is_active=True)
     lookup_field = "user__uuid"
     serializer_class = DashboardCollaboratorSerializer
     filter_rewrite_rules = {"team_id": "dashboard__team_id"}
-    include_in_docs = False
 
     def get_serializer_context(self) -> Dict[str, Any]:
         context = super().get_serializer_context()

ee/api/explicit_team_member.py

@@ -102,14 +102,14 @@ def validate(self, attrs):
 
 
 class ExplicitTeamMemberViewSet(TeamAndOrgViewSetMixin, viewsets.ModelViewSet):
+    scope_object = "project"
     pagination_class = None
     queryset = ExplicitTeamMembership.objects.filter(parent_membership__user__is_active=True).select_related(
         "team", "parent_membership", "parent_membership__user"
     )
     lookup_field = "parent_membership__user__uuid"
     ordering = ["level", "-joined_at"]
     serializer_class = ExplicitTeamMemberSerializer
-    include_in_docs = True
 
     permission_classes = [IsAuthenticated, TeamMemberStrictManagementPermission]
 

ee/api/feature_flag_role_access.py

@@ -73,6 +73,7 @@ class FeatureFlagRoleAccessViewSet(
     mixins.RetrieveModelMixin,
     viewsets.GenericViewSet,
 ):
+    scope_object = "feature_flag"
     permission_classes = [FeatureFlagRoleAccessPermissions]
     serializer_class = FeatureFlagRoleAccessSerializer
     queryset = FeatureFlagRoleAccess.objects.select_related("feature_flag")

ee/api/hooks.py

@@ -31,6 +31,10 @@ class HookViewSet(TeamAndOrgViewSetMixin, viewsets.ModelViewSet):
     Retrieve, create, update or destroy REST hooks.
     """
 
+    scope_object = "webhook"
+    # NOTE: This permissions is needed for Zapier calls but we don't want to expose it in the API docs until
+    # it is able to support more than Zapier
+    hide_api_docs = True
     queryset = Hook.objects.all()
     ordering = "-created_at"
     serializer_class = HookSerializer

ee/api/organization_resource_access.py

@@ -41,6 +41,7 @@ class OrganizationResourceAccessViewSet(
     mixins.DestroyModelMixin,
     viewsets.GenericViewSet,
 ):
+    scope_object = "INTERNAL"
     permission_classes = [RolePermissions]
     serializer_class = OrganizationResourceAccessSerializer
     queryset = OrganizationResourceAccess.objects.all()

ee/api/role.py

@@ -93,6 +93,7 @@ class RoleViewSet(
     mixins.DestroyModelMixin,
     viewsets.GenericViewSet,
 ):
+    scope_object = "organization"
     permission_classes = [RolePermissions]
     serializer_class = RoleSerializer
     queryset = Role.objects.all()
@@ -133,6 +134,7 @@ class RoleMembershipViewSet(
     mixins.DestroyModelMixin,
     viewsets.GenericViewSet,
 ):
+    scope_object = "organization"
     permission_classes = [RolePermissions]
     serializer_class = RoleMembershipSerializer
     queryset = RoleMembership.objects.select_related("role")

ee/api/subscription.py

@@ -90,6 +90,7 @@ def update(self, instance: Subscription, validated_data: dict, *args: Any, **kwa
 
 
 class SubscriptionViewSet(TeamAndOrgViewSetMixin, ForbidDestroyModel, viewsets.ModelViewSet):
+    scope_object = "subscription"
     queryset = Subscription.objects.all()
     serializer_class = SubscriptionSerializer
     permission_classes = [PremiumFeaturePermission]

ee/api/test/test_authentication.py

@@ -281,7 +281,7 @@ def test_can_get_saml_metadata(self):
 
     def test_need_to_be_authenticated_to_get_saml_metadata(self):
         response = self.client.get("/api/saml/metadata/")
-        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
         self.assertEqual(response.json(), self.unauthenticated_response())
 
     def test_only_admins_can_get_saml_metadata(self):
@@ -498,7 +498,7 @@ def test_cannot_login_with_improperly_signed_payload(self):
 
         # Test logged in request fails
         response = self.client.get("/api/users/@me/")
-        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
     @freeze_time("2021-08-25T22:09:14.252Z")
     def test_cannot_signup_with_saml_if_jit_provisioning_is_disabled(self):
@@ -539,7 +539,7 @@ def test_cannot_signup_with_saml_if_jit_provisioning_is_disabled(self):
 
         # Test logged in request fails
         response = self.client.get("/api/users/@me/")
-        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
     @freeze_time("2021-08-25T23:53:51.000Z")
     def test_cannot_create_account_without_first_name_in_payload(self):
@@ -617,7 +617,7 @@ def test_cannot_login_with_saml_on_unverified_domain(self):
 
         # Assert user is not logged in
         response = self.client.get("/api/users/@me/")
-        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
     def test_saml_can_be_enforced(self):
         User.objects.create_and_join(

ee/api/test/test_team.py

@@ -1,7 +1,6 @@
 from rest_framework.status import (
     HTTP_200_OK,
     HTTP_204_NO_CONTENT,
-    HTTP_400_BAD_REQUEST,
     HTTP_403_FORBIDDEN,
     HTTP_404_NOT_FOUND,
 )
@@ -98,17 +97,44 @@ def test_user_that_does_not_belong_to_an_org_cannot_create_a_project(self):
         self.client.force_login(user)
 
         response = self.client.post("/api/projects/", {"name": "Test"})
-        self.assertEqual(response.status_code, HTTP_400_BAD_REQUEST, response.content)
+        self.assertEqual(response.status_code, HTTP_404_NOT_FOUND, response.content)
         self.assertEqual(
             response.json(),
             {
-                "type": "validation_error",
-                "code": "invalid_input",
+                "type": "invalid_request",
+                "code": "not_found",
                 "detail": "You need to belong to an organization.",
                 "attr": None,
             },
         )
 
+    def test_user_create_project_for_org_via_url(self):
+        # Set both current and new org to high enough membership level
+        self.organization_membership.level = OrganizationMembership.Level.ADMIN
+        self.organization_membership.save()
+
+        current_org, _, _ = Organization.objects.bootstrap(self.user, name="other_org")
+        other_org = self.organization  # Bootstrapping above sets it to the current org
+
+        assert current_org.id == self.user.current_organization_id
+        response = self.client.post(f"/api/organizations/{current_org.id}/projects/", {"name": "Via current org"})
+        self.assertEqual(response.status_code, 201)
+        assert response.json()["organization"] == str(current_org.id)
+
+        assert other_org.id != self.user.current_organization_id
+        response = self.client.post(f"/api/organizations/{other_org.id}/projects/", {"name": "Via path org"})
+        self.assertEqual(response.status_code, 201, msg=response.json())
+        assert response.json()["organization"] == str(other_org.id)
+
+    def test_user_cannot_create_project_in_org_without_access(self):
+        _, _, _ = Organization.objects.bootstrap(self.user, name="other_org")
+        other_org = self.organization  # Bootstrapping above sets it to the current org
+
+        assert other_org.id != self.user.current_organization_id
+        response = self.client.post(f"/api/organizations/{other_org.id}/projects/", {"name": "Via path org"})
+        self.assertEqual(response.status_code, 403, msg=response.json())
+        assert response.json() == self.permission_denied_response("Your organization access level is insufficient.")
+
     # Deleting projects
 
     def test_delete_team_as_org_admin_allowed(self):

ee/clickhouse/views/experiments.py

@@ -282,6 +282,7 @@ def update(self, instance: Experiment, validated_data: dict, *args: Any, **kwarg
 
 
 class ClickhouseExperimentsViewSet(TeamAndOrgViewSetMixin, viewsets.ModelViewSet):
+    scope_object = "experiment"
     serializer_class = ExperimentSerializer
     queryset = Experiment.objects.all()
     permission_classes = [PremiumFeaturePermission]

ee/clickhouse/views/groups.py

@@ -26,6 +26,7 @@ class Meta:
 
 
 class ClickhouseGroupsTypesView(TeamAndOrgViewSetMixin, mixins.ListModelMixin, viewsets.GenericViewSet):
+    scope_object = "group"
     serializer_class = GroupTypeSerializer
     queryset = GroupTypeMapping.objects.all().order_by("group_type_index")
     pagination_class = None
@@ -54,6 +55,7 @@ class Meta:
 
 
 class ClickhouseGroupsView(TeamAndOrgViewSetMixin, mixins.ListModelMixin, viewsets.GenericViewSet):
+    scope_object = "group"
     serializer_class = GroupSerializer
     queryset = Group.objects.all()
     pagination_class = GroupCursorPagination

ee/clickhouse/views/test/__snapshots__/test_clickhouse_experiment_secondary_results.ambr

@@ -1,7 +1,7 @@
 # serializer version: 1
 # name: ClickhouseTestExperimentSecondaryResults.test_basic_secondary_metric_results
   '''
-  /* user_id:124 celery:posthog.tasks.tasks.sync_insight_caching_state */
+  /* user_id:123 celery:posthog.tasks.tasks.sync_insight_caching_state */
   SELECT team_id,
          date_diff('second', max(timestamp), now()) AS age
   FROM events

ee/session_recordings/session_recording_playlist.py

@@ -163,12 +163,12 @@ def _check_can_create_playlist(self, team: Team) -> bool:
 
 
 class SessionRecordingPlaylistViewSet(TeamAndOrgViewSetMixin, ForbidDestroyModel, viewsets.ModelViewSet):
+    scope_object = "session_recording_playlist"
     queryset = SessionRecordingPlaylist.objects.all()
     serializer_class = SessionRecordingPlaylistSerializer
     throttle_classes = [ClickHouseBurstRateThrottle, ClickHouseSustainedRateThrottle]
     filter_backends = [DjangoFilterBackend]
     filterset_fields = ["short_id", "created_by"]
-    include_in_docs = True
     lookup_field = "short_id"
 
     def get_queryset(self) -> QuerySet:

frontend/src/lib/api.ts

@@ -50,6 +50,7 @@ import {
     OrganizationFeatureFlagsCopyBody,
     OrganizationResourcePermissionType,
     OrganizationType,
+    PersonalAPIKeyType,
     PersonListParams,
     PersonType,
     PluginConfigTypeNew,
@@ -717,6 +718,15 @@ class ApiRequest {
         return this.projectsDetail(teamId).addPathComponent('activity_log')
     }
 
+    // Personal API keys
+    public personalApiKeys(): ApiRequest {
+        return this.addPathComponent('personal_api_keys')
+    }
+
+    public personalApiKey(id: PersonalAPIKeyType['id']): ApiRequest {
+        return this.personalApiKeys().addPathComponent(id)
+    }
+
     // Request finalization
     public async get(options?: ApiMethodOptions): Promise<any> {
         return await api.get(this.assembleFullUrl(), options)
@@ -1966,6 +1976,21 @@ const api = {
         },
     },
 
+    personalApiKeys: {
+        async list(): Promise<PersonalAPIKeyType[]> {
+            return await new ApiRequest().personalApiKeys().get()
+        },
+        async create(data: Partial<PersonalAPIKeyType>): Promise<PersonalAPIKeyType> {
+            return await new ApiRequest().personalApiKeys().create({ data })
+        },
+        async update(id: PersonalAPIKeyType['id'], data: Partial<PersonalAPIKeyType>): Promise<PersonalAPIKeyType> {
+            return await new ApiRequest().personalApiKey(id).update({ data })
+        },
+        async delete(id: PersonalAPIKeyType['id']): Promise<void> {
+            await new ApiRequest().personalApiKey(id).delete()
+        },
+    },
+
     queryURL: (): string => {
         return new ApiRequest().query().assembleFullUrl(true)
     },

frontend/src/lib/components/CommandPalette/commandPaletteLogic.tsx

@@ -63,7 +63,6 @@ import { sidePanelLogic } from '~/layout/navigation-3000/sidepanel/sidePanelLogi
 import { sidePanelStateLogic } from '~/layout/navigation-3000/sidepanel/sidePanelStateLogic'
 import { InsightType } from '~/types'
 
-import { personalAPIKeysLogic } from '../../../scenes/settings/user/personalAPIKeysLogic'
 import { commandBarLogic } from '../CommandBar/commandBarLogic'
 import { BarStatus } from '../CommandBar/types'
 import { hedgehogBuddyLogic } from '../HedgehogBuddy/hedgehogBuddyLogic'
@@ -139,8 +138,6 @@ export const commandPaletteLogic = kea<commandPaletteLogicType>([
     path(['lib', 'components', 'CommandPalette', 'commandPaletteLogic']),
     connect({
         actions: [
-            personalAPIKeysLogic,
-            ['createKey'],
             router,
             ['push'],
             userLogic,
@@ -662,6 +659,13 @@ export const commandPaletteLogic = kea<commandPaletteLogicType>([
                             userLogic.actions.logout()
                         },
                     },
+                    {
+                        icon: IconUnlock,
+                        display: 'Go to Personal API Keys',
+                        executor: () => {
+                            push(urls.settings('user-api-keys'))
+                        },
+                    },
                 ],
             }
 
@@ -757,33 +761,6 @@ export const commandPaletteLogic = kea<commandPaletteLogicType>([
                 },
             }
 
-            const createPersonalApiKey: Command = {
-                key: 'create-personal-api-key',
-                scope: GLOBAL_COMMAND_SCOPE,
-                resolver: {
-                    icon: IconUnlock,
-                    display: 'Create Personal API Key',
-                    executor: () => ({
-                        instruction: 'Give your key a label',
-                        icon: IconKeyboard,
-                        scope: 'Creating Personal API Key',
-                        resolver: (argument) => {
-                            if (argument?.length) {
-                                return {
-                                    icon: IconUnlock,
-                                    display: `Create Key "${argument}"`,
-                                    executor: () => {
-                                        personalAPIKeysLogic.actions.createKey(argument)
-                                        push(urls.settings('user'), {}, 'personal-api-keys')
-                                    },
-                                }
-                            }
-                            return null
-                        },
-                    }),
-                },
-            }
-
             const createDashboard: Command = {
                 key: 'create-dashboard',
                 scope: GLOBAL_COMMAND_SCOPE,
@@ -961,7 +938,6 @@ export const commandPaletteLogic = kea<commandPaletteLogicType>([
             actions.registerCommand(openUrls)
             actions.registerCommand(debugClickhouseQueries)
             actions.registerCommand(calculator)
-            actions.registerCommand(createPersonalApiKey)
             actions.registerCommand(createDashboard)
             actions.registerCommand(shareFeedback)
             actions.registerCommand(debugCopySessionRecordingURL)