fix(oauth): Limit org index response to token's org

getsentry · Nov 27, 2024 · 2975ec0 · 2975ec0
1 parent 32350ea
commit 2975ec0
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 13 deletions.
diff --git a/src/sentry/api/endpoints/organization_index.py b/src/sentry/api/endpoints/organization_index.py
@@ -125,19 +125,8 @@ def get(self, request: Request) -> Response:
                 )
             )
             if request.auth and request.auth.organization_id is not None and queryset.count() > 1:
-                # TODO: @athena Remove the temporary logging
-                # If a token is limitted to one organization, this case should not happen
-                # So ideally here we should limit the query set to that one org
-                # Adding some logging to verify if this is going to be a breaking change
-                logger.info(
-                    "organization_index.unexpected_results",
-                    extra={
-                        "token_org": request.auth.organization_id,
-                        "org_count": queryset.count(),
-                        "user_id": request.auth.user_id,
-                        "app_id": request.auth.application_id,
-                    },
-                )
+                # If a token is limitted to one organization, this endpoint should only return that one organization
+                queryset = queryset.filter(id=request.auth.organization_id)
 
         query = request.GET.get("query")
         if query:

diff --git a/tests/sentry/api/endpoints/test_organization_index.py b/tests/sentry/api/endpoints/test_organization_index.py
@@ -5,8 +5,10 @@
 from unittest.mock import patch
 
 from django.test import override_settings
+from django.urls import reverse
 
 from sentry.auth.authenticators.totp import TotpInterface
+from sentry.models.apitoken import ApiToken
 from sentry.models.options.organization_option import OrganizationOption
 from sentry.models.organization import Organization, OrganizationStatus
 from sentry.models.organizationmapping import OrganizationMapping
@@ -105,6 +107,27 @@ def test_member_id_query(self):
         response = self.get_success_response(qs_params={"query": f"member_id:{om.id + 10}"})
         assert len(response.data) == 0
 
+    def test_show_only_token_organization(self):
+        org1 = self.create_organization(owner=self.user)
+        self.create_organization(owner=self.user)
+        self.login_as(user=self.user)
+        with assume_test_silo_mode(SiloMode.CONTROL):
+            user_token = ApiToken.objects.create(user=self.user, scope_list=["org:read"])
+        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {user_token.plaintext_token}")
+        response = self.client.get(reverse(self.endpoint))
+        # if token is not specific to any organization, it should return all the organizations
+        assert len(response.data) == 2
+
+        with assume_test_silo_mode(SiloMode.CONTROL):
+            org_scoped_token = ApiToken.objects.create(
+                user=self.user, scoping_organization_id=org1.id, scope_list=["org:read"]
+            )
+        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {org_scoped_token.plaintext_token}")
+        response = self.client.get(reverse(self.endpoint))
+        # if token is specific to an organization, it should return only that organization
+        assert len(response.data) == 1
+        assert response.data[0]["id"] == str(org1.id)
+
 
 class OrganizationsCreateTest(OrganizationIndexTest, HybridCloudTestMixin):
     method = "post"