fix(alerts): allow team admins to create alert rules (#79624)

Fix a permission issue where team admins were unable to create alerts. The fix involves granting org:read access to the endpoint and then confirming in the convert_args that the user is a team admin for the project in the request. Also add a test to confirm this behavior. Fixes #75612
getsentry · Oct 28, 2024 · e8159b8 · e8159b8
1 parent 0478fee
commit e8159b8
Show file tree

Hide file tree

Showing 3 changed files with 81 additions and 2 deletions.
diff --git a/src/sentry/api/bases/organization.py b/src/sentry/api/bases/organization.py
@@ -204,7 +204,9 @@ class OrganizationDataExportPermission(OrganizationPermission):
 class OrganizationAlertRulePermission(OrganizationPermission):
     scope_map = {
         "GET": ["org:read", "org:write", "org:admin", "alerts:read"],
-        "POST": ["org:write", "org:admin", "alerts:write"],
+        # grant org:read permission, but raise permission denied if the members aren't allowed
+        # to create alerts and the user isn't a team admin
+        "POST": ["org:read", "org:write", "org:admin", "alerts:write"],
         "PUT": ["org:write", "org:admin", "alerts:write"],
         "DELETE": ["org:write", "org:admin", "alerts:write"],
     }

diff --git a/src/sentry/incidents/endpoints/organization_alert_rule_index.py b/src/sentry/incidents/endpoints/organization_alert_rule_index.py
@@ -6,7 +6,7 @@
 from django.db.models.functions import Coalesce
 from drf_spectacular.utils import extend_schema, extend_schema_serializer
 from rest_framework import serializers, status
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.request import Request
 from rest_framework.response import Response
 
@@ -436,6 +436,25 @@ class OrganizationAlertRuleIndexEndpoint(OrganizationEndpoint, AlertRuleIndexMix
     }
     permission_classes = (OrganizationAlertRulePermission,)
 
+    def check_can_create_alert(self, request: Request, organization: Organization) -> None:
+        """
+        Determine if the requesting user has access to alert creation. If the request does not have the "alerts:write"
+        permission, then we must verify that the user is a team admin with "alerts:write" access to the project(s)
+        in their request.
+        """
+        #
+        if request.access.has_scope("alerts:write"):
+            return
+        # team admins should be able to crete alerts for the projects they have access to
+        projects = self.get_projects(request, organization)
+        # team admins will have alerts:write scoped to their projects, members will not
+        team_admin_has_access = all(
+            [request.access.has_project_scope(project, "alerts:write") for project in projects]
+        )
+        # all() returns True for empty list, so include a check for it
+        if not team_admin_has_access or not projects:
+            raise PermissionDenied
+
     @extend_schema(
         operation_id="List an Organization's Metric Alert Rules",
         parameters=[GlobalParams.ORG_ID_OR_SLUG],
@@ -625,4 +644,5 @@ def post(self, request: Request, organization: Organization) -> Response:
         }
         ```
         """
+        self.check_can_create_alert(request, organization)
         return self.create_metric_alert(request, organization)
diff --git a/tests/sentry/incidents/endpoints/test_organization_alert_rule_index.py b/tests/sentry/incidents/endpoints/test_organization_alert_rule_index.py
@@ -1016,6 +1016,63 @@ def test_no_perms(self):
         resp = self.get_response(self.organization.slug, **self.alert_rule_dict)
         assert resp.status_code == 403
 
+    def test_team_admin_create(self):
+        team_admin_user = self.create_user()
+        self.create_member(
+            team_roles=[(self.team, "admin")],
+            user=team_admin_user,
+            role="member",
+            organization=self.organization,
+        )
+
+        member_user = self.create_user()
+        self.create_member(
+            user=member_user, organization=self.organization, role="member", teams=[self.team]
+        )
+
+        self.organization.update_option("sentry:alerts_member_write", False)
+        self.login_as(team_admin_user)
+        with self.feature("organizations:incidents"):
+            resp = self.get_success_response(self.organization.slug, **self.alert_rule_dict)
+        assert resp.status_code == 201
+
+        # verify that a team admin cannot create an alert for a project their team doesn't own
+        with self.feature("organizations:incidents"):
+            resp = self.get_error_response(
+                self.organization.slug,
+                status_code=400,
+                projects=[
+                    self.create_project(organization=self.create_organization()).slug,
+                ],
+                name="an alert",
+                owner=team_admin_user.id,
+                thresholdType=1,
+                query="hi",
+                aggregate="count()",
+                timeWindow=10,
+                alertThreshold=1000,
+                resolveThreshold=100,
+                triggers=[
+                    {
+                        "label": "critical",
+                        "alertThreshold": 200,
+                        "actions": [
+                            {
+                                "type": "email",
+                                "targetType": "team",
+                                "targetIdentifier": self.team.id,
+                            }
+                        ],
+                    }
+                ],
+            )
+            assert resp.json() == {"projects": ["Invalid project"]}
+
+        # verify that a regular team member cannot create an alert
+        self.login_as(member_user)
+        resp = self.get_response(self.organization.slug, **self.alert_rule_dict)
+        assert resp.status_code == 403
+
     def test_member_create(self):
         member_user = self.create_user()
         self.create_member(