getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

Can't update a team member's role with an Internal Integration Token #77696

Open afle1 opened 3 days ago

afle1 commented 3 days ago

Environment

SaaS (https://sentry.io/)

Steps to Reproduce

  1. Add an organization member with Member role
  2. Add the user to a team with Contributor role
  3. Create an internal integration and give it enough permissions to update team member roles according to the API documentation (none of the scopes listed work)
  4. Make a PUT request with the Internal Integration's Bearer token to https://us.sentry.io/api/0/organizations/{organization_id_or_slug}/members/{member_id}/teams/{team_id_or_slug}/ to make the user a team Admin

Expected Result

  1. Request succeeds, and the user's team role is updated to Admin

Actual Result

Request fails with a 400 error with the following response body.

{"detail":"You do not have permission to edit that user's membership."}

Looking at the code, it seems the check does not solely rely on the scopes but also the roles of the user in the organization and team (which I guess doesn't make sense for an internal integration).

Product Area

APIs

Link

https://us.sentry.io/api/0/organizations/{organization_id_or_slug}/members/{member_id}/teams/{team_id_or_slug}/

DSN

No response

Version

No response
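As an added illustration (not Sentry's code) of the check this report describes: a simplified model in which editing a team membership requires both a token scope and a membership role, beside a hypothetical variant that authorizes an internal integration by its granted scopes alone. The scope name, role names and response bodies are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple

# Constructed stand-ins (assumptions): the scope the endpoint requires and
# the org roles treated as elevated. Not taken from Sentry's source.
REQUIRED_SCOPE = "team:write"
ELEVATED_ORG_ROLES = {"admin", "manager", "owner"}


@dataclass
class Requester:
    kind: str                        # "user" or "internal_integration"
    scopes: Set[str] = field(default_factory=set)
    org_role: Optional[str] = None   # an integration has no org membership
    team_role: Optional[str] = None  # an integration has no team membership


def has_role_for_edit(req: Requester) -> bool:
    """Role half of the check: elevated org role or team admin."""
    return req.org_role in ELEVATED_ORG_ROLES or req.team_role == "admin"


def can_edit_current(req: Requester) -> bool:
    """Check as the issue describes it: scope AND membership role.
    An integration token carries scopes but no role, so it never passes."""
    return REQUIRED_SCOPE in req.scopes and has_role_for_edit(req)


def can_edit_fixed(req: Requester) -> bool:
    """Hypothetical fix: the role check applies to human members only; an
    integration is authorized by the scopes granted at creation time."""
    if REQUIRED_SCOPE not in req.scopes:
        return False
    if req.kind == "internal_integration":
        return True
    return has_role_for_edit(req)


def put_team_membership(req: Requester,
                        check: Callable[[Requester], bool]) -> Tuple[int, dict]:
    """Simulate the PUT handler's outcome under a given permission check.
    The 400 body matches the issue; the 200 body is constructed."""
    if not check(req):
        return 400, {"detail": "You do not have permission to edit that user's membership."}
    return 200, {"teamRole": "admin"}


if __name__ == "__main__":
    token = Requester("internal_integration", scopes={REQUIRED_SCOPE})
    member = Requester("user", scopes={REQUIRED_SCOPE},
                       org_role="member", team_role="contributor")
    print(put_team_membership(token, can_edit_current))   # 400, as reported
    print(put_team_membership(token, can_edit_fixed))     # 200
    print(put_team_membership(member, can_edit_fixed))    # 400: plain member
```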

getsantry[bot] commented 3 days ago

Assigning to @getsentry/support for routing ⏲️

getsantry[bot] commented 3 days ago

Routing to @getsentry/product-owners-settings-members for triage ⏲️