feat(ecosystem): Open permissions for code mappings to members

[scttcper]

Loosens permissions to anyone with org:read for code owners, code mappings.

fixes https://getsentry.atlassian.net/browse/WOR-2186

[armenzg]

For posterity, the current change of permissions would look like this:

         "GET":     ["org:read", "org:write", "org:admin", "org:integrations"],
-        "POST":    [            "org:write", "org:admin", "org:integrations"],
+        "POST":    ["org:read", "org:write", "org:admin", "org:integrations"],
-        "PUT":     [            "org:write", "org:admin", "org:integrations"],
+        "PUT":     ["org:read", "org:write", "org:admin", "org:integrations"],
-        "DELETE":  [                         "org:admin", "org:integrations"],
+        "DELETE":  ["org:read", "org:write", "org:admin", "org:integrations"],

sentry/src/sentry/api/bases/organization.py

Lines 97 to 103 in c605f45

	class OrganizationIntegrationsPermission(OrganizationPermission):
	scope_map = {
	"GET": ["org:read", "org:write", "org:admin", "org:integrations"],
	"POST": ["org:write", "org:admin", "org:integrations"],
	"PUT": ["org:write", "org:admin", "org:integrations"],
	"DELETE": ["org:admin", "org:integrations"],
	}

[armenzg]

As per @NisanthanNanthakumar the member role doesn't have org:write here

sentry/src/sentry/conf/server.py

Lines 1652 to 1666 in f617782

	"id": "member",
	"name": "Member",
	"desc": "Members can view and act on events, as well as view most other data within the organization.",
	"scopes": {
	"event:read",
	"event:write",
	"event:admin",
	"project:releases",
	"project:read",
	"org:read",
	"member:read",
	"team:read",
	"alerts:read",
	"alerts:write",
	},

[armenzg]

This grants any organization member to read, write, update and delete the details of code mappings. Is this correct?

[scttcper]

that's the goal i believe

[armenzg]

This is updating an existing code mapping:
source_root: "/source/root" -> "newRoot"

This is the code mapping:

sentry/tests/sentry/api/endpoints/test_organization_code_mapping_details.py

Lines 38 to 45 in c605f45

	self.config = RepositoryProjectPathConfig.objects.create(
	repository_id=str(self.repo.id),
	project_id=str(self.project.id),
	organization_integration_id=str(self.org_integration.id),
	stack_root="/stack/root",
	source_root="/source/root",
	default_branch="master",
	)

[armenzg]

This creates a new code mapping by a non-superuser user:

sentry/tests/sentry/api/endpoints/test_organization_code_mappings.py

Line 15 in c605f45

self.user2 = self.create_user("nisanthan@sentry.io", is_superuser=False)

[armenzg]

I would like to know the difference between org:read vs org:write to feel comfortable about giving org:read access to the endpoints.

[armenzg]

The creation of users and members in here are slightly different than the other setUp methods I have looked at:

sentry/tests/sentry/api/endpoints/test_organization_code_mappings.py

Line 15 in c605f45

self.user2 = self.create_user("nisanthan@sentry.io", is_superuser=False)

sentry/tests/sentry/api/endpoints/test_organization_code_mappings.py

Lines 23 to 28 in c605f45

	self.create_member(
	organization=self.organization,
	user=self.user2,
	has_global_access=False,
	teams=[self.team2],
	)

This is just an observation. It probably does not matter.

[NisanthanNanthakumar]

needs a small change

[NisanthanNanthakumar]

@scttcper DELETE should not have org:read or org:write. The permissions to delete does not need to be loosened

[armenzg]

As per @NisanthanNanthakumar the member role doesn't have org:write here

sentry/src/sentry/conf/server.py

Lines 1652 to 1666 in f617782

	"id": "member",
	"name": "Member",
	"desc": "Members can view and act on events, as well as view most other data within the organization.",
	"scopes": {
	"event:read",
	"event:write",
	"event:admin",
	"project:releases",
	"project:read",
	"org:read",
	"member:read",
	"team:read",
	"alerts:read",
	"alerts:write",
	},