feat(org member invite): OrganizationMemberInviteDetails PUT endpoint #88409
Conversation
github-actions
bot
added
the
Scope: Backend
mifu67
force-pushed
the
mifu67/member-invite/omi-details-put
branch
from
b998826 to
1a75bd2
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| try: | ||
| invited_member.validate_invitation(approving_user, allowed_roles) | ||
| except UnableToAcceptMemberInvitationException as err: | ||
| raise serializers.ValidationError(str(err)) |
Check warning
Code scanning / CodeQL
Information exposure through an exception Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
To fix the problem, we should avoid exposing the detailed exception message to the end user. Instead, we should log the detailed error message on the server and return a generic error message to the user. This can be achieved by modifying the exception handling in the validate_approve method to log the exception and raise a generic ValidationError.
| @@ -15,3 +15,5 @@ | ||
| from sentry.users.services.user.service import user_service | ||
| import logging | ||
|
|
||
| logger = logging.getLogger(__name__) | ||
|
|
||
| @@ -166,3 +168,4 @@ | ||
| except UnableToAcceptMemberInvitationException as err: | ||
| raise serializers.ValidationError(str(err)) | ||
| logger.error(f"Unable to accept member invitation: {err}") | ||
| raise serializers.ValidationError("An error occurred while processing the invitation.") | ||
|
|
Codecov ReportAttention: Patch coverage is ✅ All tests successful. No failed tests found. Additional details and impacted files@@ Coverage Diff @@
## master #88409 +/- ##
========================================
Coverage 87.72% 87.73%
========================================
Files 10003 10004 +1
Lines 566676 567124 +448
Branches 22265 22265
========================================
+ Hits 497108 497538 +430
- Misses 69150 69168 +18
Partials 418 418 |
|
|
||
| if result.get("orgRole"): | ||
| invited_member.set_org_role(result["orgRole"]) | ||
| if result.get("teams"): |
There was a problem hiding this comment.
The original OrganizationMemberDetails endpoint allows you to set team roles for invited members. Do we want to continue to allow this behavior? We don't set team roles when inviting members, so users would be required to make an additional PUT request for an invited member.
There was a problem hiding this comment.
probably a good idea to try to replicate existing behavior where possible
| return Response({"detail": ERR_INSUFFICIENT_SCOPE}, status=400) | ||
| if invited_member.token_expired: | ||
| return Response({"detail": ERR_EXPIRED}, status=400) | ||
| invited_member.send_invite_email() |
There was a problem hiding this comment.
what happened to sending SSO linked emails?
|
|
||
| if result.get("orgRole"): | ||
| invited_member.set_org_role(result["orgRole"]) | ||
| if result.get("teams"): |
There was a problem hiding this comment.
probably a good idea to try to replicate existing behavior where possible
| if request.data["approve"] is False: | ||
| return Response({"detail": ERR_WRONG_METHOD}, status=400) |
| if not is_invite_from_user: | ||
| return Response({"detail": ERR_MEMBER_INVITE}, status=403) | ||
|
|
||
| if result.get("reinvite"): |
There was a problem hiding this comment.
it seems like we ignore the other fields if reinvite is true. should this be moved to the top of the method so we don't attempt to validate the other fields? although it also doesn't seem like an implausible situation to use the API to update AND reinvite, even if it's not surfaced in the UI
| is_member = not request.access.has_scope("member:admin") and ( | ||
| request.access.has_scope("member:invite") | ||
| ) | ||
| members_can_invite = not organization.flags.disable_member_invite | ||
| # Members can only resend invites | ||
| is_reinvite_request_only = ( | ||
| set(result.keys()).issubset({"reinvite", "regenerate"}) | ||
| and "approve" not in request.data | ||
| ) | ||
|
|
||
| # Members can only resend invites that they sent | ||
| is_invite_from_user = invited_member.inviter_id == request.user.id | ||
|
|
||
| if is_member: | ||
| if not (members_can_invite and is_reinvite_request_only): | ||
| # this check blocks members from doing anything but reinviting | ||
| raise PermissionDenied | ||
| if not is_invite_from_user: | ||
| return Response({"detail": ERR_MEMBER_INVITE}, status=403) |
There was a problem hiding this comment.
should we be checking member permissions before validating the incoming data? i would also put this into its own function if possible
| "sentry.roles.organization_roles.get", | ||
| wraps=mock_organization_roles_get_factory(organization_roles.get), | ||
| ) | ||
| def test_update_teams_invalid__a(self, mock_get): |
There was a problem hiding this comment.
| def test_update_teams_invalid__a(self, mock_get): | |
| def test_update_teams_invalid__team_assignments_change_orgrole(self, mock_get): |
?
| == "You do not have permission to approve a member invitation with the role owner." | ||
| ) | ||
|
|
||
| @with_feature({"organizations:invite-members": False}) |
There was a problem hiding this comment.
the default is True, should we just remove this FF?
Implement the PUT method on the OrganizationMemberInviteDetails endpoint. The method supports the following functionality: