feat(org member invite): OrganizationMemberInviteDetails PUT endpoint

src/sentry/api/endpoints/organization_member_invite/details.py

@@ -1,18 +1,37 @@
 from typing import Any
 
+from django.db import router, transaction
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.request import Request
 from rest_framework.response import Response
 
-from sentry import features
+from sentry import audit_log, features, ratelimits
 from sentry.api.api_owners import ApiOwner
 from sentry.api.api_publish_status import ApiPublishStatus
 from sentry.api.base import region_silo_endpoint
 from sentry.api.bases.organization import OrganizationEndpoint
+from sentry.api.endpoints.organization_member import get_allowed_org_roles
 from sentry.api.endpoints.organization_member.utils import RelaxedMemberPermission
 from sentry.api.exceptions import ResourceDoesNotExist
 from sentry.api.serializers import serialize
+from sentry.api.serializers.rest_framework.organizationmemberinvite import (
+    ApproveInviteRequestValidator,
+    OrganizationMemberInviteRequestValidator,
+)
 from sentry.models.organization import Organization
 from sentry.models.organizationmemberinvite import OrganizationMemberInvite
+from sentry.utils import metrics
+from sentry.utils.audit import get_api_key_for_audit_log
+
+ERR_INSUFFICIENT_SCOPE = "You are missing the member:admin scope."
+ERR_MEMBER_INVITE = "You cannot modify invitations sent by someone else."
+ERR_EDIT_WHEN_REINVITING = (
+    "You cannot modify member details when resending an invitation. Separate requests are required."
+)
+ERR_EXPIRED = "You cannot resend an expired invitation without regenerating the token."
+ERR_RATE_LIMITED = "You are being rate limited for too many invitations."
+ERR_WRONG_METHOD = "You cannot reject an invite request via this method."
+ERR_INVITE_UNAPPROVED = "You cannot resend an invitation that has not been approved."
 
 MISSING_FEATURE_MESSAGE = "Your organization does not have access to this feature."
 
@@ -45,6 +64,48 @@ def convert_args(
             raise ResourceDoesNotExist
         return args, kwargs
 
+    def _reinvite(
+        self,
+        request: Request,
+        organization: Organization,
+        invited_member: OrganizationMemberInvite,
+        regenerate: bool,
+    ) -> Response:
+        if not invited_member.invite_approved:
+            return Response({"detail": ERR_INVITE_UNAPPROVED}, status=400)
+        if ratelimits.for_organization_member_invite(
+            organization=organization,
+            email=invited_member.email,
+            user=request.user,
+            auth=request.auth,
+        ):
+            metrics.incr(
+                "member-invite.attempt",
+                instance="rate_limited",
+                skip_internal=True,
+                sample_rate=1.0,
+            )
+            return Response({"detail": ERR_RATE_LIMITED}, status=429)
+        if regenerate:
+            if request.access.has_scope("member:admin"):
+                with transaction.atomic(router.db_for_write(OrganizationMemberInvite)):
+                    invited_member.regenerate_token()
+                    invited_member.save()
+            else:
+                return Response({"detail": ERR_INSUFFICIENT_SCOPE}, status=400)
+        if invited_member.token_expired:
+            return Response({"detail": ERR_EXPIRED}, status=400)
+        invited_member.send_invite_email()
+
+        self.create_audit_entry(
+            request=request,
+            organization=organization,
+            target_object=invited_member.id,
+            event=audit_log.get_event_id("MEMBER_REINVITE"),
+            data=invited_member.get_audit_log_data(),
+        )
+        return Response(serialize(invited_member, request.user), status=200)
+
     def get(
         self,
         request: Request,
@@ -61,9 +122,99 @@ def get(
         return Response(serialize(invited_member, request.user))
 
     def put(
-        self, request: Request, organization: Organization, invited_member: OrganizationMemberInvite
+        self,
+        request: Request,
+        organization: Organization,
+        invited_member: OrganizationMemberInvite,
     ) -> Response:
-        raise NotImplementedError
+        """
+        Update an invite request to Organization
+        ````````````````````````````````````````
+
+        Update and/or approve an invite request to an organization.
+
+        :pparam string organization_id_or_slug: the id or slug of the organization the member will belong to
+        :param string member_id: the member ID
+        :param boolean approve: allows the member to be invited
+        :param string orgRole: the suggested org-role of the new member
+        :param array teams: the teams which the member should belong to.
+        :auth: required
+        """
+        if not features.has(
+            "organizations:new-organization-member-invite", organization, actor=request.user
+        ):
+            return Response({"detail": MISSING_FEATURE_MESSAGE}, status=403)
+        # if the requesting user doesn't have >= member:admin perms, then they cannot approve invite
+        # members can reinvite users they invited, but they cannot edit invite requests
+        allowed_roles = get_allowed_org_roles(request, organization)
+        validator = OrganizationMemberInviteRequestValidator(
+            data=request.data,
+            partial=True,
+            context={
+                "organization": organization,
+                "allowed_roles": allowed_roles,
+                "org_role": invited_member.role,
+                "teams": invited_member.organization_member_team_data,
+            },
+        )
+        if not validator.is_valid():
+            return Response(validator.errors, status=400)
+
+        result = validator.validated_data
+
+        is_member = not request.access.has_scope("member:admin") and (
+            request.access.has_scope("member:invite")
+        )
+        members_can_invite = not organization.flags.disable_member_invite
+        # Members can only resend invites
+        is_reinvite_request_only = (
+            set(result.keys()).issubset({"reinvite", "regenerate"})
+            and "approve" not in request.data
+        )
+
+        # Members can only resend invites that they sent
+        is_invite_from_user = invited_member.inviter_id == request.user.id
+
+        if is_member:
+            if not (members_can_invite and is_reinvite_request_only):
+                # this check blocks members from doing anything but reinviting
+                raise PermissionDenied
+            if not is_invite_from_user:
+                return Response({"detail": ERR_MEMBER_INVITE}, status=403)
+
+        if result.get("reinvite"):
+            if not is_reinvite_request_only:
+                return Response({"detail": ERR_EDIT_WHEN_REINVITING}, status=403)
+            return self._reinvite(request, organization, invited_member, result.get("regenerate"))
+
+        if result.get("orgRole"):
+            invited_member.set_org_role(result["orgRole"])
+        if result.get("teams"):
+            invited_member.set_teams(result["teams"])
+
+        if "approve" in request.data:
+            # you can't reject an invite request via a PUT request
+            if request.data["approve"] is False:
+                return Response({"detail": ERR_WRONG_METHOD}, status=400)
+
+            approval_validator = ApproveInviteRequestValidator(
+                data=request.data,
+                context={
+                    "organization": organization,
+                    "invited_member": invited_member,
+                    "allowed_roles": allowed_roles,
+                },
+            )
+
+            if not approval_validator.is_valid():
+                return Response(approval_validator.errors, status=400)
+            if not invited_member.invite_approved:
+                api_key = get_api_key_for_audit_log(request)
+                invited_member.approve_invite_request(
+                    request.user, api_key, request.META["REMOTE_ADDR"], request.data.get("referrer")
+                )
+
+        return Response(serialize(invited_member, request.user), status=200)
 
     def delete(
         self, request: Request, organization: Organization, invited_member: OrganizationMemberInvite

src/sentry/api/endpoints/organization_member_invite/index.py

@@ -155,7 +155,10 @@ def _invite_member(self, request, organization) -> Response:
         referrer = request.query_params.get("referrer")
         omi.send_invite_email(referrer)
         member_invited.send_robust(
-            member=omi, user=request.user, sender=self, referrer=request.data.get("referrer")
+            invited_member=omi,
+            user=request.user,
+            sender=self,
+            referrer=request.data.get("referrer"),
         )
 
         return Response(serialize(omi), status=201)

src/sentry/api/serializers/rest_framework/organizationmemberinvite.py

@@ -6,6 +6,7 @@
     ROLE_CHOICES,
     MemberConflictValidationError,
 )
+from sentry.exceptions import UnableToAcceptMemberInvitationException
 from sentry.models.organizationmember import OrganizationMember
 from sentry.models.organizationmemberinvite import InviteStatus, OrganizationMemberInvite
 from sentry.models.team import Team, TeamStatus
@@ -26,6 +27,13 @@
     )
     teams = serializers.ListField(required=False, allow_null=False, default=[])
 
+    reinvite = serializers.BooleanField(
+        required=False,
+        help_text="Whether or not to re-invite a user who has already been invited to the organization. Defaults to True.",
+    )
+
+    regenerate = serializers.BooleanField(required=False)
+
     def validate_email(self, email):
         users = user_service.get_many_by_email(
             emails=[email],
@@ -60,6 +68,13 @@
         return email
 
     def validate_orgRole(self, role):
+        # if the user is making a PUT request and updating the org role to one that can't have teams
+        # assignments, but the existing invite has team assignments, raise an error
+        if self.context.get("teams", []) and not organization_roles.get(role).is_team_roles_allowed:
+            raise serializers.ValidationError(
+                f"The '{role}' role cannot be set on an invited user with team assignments."
+            )
+
         if role == "billing" and features.has(
             "organizations:invite-billing", self.context["organization"]
         ):
@@ -125,12 +140,30 @@
                     "You cannot assign members to teams you are not a member of."
                 )
 
-        if (
-            has_teams
-            and not organization_roles.get(self.initial_data.get("orgRole")).is_team_roles_allowed
-        ):
+        # if we're making a PUT request and not changing the org role, then orgRole will be None in the initial data
+        org_role = (
+            self.initial_data.get("orgRole")
+            if self.initial_data.get("orgRole") is not None
+            else self.context["org_role"]
+        )
+        if has_teams and not organization_roles.get(org_role).is_team_roles_allowed:
             raise serializers.ValidationError(
-                f"The user with a '{self.initial_data.get("orgRole")}' role cannot have team-level permissions."
+                f"The user with a '{org_role}' role cannot have team-level permissions."
             )
 
         return valid_teams
+
+
+class ApproveInviteRequestValidator(serializers.Serializer):
+    approve = serializers.BooleanField(required=True, write_only=True)
+
+    def validate_approve(self, approve):
+        invited_member = self.context["invited_member"]
+        allowed_roles = self.context["allowed_roles"]
+
+        try:
+            invited_member.validate_invitation(allowed_roles)
+        except UnableToAcceptMemberInvitationException as err:
+            raise serializers.ValidationError(str(err))
+
+        return approve

src/sentry/models/organizationmemberinvite.py

@@ -4,17 +4,21 @@
 from typing import TypedDict
 
 from django.conf import settings
-from django.db import models
+from django.db import models, router, transaction
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 
+from sentry import features
 from sentry.backup.dependencies import ImportKind
 from sentry.backup.helpers import ImportFlags
 from sentry.backup.scopes import ImportScope, RelocationScope
 from sentry.db.models import FlexibleForeignKey, region_silo_model, sane_repr
 from sentry.db.models.base import DefaultFieldsModel
 from sentry.db.models.fields.hybrid_cloud_foreign_key import HybridCloudForeignKey
+from sentry.exceptions import UnableToAcceptMemberInvitationException
+from sentry.models.team import Team
 from sentry.roles import organization_roles
+from sentry.signals import member_invited
 
 INVITE_DAYS_VALID = 30
 
@@ -42,6 +46,9 @@ def as_choices(cls):
     InviteStatus.REQUESTED_TO_JOIN.value: "requested_to_join",
 }
 
+ERR_CANNOT_INVITE = "Your organization is not allowed to invite members."
+ERR_JOIN_REQUESTS_DISABLED = "Your organization does not allow requests to join."
+
 
 def default_expiration():
     return timezone.now() + timedelta(days=INVITE_DAYS_VALID)
@@ -132,6 +139,64 @@ def approve_invite(self):
     def get_invite_status_name(self):
         return invite_status_names[self.invite_status]
 
+    def set_org_role(self, orgRole: str):
+        self.role = orgRole
+        self.save()
+
+    def set_teams(self, teams: list[Team]):
+        team_data = []
+        for team in teams:
+            team_data.append({"id": team.id, "slug": team.slug, "role": None})
+        self.organization_member_team_data = team_data
+        self.save()
+
+    def validate_invitation(self, allowed_roles):
+        """
+        Validates whether an org has the options to invite members, handle join requests,
+        and that the member role doesn't exceed the allowed roles to invite.
+        """
+        organization = self.organization
+        if not features.has("organizations:invite-members", organization):
+            raise UnableToAcceptMemberInvitationException(ERR_CANNOT_INVITE)
+
+        if (
+            organization.get_option("sentry:join_requests") is False
+            and self.invite_status == InviteStatus.REQUESTED_TO_JOIN.value
+        ):
+            raise UnableToAcceptMemberInvitationException(ERR_JOIN_REQUESTS_DISABLED)
+
+        # members cannot invite roles higher than their own
+        if not {self.role} & {r.id for r in allowed_roles}:
+            raise UnableToAcceptMemberInvitationException(
+                f"You do not have permission to approve a member invitation with the role {self.role}."
+            )
+        return True
+
+    def approve_invite_request(self, approving_user, api_key=None, ip_address=None, referrer=None):
+        """
+        Approve a member invite/join request and send an audit log entry
+        """
+        from sentry import audit_log
+        from sentry.utils.audit import create_audit_entry_from_user
+
+        with transaction.atomic(using=router.db_for_write(OrganizationMemberInvite)):
+            self.approve_invite()
+            self.save()
+
+        self.send_invite_email(referrer)
+        member_invited.send_robust(
+            invited_member=self, user=approving_user, sender=self, referrer=referrer
+        )
+        create_audit_entry_from_user(
+            approving_user,
+            api_key,
+            ip_address,
+            organization_id=self.organization_id,
+            target_object=self.id,
+            data=self.get_audit_log_data(),
+            event=(audit_log.get_event_id("MEMBER_INVITE")),
+        )
+
     @property
     def invite_approved(self):
         return self.invite_status == InviteStatus.APPROVED.value

src/sentry/receivers/onboarding.py

@@ -405,6 +405,7 @@ def record_first_insight_span(project, module, **kwargs):
 first_insight_span_received.connect(record_first_insight_span, weak=False)
 
 
+# TODO (mifu67): update this to use the new org member invite model
 @member_invited.connect(weak=False, dispatch_uid="onboarding.record_member_invited")
 def record_member_invited(member, user, **kwargs):
     OrganizationOnboardingTask.objects.record(