
Commit 8a1cd23

fix: Restrict deactiveated enterprise user access
1 parent f8ac094 commit 8a1cd23


2 files changed

+33
-3
lines changed


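--- a/graphql_api/tests/test_owner.py
+++ b/graphql_api/tests/test_owner.py
@@ -762,6 +762,30 @@ def test_fetch_owner_on_unauthenticated_enteprise_guest_access(self):
 assert e.message == UnauthorizedGuestAccess.message
 assert e.extensions["code"] == UnauthorizedGuestAccess.code
 
+@override_settings(IS_ENTERPRISE=True, GUEST_ACCESS=False)
+def test_fetch_owner_on_unauthenticated_enteprise_guest_access_not_activated(self):
+user = OwnerFactory(username="sample-user")
+owner = OwnerFactory(username="sample-owner", plan_activated_users=[123, 456])
+user.organizations = [owner.ownerid]
+user.save()
+owner.save()
+query = (
+"""{
+owner(username: "%s") {
+isCurrentUserActivated
+}
+}
+"""
+% owner.username
+)
+
+try:
+self.gql_request(query, owner=user)
+
+except GraphQLError as e:
+assert e.message == UnauthorizedGuestAccess.message
+assert e.extensions["code"] == UnauthorizedGuestAccess.code
+
 def test_fetch_current_user_is_okta_authenticated(self):
 account = AccountFactory()
 owner = OwnerFactory(username="sample-owner", service="github", account=account)
@@ -820,7 +844,7 @@ def test_fetch_current_user_is_not_okta_authenticated_no_account(self):
 
 @patch("shared.rate_limits.determine_entity_redis_key")
 @patch("shared.rate_limits.determine_if_entity_is_rate_limited")
-@override_settings(IS_ENTERPRISE=True, GUEST_ACCESS=False)
+@override_settings(IS_ENTERPRISE=True, GUEST_ACCESS=True)
 def test_fetch_is_github_rate_limited(
 self, mock_determine_rate_limit, mock_determine_redis_key
 ):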
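--- a/graphql_api/types/query/query.py
+++ b/graphql_api/types/query/query.py
@@ -40,7 +40,7 @@ def resolve_me(_, info) -> Optional[Owner]:
 
 
 @query_bindable.field("owner")
-def resolve_owner(_, info, username):
+async def resolve_owner(_, info, username):
 configure_sentry_scope(query_name(info))
 
 service = info.context["service"]
@@ -50,7 +50,13 @@ def resolve_owner(_, info, username):
 if not user or not user.is_authenticated:
 raise UnauthorizedGuestAccess()
 
-return get_owner(service, username)
+# per product spec, if guestAccess is off for the environment, the current enterpriseUser
+# must be "activated" in the given target owner (e.g., "codecov" org) in order to see things
+target = await get_owner(service, username)
+if user.ownerid not in target.plan_activated_users:
+raise UnauthorizedGuestAccess()
+
+return await get_owner(service, username)
 
 
 @query_bindable.field("config")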
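Review bot: `get_owner(service, username)` is awaited twice on the new side — once into `target` and again in the final `return` — so every owner lookup now costs two queries where one suffices; the last line should be `return target`. The check also dereferences `target.plan_activated_users` with no None guard: if `get_owner` can return None for an unknown username (the original returned its result unconditionally, which suggests it can), a non-activated user querying a non-existent owner gets an AttributeError/500 instead of `UnauthorizedGuestAccess`, which incidentally reveals whether the owner exists. Suggested: `if target is None or user.ownerid not in (target.plan_activated_users or []):` / `raise UnauthorizedGuestAccess()` / `return target`. Whether this block sits inside the enterprise/no-guest-access conditional cannot be confirmed from the hunk (indentation is not preserved here and the conditional at lines 47–49 is outside it); the comment says it does, but note that a user resolving their own owner record is also rejected unless that record lists their ownerid — worth a test.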
