ref(dashboards): Modify how permissions are handled for editing/deleting dashboards (#80684)

Modify how permissions are handled for editing/deleting dashboards:

Previously, users without access to some projects were restricted from
editing/deleting dashboards. (Change made here #78615). This PR removes
that restriction, and enables restricting edit perms to specific teams.

---------

Co-authored-by: harshithadurai <[email protected]>

Author: harshithadurai

src/sentry/api/endpoints/organization_dashboard_details.py

@@ -3,7 +3,6 @@
 from django.db.models import F
 from django.utils import timezone
 from drf_spectacular.utils import extend_schema
-from rest_framework.permissions import BasePermission
 from rest_framework.request import Request
 from rest_framework.response import Response
 
@@ -31,32 +30,9 @@
 READ_FEATURE = "organizations:dashboards-basic"
 
 
-class DashboardPermissions(BasePermission):
-    """
-    Django Permissions Class for managing Dashboard Edit
-    permissions defined in the DashboardPermissions Model
-    """
-
-    scope_map = {
-        "GET": ["org:read", "org:write", "org:admin"],
-        "POST": ["org:read", "org:write", "org:admin"],
-        "PUT": ["org:read", "org:write", "org:admin"],
-        "DELETE": ["org:read", "org:write", "org:admin"],
-    }
-
-    def has_object_permission(self, request: Request, view, obj):
-        if isinstance(obj, Dashboard) and features.has(
-            "organizations:dashboards-edit-access", obj.organization, actor=request.user
-        ):
-            # Check if user has permissions to edit dashboard
-            if hasattr(obj, "permissions"):
-                return obj.permissions.has_edit_permissions(request.user.id)
-        return True
-
-
 class OrganizationDashboardBase(OrganizationEndpoint):
     owner = ApiOwner.PERFORMANCE
-    permission_classes = (OrganizationDashboardsPermission, DashboardPermissions)
+    permission_classes = (OrganizationDashboardsPermission,)
 
     def convert_args(
         self, request: Request, organization_id_or_slug, dashboard_id, *args, **kwargs

src/sentry/api/endpoints/organization_dashboards.py

@@ -48,25 +48,40 @@ def has_object_permission(self, request: Request, view, obj):
             return super().has_object_permission(request, view, obj)
 
         if isinstance(obj, Dashboard):
-            # 1. Dashboard contains certain projects
-            if obj.projects.exists():
-                return request.access.has_projects_access(obj.projects.all())
+            if features.has(
+                "organizations:dashboards-edit-access", obj.organization, actor=request.user
+            ):
+                # allow for Managers and Owners
+                if request.access.has_scope("org:write"):
+                    return True
+
+                # check if user is restricted from editing dashboard
+                if hasattr(obj, "permissions"):
+                    return obj.permissions.has_edit_permissions(request.user.id)
+
+                # if no permissions are assigned, it is considered accessible to all users
+                return True
 
-            # 2. Dashboard covers all projects or all my projects
+            else:
+                # 1. Dashboard contains certain projects
+                if obj.projects.exists():
+                    return request.access.has_projects_access(obj.projects.all())
 
-            # allow when Open Membership
-            if obj.organization.flags.allow_joinleave:
-                return True
+                # 2. Dashboard covers all projects or all my projects
 
-            # allow for Managers and Owners
-            if request.access.has_scope("org:write"):
-                return True
+                # allow when Open Membership
+                if obj.organization.flags.allow_joinleave:
+                    return True
 
-            # allow for creator
-            if request.user.id == obj.created_by_id:
-                return True
+                # allow for Managers and Owners
+                if request.access.has_scope("org:write"):
+                    return True
+
+                # allow for creator
+                if request.user.id == obj.created_by_id:
+                    return True
 
-            return False
+                return False
 
         return True
 

src/sentry/api/serializers/rest_framework/dashboard.py

@@ -567,7 +567,9 @@ def validate(self, data):
             permissions = data.get("permissions")
             if permissions and self.instance:
                 currentUser = self.context["request"].user
-                if self.instance.created_by_id != currentUser.id:
+                # managers and owners
+                has_write_access = self.context["request"].access.has_scope("org:write")
+                if self.instance.created_by_id != currentUser.id and not has_write_access:
                     raise serializers.ValidationError(
                         "Only the Dashboard Creator may modify Dashboard Edit Access"
                     )

tests/sentry/api/endpoints/test_organization_dashboard_details.py

@@ -513,6 +513,108 @@ def test_disallow_delete_my_projects_dashboard_when_no_open_membership(self):
         response = self.do_request("delete", self.url(dashboard.id))
         assert response.status_code == 204
 
+    def test_allow_delete_when_no_project_access(self):
+        # disable Open Membership
+        self.organization.flags.allow_joinleave = False
+        self.organization.save()
+
+        # assign a project to a dashboard
+        self.dashboard.projects.set([self.project])
+
+        # user has no access to the above project
+        user_no_team = self.create_user(is_superuser=False)
+        self.create_member(
+            user=user_no_team, organization=self.organization, role="member", teams=[]
+        )
+        self.login_as(user_no_team)
+
+        with self.feature({"organizations:dashboards-edit-access": True}):
+            response = self.do_request("delete", self.url(self.dashboard.id))
+        assert response.status_code == 204
+
+    def test_allow_delete_all_projects_dashboard_when_no_open_membership(self):
+        # disable Open Membership
+        self.organization.flags.allow_joinleave = False
+        self.organization.save()
+
+        dashboard = Dashboard.objects.create(
+            title="Dashboard For All Projects",
+            created_by_id=self.user.id,
+            organization=self.organization,
+            filters={"all_projects": True},
+        )
+
+        # user has no access to all the projects
+        user_no_team = self.create_user(is_superuser=False)
+        self.create_member(
+            user=user_no_team, organization=self.organization, role="member", teams=[]
+        )
+        self.login_as(user_no_team)
+
+        with self.feature({"organizations:dashboards-edit-access": True}):
+            response = self.do_request("delete", self.url(dashboard.id))
+        assert response.status_code == 204
+
+    def test_allow_delete_my_projects_dashboard_when_no_open_membership(self):
+        # disable Open Membership
+        self.organization.flags.allow_joinleave = False
+        self.organization.save()
+
+        dashboard = Dashboard.objects.create(
+            title="Dashboard For My Projects",
+            created_by_id=self.user.id,
+            organization=self.organization,
+            # no 'filter' field means the dashboard covers all available projects
+        )
+
+        # user has no access to all the projects
+        user_no_team = self.create_user(is_superuser=False)
+        self.create_member(
+            user=user_no_team, organization=self.organization, role="member", teams=[]
+        )
+        self.login_as(user_no_team)
+
+        with self.feature({"organizations:dashboards-edit-access": True}):
+            response = self.do_request("delete", self.url(dashboard.id))
+        assert response.status_code == 204
+
+    def test_disallow_delete_when_no_project_access_and_no_edit_perms(self):
+        # disable Open Membership
+        self.organization.flags.allow_joinleave = False
+        self.organization.save()
+
+        # assign a project to a dashboard
+        self.dashboard.projects.set([self.project])
+
+        # user has no access to the above project
+        user_no_team = self.create_user(is_superuser=False)
+        self.create_member(
+            user=user_no_team, organization=self.organization, role="member", teams=[]
+        )
+        self.login_as(user_no_team)
+
+        with self.feature({"organizations:dashboards-edit-access": True}):
+            response = self.do_request("delete", self.url(self.dashboard.id))
+        assert response.status_code == 204
+
+    def test_allow_delete_as_superuser_but_no_edit_perms(self):
+        self.create_user(id=12333)
+        dashboard = Dashboard.objects.create(
+            id=67,
+            title="Dashboard With Dataset Source",
+            created_by_id=12333,
+            organization=self.organization,
+        )
+        DashboardPermissions.objects.create(is_editable_by_everyone=False, dashboard=dashboard)
+
+        # Create and login as superuser
+        superuser = self.create_user(is_superuser=True)
+        self.login_as(user=superuser, superuser=True)
+
+        with self.feature({"organizations:dashboards-edit-access": True}):
+            response = self.do_request("delete", self.url(dashboard.id))
+        assert response.status_code == 204, response.content
+
     def test_dashboard_does_not_exist(self):
         response = self.do_request("delete", self.url(1234567890))
         assert response.status_code == 404
@@ -731,6 +833,102 @@ def test_disallow_put_when_no_project_access(self):
         assert response.status_code == 403, response.data
         assert response.data == {"detail": "You do not have permission to perform this action."}
 
+    def test_allow_put_when_no_project_access(self):
+        # disable Open Membership
+        self.organization.flags.allow_joinleave = False
+        self.organization.save()
+
+        # assign a project to a dashboard
+        self.dashboard.projects.set([self.project])
+
+        # user has no access to the above project
+        user_no_team = self.create_user(is_superuser=False)
+        self.create_member(
+            user=user_no_team, organization=self.organization, role="member", teams=[]
+        )
+        self.login_as(user_no_team)
+
+        with self.feature({"organizations:dashboards-edit-access": True}):
+            response = self.do_request(
+                "put", self.url(self.dashboard.id), data={"title": "Dashboard Hello"}
+            )
+        assert response.status_code == 200, response.data
+
+    def test_disallow_put_when_no_project_access_and_no_edit_perms(self):
+        # set dashboard edit perms to be editable only by creator
+        self.dashboard.permissions = DashboardPermissions.objects.create(
+            is_editable_by_everyone=False, dashboard=self.dashboard
+        )
+
+        # disable Open Membership
+        self.organization.flags.allow_joinleave = False
+        self.organization.save()
+
+        # assign a project to a dashboard
+        self.dashboard.projects.set([self.project])
+
+        # user has no access to the above project
+        user_no_team = self.create_user(is_superuser=False)
+        self.create_member(
+            user=user_no_team, organization=self.organization, role="member", teams=[]
+        )
+        self.login_as(user_no_team)
+
+        with self.feature({"organizations:dashboards-edit-access": True}):
+            response = self.do_request(
+                "put", self.url(self.dashboard.id), data={"title": "Dashboard Hello"}
+            )
+        assert response.status_code == 403, response.data
+        assert response.data == {"detail": "You do not have permission to perform this action."}
+
+    def test_disallow_put_when_has_project_access_and_no_edit_perms(self):
+        # set dashboard edit perms to be editable only by creator
+        self.dashboard.permissions = DashboardPermissions.objects.create(
+            is_editable_by_everyone=False, dashboard=self.dashboard
+        )
+
+        # disable Open Membership
+        self.organization.flags.allow_joinleave = False
+        self.organization.save()
+
+        # assign a project to a dashboard
+        self.dashboard.projects.set([self.project])
+
+        # user has access to the above project
+        user = self.create_user(id=3456)
+        team = self.create_team(organization=self.organization)
+        self.create_member(user=user, organization=self.organization, teams=[team])
+        self.project.add_team(team)
+        self.login_as(user)
+
+        with self.feature({"organizations:dashboards-edit-access": True}):
+            response = self.do_request(
+                "put", self.url(self.dashboard.id), data={"title": "Dashboard Hello"}
+            )
+        assert response.status_code == 403, response.data
+        assert response.data == {"detail": "You do not have permission to perform this action."}
+
+    def test_allow_put_as_superuser_but_no_edit_perms(self):
+        self.create_user(id=12333)
+        dashboard = Dashboard.objects.create(
+            id=67,
+            title="Dashboard With Dataset Source",
+            created_by_id=12333,
+            organization=self.organization,
+        )
+        DashboardPermissions.objects.create(is_editable_by_everyone=False, dashboard=dashboard)
+
+        # Create and login as superuser
+        superuser = self.create_user(is_superuser=True)
+        self.login_as(user=superuser, superuser=True)
+
+        with self.feature({"organizations:dashboards-edit-access": True}):
+            response = self.do_request(
+                "put", self.url(dashboard.id), data={"title": "New Dashboard 9"}
+            )
+        assert response.status_code == 200, response.content
+        assert response.data["title"] == "New Dashboard 9"
+
     def test_add_widget(self):
         data: dict[str, Any] = {
             "title": "First dashboard",
@@ -2136,6 +2334,21 @@ def test_user_tries_to_update_dashboard_edit_perms(self):
             in response.content.decode()
         )
 
+    def test_manager_or_owner_can_update_dashboard_edit_perms(self):
+        DashboardPermissions.objects.create(is_editable_by_everyone=False, dashboard=self.dashboard)
+
+        user = self.create_user(id=28193)
+        self.create_member(user=user, organization=self.organization, role="manager")
+        self.login_as(user)
+
+        with self.feature({"organizations:dashboards-edit-access": True}):
+            response = self.do_request(
+                "put",
+                self.url(self.dashboard.id),
+                data={"permissions": {"is_editable_by_everyone": False}},
+            )
+        assert response.status_code == 200
+
     def test_update_dashboard_permissions_with_new_teams(self):
         mock_project = self.create_project()
         permission = DashboardPermissions.objects.create(