Merge pull request #3877 from getsentry/fix/api-key-security

Correct scope of API key settings

Author: dcramer

src/sentry/web/frontend/organization_api_key_settings.py

@@ -21,7 +21,7 @@ class Meta:
 
 
 class OrganizationApiKeySettingsView(OrganizationView):
-    required_scope = 'org:write'
+    required_scope = 'org:delete'
 
     def handle(self, request, organization, key_id):
         key = get_object_or_404(ApiKey, organization=organization, id=key_id)

tests/sentry/web/frontend/test_organization_api_key_settings.py

@@ -20,6 +20,9 @@ def test_teamless_admin_cannot_load(self):
     def test_member_cannot_load(self):
         self.assert_member_cannot_access(self.path)
 
+    def test_manager_cannot_load(self):
+        self.assert_manager_cannot_access(self.path)
+
     def test_owner_can_load(self):
         self.assert_owner_can_access(self.path)