fix(deploys): Fix permissions for deploy endpoint projects (#78026)

Currently, in order to link specific projects to a deploy, e.g. via the
`sentry-cli deploys new` command, users must provide a token with the
`project:read` scope. This is inconsistent with the `sentry-cli releases
new` command, which allows users to create a new release associated with
only some projects by using the `org:read` and `project:release` scopes.

This PR proposes allowing specifying projects for a deploy using a token
with `project:releases` scope.

Fixes #78025

Author: szokeasaurusrex

src/sentry/api/endpoints/release_deploys.py

@@ -72,7 +72,7 @@ class DeploySerializer(serializers.Serializer):
         help_text="An optional date that indicates when the deploy ended. If not provided, the current time is used.",
     )
     projects = serializers.ListField(
-        child=ProjectField(scope="project:read", id_allowed=True),
+        child=ProjectField(scope=("project:read", "project:releases"), id_allowed=True),
         required=False,
         allow_empty=False,
         help_text="The optional list of project slugs to create a deploy within. If not provided, deploys are created for all of the release's projects.",

src/sentry/api/serializers/rest_framework/project.py

@@ -1,3 +1,5 @@
+from collections.abc import Collection
+
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema_field
 from rest_framework import serializers
@@ -9,7 +11,14 @@
 
 @extend_schema_field(field=OpenApiTypes.STR)
 class ProjectField(serializers.Field):
-    def __init__(self, scope="project:write", id_allowed=False, **kwags):
+    def __init__(
+        self, scope: str | Collection[str] = "project:write", id_allowed: bool = False, **kwags
+    ):
+        """
+        The scope parameter specifies which permissions are required to access the project field.
+        If multiple scopes are provided, the project can be accessed when the user is authenticated with
+        any of the scopes.
+        """
         self.scope = scope
         self.id_allowed = id_allowed
         super().__init__(**kwags)
@@ -27,6 +36,8 @@ def to_internal_value(self, data):
                 project = Project.objects.get(organization=self.context["organization"], slug=data)
         except Project.DoesNotExist:
             raise ValidationError("Invalid project")
-        if not self.context["access"].has_project_scope(project, self.scope):
+
+        scopes = (self.scope,) if isinstance(self.scope, str) else self.scope
+        if not self.context["access"].has_any_project_scope(project, scopes):
             raise ValidationError("Insufficient access to project")
         return project

tests/sentry/api/endpoints/test_release_deploys.py

@@ -2,11 +2,14 @@
 
 from django.urls import reverse
 
+from sentry.models.apitoken import ApiToken
 from sentry.models.deploy import Deploy
 from sentry.models.environment import Environment
 from sentry.models.release import Release
 from sentry.models.releaseprojectenvironment import ReleaseProjectEnvironment
+from sentry.silo.base import SiloMode
 from sentry.testutils.cases import APITestCase
+from sentry.testutils.silo import assume_test_silo_mode
 
 
 class ReleaseDeploysListTest(APITestCase):
@@ -389,3 +392,61 @@ def test_environment_validation_failure(self) -> None:
         )
         assert response.status_code == 400, response.content
         assert 0 == Deploy.objects.count()
+
+    def test_api_token_with_project_releases_scope(self):
+        """
+        Test that tokens with `project:releases` scope can create deploys for only one project
+        when the release is associated with multiple projects.
+        """
+        # Create a second project
+        project_bar = self.create_project(organization=self.org, name="bar")
+
+        # Create a release for both projects
+        release = Release.objects.create(organization_id=self.org.id, version="1", total_deploys=0)
+        release.add_project(self.project)
+        release.add_project(project_bar)
+
+        # Create API token with project:releases scope
+        user = self.create_user(is_staff=False, is_superuser=False)
+
+        # Add user to the organization - they need to be a member to use the API
+        self.create_member(user=user, organization=self.org)
+
+        with assume_test_silo_mode(SiloMode.CONTROL):
+            api_token = ApiToken.objects.create(user=user, scope_list=["project:releases"])
+
+        url = reverse(
+            "sentry-api-0-organization-release-deploys",
+            kwargs={
+                "organization_id_or_slug": self.org.slug,
+                "version": release.version,
+            },
+        )
+
+        # Create deploy for only one project (project_bar)
+        response = self.client.post(
+            url,
+            data={
+                "name": "single_project_deploy",
+                "environment": "production",
+                "url": "https://www.example.com",
+                "projects": [project_bar.slug],  # Only one project specified
+            },
+            HTTP_AUTHORIZATION=f"Bearer {api_token.token}",
+        )
+
+        assert response.status_code == 201, response.content
+        assert response.data["name"] == "single_project_deploy"
+        assert response.data["environment"] == "production"
+
+        environment = Environment.objects.get(name="production", organization_id=self.org.id)
+
+        # Verify ReleaseProjectEnvironment was created only for project_bar
+        assert ReleaseProjectEnvironment.objects.filter(
+            project=project_bar, release=release, environment=environment
+        ).exists()
+
+        # Verify ReleaseProjectEnvironment was NOT created for self.project
+        assert not ReleaseProjectEnvironment.objects.filter(
+            project=self.project, release=release, environment=environment
+        ).exists()