Conversation

@michelletran-sentry (Contributor)
This checks that the user is part of the default Sentry Org before we upgrade their superuser privileges.

Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.

This checks that the user is part of the default Sentry Org before we
upgrade their superuser privileges.
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Jan 23, 2026
@michelletran-sentry michelletran-sentry marked this pull request as ready for review January 23, 2026 17:07
@michelletran-sentry michelletran-sentry requested a review from a team January 23, 2026 17:07
@cursor cursor bot (Contributor) left a comment
Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

"detail": "User must be a member to the default organization to enable SuperUser mode."
},
status=status.HTTP_403_FORBIDDEN,
)
Org membership check blocks all privileged operations, not just superuser

Medium Severity

The organization membership check runs for all privileged operations when can_elevate_user is True in SAAS mode, regardless of what's actually being updated. Based on the PR title ("Check default org membership before changing superuser privilege") and the error message ("to enable SuperUser mode"), the check should only apply when granting superuser privileges via request.data.get("isSuperuser"). Currently, this blocks staff additions and isActive changes for users not in org 1, which contradicts the intent. The test test_staff_with_permission_can_add_staff would fail if SAAS mode were enabled.

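To make the review finding concrete, here is an added illustration (constructed for this page, not Sentry's code) of the two shapes of the check: a membership gate that fires on every privileged update versus one scoped to requests that actually grant superuser. The default org id of 1, the `Ctx` fields and the function names are assumptions standing in for the real endpoint state.

```python
from __future__ import annotations
from dataclasses import dataclass, field

DEFAULT_ORG_ID = 1  # "org 1" from the review; constructed value for this example
DENIED_DETAIL = "User must be a member to the default organization to enable SuperUser mode."


@dataclass
class Ctx:
    """Hypothetical request context: deployment mode, caller capability, org memberships."""
    saas_mode: bool
    can_elevate_user: bool
    member_org_ids: set[int] = field(default_factory=set)


def _is_default_org_member(ctx: Ctx) -> bool:
    return DEFAULT_ORG_ID in ctx.member_org_ids


def broad_check(ctx: Ctx, data: dict) -> tuple[int, str]:
    """Over-broad form described in the review: the membership gate runs whenever the
    caller may elevate users in SAAS mode, so a plain isStaff or isActive change by a
    user outside the default org is refused even though no superuser grant is involved."""
    if ctx.saas_mode and ctx.can_elevate_user and not _is_default_org_member(ctx):
        return 403, DENIED_DETAIL
    return 200, "ok"


def scoped_check(ctx: Ctx, data: dict) -> tuple[int, str]:
    """Scoped form: only a request that grants superuser needs default-org membership.
    Other privileged fields are left to the existing permission logic."""
    granting_superuser = bool(data.get("isSuperuser"))
    if (
        ctx.saas_mode
        and ctx.can_elevate_user
        and granting_superuser
        and not _is_default_org_member(ctx)
    ):
        return 403, DENIED_DETAIL
    return 200, "ok"


if __name__ == "__main__":
    outsider = Ctx(saas_mode=True, can_elevate_user=True, member_org_ids={42})
    print("staff change, broad :", broad_check(outsider, {"isStaff": True})[0])   # 403 (the bug)
    print("staff change, scoped:", scoped_check(outsider, {"isStaff": True})[0])  # 200
    print("superuser, scoped   :", scoped_check(outsider, {"isSuperuser": True})[0])  # 403
```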

2 participants