Skip to content

fix: Correct missing organization constraint in PromptsActivityEndpoint #104920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dcramer merged 9 commits into from
Dec 15, 2025
+26 −3
Merged

fix: Correct missing organization constraint in PromptsActivityEndpoint #104920

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
645f166
Fix: Scope project lookups to organization in prompts activity
cursoragent Dec 13, 2025
ddf9169
:hammer_and_wrench: apply pre-commit fixes
getsantry[bot] Dec 13, 2025
c66410c
Fix: Scope project query by organization to prevent IDOR
cursoragent Dec 13, 2025
b0c099b
:hammer_and_wrench: apply pre-commit fixes
getsantry[bot] Dec 13, 2025
9bd3230
Fix: Scope project queries by organization ID
cursoragent Dec 13, 2025
934f996
Fix: Scope project queries to organization to prevent IDOR
cursoragent Dec 15, 2025
ab99cee
Merge branch 'master' into cursor/mark-s-skepticism-resolution-cd91
dcramer Dec 15, 2025
bc98237
Fix: Use project ID after project deletion in test
cursoragent Dec 15, 2025
27f1492
Merge branch 'master' into cursor/mark-s-skepticism-resolution-cd91
dcramer Dec 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions src/sentry/api/endpoints/prompts_activity.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,8 +92,12 @@ def put(self, request: Request, **kwargs):
# if project_id or organization_id in required fields make sure they exist
# if NOT in required fields, insert dummy value so dups aren't recorded
if "project_id" in required_fields:
if not Project.objects.filter(id=fields["project_id"]).exists():
return Response({"detail": "Project no longer exists"}, status=400)
if not Project.objects.filter(
Copy link
Member Author

@dcramer dcramer Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

aside this isnt actually a high severity concern afaict, but no idea what the consequence is

id=fields["project_id"], organization_id=request.organization.id
).exists():
return Response(
{"detail": "Project does not belong to this organization"}, status=400
)
else:
fields["project_id"] = 0

Expand Down
21 changes: 20 additions & 1 deletion tests/sentry/api/endpoints/test_prompts_activity.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,18 +81,20 @@ def test_invalid_project(self) -> None:
}
resp = self.client.get(self.path, data)
assert resp.status_code == 200
project_id = self.project.id
self.project.delete()
# project doesn't exist
resp = self.client.put(
self.path,
{
"organization_id": self.org.id,
"project_id": self.project.id,
"project_id": project_id,
"feature": "releases",
"status": "dismissed",
},
)
assert resp.status_code == 400
assert resp.data["detail"] == "Project does not belong to this organization"

def test_dismiss(self) -> None:
data = {
Expand Down Expand Up @@ -271,3 +273,20 @@ def test_batched(self) -> None:
assert resp.status_code == 200
assert "dismissed_ts" in resp.data["features"]["releases"]
assert "snoozed_ts" in resp.data["features"]["alert_stream"]

def test_project_from_different_organization(self) -> None:
other_org = self.create_organization()
other_project = self.create_project(organization=other_org)

resp = self.client.put(
self.path,
{
"organization_id": self.org.id,
"project_id": other_project.id,
"feature": "releases",
"status": "dismissed",
},
)

assert resp.status_code == 400
assert resp.data["detail"] == "Project does not belong to this organization"
Loading