Why Sentry requires project:write on downloading release's artifacts

watiko · March 3, 2018, 6:09pm

getsentry/sentry/blob/8.22.0/src/sentry/static/sentry/app/views/releaseArtifacts.jsx#L152-L172


{access.has('project:write') ? (
  <a
    href={
      this.api.baseUrl +
      this.getFilesEndpoint() +
      `${file.id}/?download=1`
    }
    className="btn btn-sm btn-default"
  >
    <span className="icon icon-open" />
  </a>
) : (
  <div
    className="btn btn-sm btn-default disabled tip"
    title={t(
      'You do not have the required permission to download this artifact.'
    )}
  >
    <span className="icon icon-open" />
  </div>
)}

github.com

getsentry/sentry/blob/8.22.0/src/sentry/api/endpoints/organization_release_file_details.py#L74-L75


if download_requested and (request.access.has_scope('project:write')):
    return self.download(releasefile)

I don’t know why Sentry requires project:write permission on downloading release artifacts.
It doesn’t seem to be so much writing operation as reading operation.

HazAT · March 5, 2018, 7:35am

At the time where we implemented this, the whole releases feature required project:write (not sure how it is today).
So without project:write you would have not even seen the page.
In general though, you are right

harryi3t · March 4, 2022, 8:18pm

Is this expected behavior? If not, will this be fixed anytime soon? It’s been 4 years!

HazAT · March 7, 2022, 6:20pm

github.com/getsentry/sentry

feat(ui): Re-word debug files download tooltip

getsentry:master ← getsentry:feat/reword-dif-download-tooltips

opened 02:29PM - 07 Mar 22 UTC

matejminar

+48 -7

Downloading debug files (source maps, proguard mappings, difs) was historically …controlled by `project:write` access right. Some organizations want their members to be able to upload/delete debug files, but they do not want them to download/access all debug files. A while back, the `project:write` check was changed to organization setting so that the admin can set which roles can download debug files. This PR changes the tooltip on a disabled download button to better reflect this reality. ## Before <img width="1432" alt="image" src="https://user-images.githubusercontent.com/9060071/157062936-808fcb1b-2d9b-41a8-8978-94625d3bfdf7.png"> ## After https://user-images.githubusercontent.com/9060071/157062961-e4498492-119f-4a7f-9e02-42322fcddfaf.mp4

So we can’t fix the underlying permissions because it has other reasons it has to be like this, but we made it a bit clearer what it means.

Topic		Replies	Views
Github Education pack claim asks for a lot of Github permissions	4	1421	October 6, 2017
403 error adding commits to release Integrations	2	7237	August 28, 2019
No commits associated with a release On-Premise	12	8666	October 5, 2017
Release Plan for Github versions On-Premise	2	1625	February 20, 2019
Can't add Send an E-Mail Action for some projects On-Premise	2	649	September 15, 2020

Why Sentry requires project:write on downloading release's artifacts

Related Topics