posthog/ee/api/explicit_team_member.py

from typing import Optional, cast

from django.db.utils import IntegrityError
from django.shortcuts import get_object_or_404
from rest_framework import exceptions, serializers, viewsets
from rest_framework.permissions import IsAuthenticated

from ee.models.explicit_team_membership import ExplicitTeamMembership
from posthog.api.routing import StructuredViewSetMixin
from posthog.api.shared import UserBasicSerializer
from posthog.models.organization import OrganizationMembership
from posthog.models.team import Team
from posthog.models.user import User
from posthog.permissions import TeamMemberStrictManagementPermission
from posthog.user_permissions import UserPermissionsSerializerMixin


class ExplicitTeamMemberSerializer(serializers.ModelSerializer, UserPermissionsSerializerMixin):
    user = UserBasicSerializer(source="parent_membership.user", read_only=True)
    parent_level = serializers.IntegerField(source="parent_membership.level", read_only=True)

    user_uuid = serializers.UUIDField(required=True, write_only=True)

    class Meta:
        model = ExplicitTeamMembership
        fields = [
            "id",
            "level",
            "parent_level",
            "parent_membership_id",
            "joined_at",
            "updated_at",
            "user",
            "user_uuid",  # write_only (see above)
            "effective_level",  # read_only (calculated)
        ]
        read_only_fields = ["id", "parent_membership_id", "joined_at", "updated_at", "user", "effective_level"]

    def create(self, validated_data):
        team: Team = self.context["get_team"]()
        user_uuid = validated_data.pop("user_uuid")
        validated_data["team"] = team
        try:
            requesting_parent_membership: OrganizationMembership = OrganizationMembership.objects.get(
                organization_id=team.organization_id, user__uuid=user_uuid, user__is_active=True
            )
        except OrganizationMembership.DoesNotExist:
            raise exceptions.PermissionDenied("You both need to belong to the same organization.")
        validated_data["parent_membership"] = requesting_parent_membership
        try:
            return super().create(validated_data)
        except IntegrityError:
            raise exceptions.ValidationError("This user likely already is an explicit member of the project.")

    def validate(self, attrs):
        team: Team = self.context["get_team"]()
        if not team.access_control:
            raise exceptions.ValidationError(
                "Explicit members can only be accessed for projects with project-based permissioning enabled."
            )
        requesting_user: User = self.context["request"].user
        membership_being_accessed = cast(Optional[ExplicitTeamMembership], self.instance)
        try:
            requesting_level = self.user_permissions.team(team).effective_membership_level
        except OrganizationMembership.DoesNotExist:
            # Requesting user does not belong to the project's organization, so we spoof a 404 for enhanced security
            raise exceptions.NotFound("Project not found.")

        new_level = attrs.get("level")

        if requesting_level is None:
            raise exceptions.PermissionDenied("You do not have the required access to this project.")

        if attrs.get("user_uuid") == requesting_user.uuid:
            # Create-only check
            raise exceptions.PermissionDenied("You can't explicitly add yourself to projects.")

        if new_level is not None and new_level > requesting_level:
            raise exceptions.PermissionDenied("You can only set access level to lower or equal to your current one.")

        if membership_being_accessed is not None:
            # Update-only checks
            if membership_being_accessed.parent_membership.user_id != requesting_user.id:
                # Requesting user updating someone else
                if membership_being_accessed.level > requesting_level:
                    raise exceptions.PermissionDenied("You can only edit others with level lower or equal to you.")
            else:
                # Requesting user updating themselves
                if new_level is not None:
                    raise exceptions.PermissionDenied("You can't set your own access level.")

        return attrs


class ExplicitTeamMemberViewSet(StructuredViewSetMixin, viewsets.ModelViewSet):
    permission_classes = [IsAuthenticated, TeamMemberStrictManagementPermission]
    pagination_class = None
    queryset = ExplicitTeamMembership.objects.filter(parent_membership__user__is_active=True).select_related(
        "team", "parent_membership", "parent_membership__user"
    )
    lookup_field = "parent_membership__user__uuid"
    ordering = ["level", "-joined_at"]
    serializer_class = ExplicitTeamMemberSerializer
    include_in_docs = False

    def get_permissions(self):
        if (
            self.action == "destroy"
            and self.request.user.is_authenticated
            and self.kwargs.get("parent_membership__user__uuid") == str(self.request.user.uuid)
        ):
            # Special case: allow already authenticated users to leave projects
            return []
        return super().get_permissions()

    def get_object(self) -> ExplicitTeamMembership:
        queryset = self.filter_queryset(self.get_queryset())
        lookup_value = self.kwargs[self.lookup_field]
        if lookup_value == "@me":
            return queryset.get(user=self.request.user)
        filter_kwargs = {self.lookup_field: lookup_value}
        obj = get_object_or_404(queryset, **filter_kwargs)
        self.check_object_permissions(self.request, obj)
        return obj