Fixes VULN-50 by enforcing option (#79384)

Ensures that organization level fix suggestion settings are respected in addition to other consent options.
getsentry · Oct 18, 2024 · 2204fde · 2204fde
1 parent d8ff0cb
commit 2204fde
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 18 deletions.
diff --git a/src/sentry/api/endpoints/event_ai_suggested_fix.py b/src/sentry/api/endpoints/event_ai_suggested_fix.py
@@ -322,26 +322,30 @@ def get(self, request: Request, project, event_id) -> HttpResponse | StreamingHt
         if event is None:
             raise ResourceDoesNotExist
 
-        # Check the OpenAI access policy
-        policy = get_openai_policy(
-            request.organization,
-            request.user,
-            pii_certified=request.GET.get("pii_certified") == "yes",
-        )
         policy_failure = None
-        stream = request.GET.get("stream") == "yes"
-
-        if policy == "subprocessor":
-            policy_failure = "subprocessor"
-        elif policy == "individual_consent":
-            if request.GET.get("consent") != "yes":
-                policy_failure = "individual_consent"
-        elif policy == "pii_certification_required":
-            policy_failure = "pii_certification_required"
-        elif policy == "allowed":
-            pass
+        # If the option has specifically been set to False,
+        if not bool(request.organization.get_option("sentry:ai_suggested_solution", default=False)):
+            policy_failure = "organization_consent_required"
         else:
-            logger.warning("Unknown OpenAI policy state")
+            # Check the OpenAI access policy
+            policy = get_openai_policy(
+                request.organization,
+                request.user,
+                pii_certified=request.GET.get("pii_certified") == "yes",
+            )
+            stream = request.GET.get("stream") == "yes"
+
+            if policy == "subprocessor":
+                policy_failure = "subprocessor"
+            elif policy == "individual_consent":
+                if request.GET.get("consent") != "yes":
+                    policy_failure = "individual_consent"
+            elif policy == "pii_certification_required":
+                policy_failure = "pii_certification_required"
+            elif policy == "allowed":
+                pass
+            else:
+                logger.warning("Unknown OpenAI policy state")
 
         if policy_failure is not None:
             return HttpResponse(

diff --git a/tests/sentry/api/endpoints/test_event_ai_suggested_fix.py b/tests/sentry/api/endpoints/test_event_ai_suggested_fix.py
@@ -77,13 +77,25 @@ def test_consent(self):
             "sentry.api.endpoints.event_ai_suggested_fix.get_openai_policy",
             return_value="individual_consent",
         ):
+            response = self.client.get(self.path)
+            assert response.status_code == 403
+            assert response.json() == {"restriction": "organization_consent_required"}
+
+            self.organization.update_option("sentry:ai_suggested_solution", True)
             response = self.client.get(self.path)
             assert response.status_code == 403
             assert response.json() == {"restriction": "individual_consent"}
+
             response = self.client.get(self.path + "?consent=yes")
             assert response.status_code == 200
             assert response.json() == {"suggestion": "AI generated response"}
 
+            self.organization.update_option("sentry:ai_suggested_solution", False)
+            response = self.client.get(self.path + "?consent=yes")
+            assert response.status_code == 403
+            assert response.json() == {"restriction": "organization_consent_required"}
+
+        self.organization.update_option("sentry:ai_suggested_solution", True)
         with patch(
             "sentry.api.endpoints.event_ai_suggested_fix.get_openai_policy",
             return_value="subprocessor",