fix(api): check org membership in updateBundleCacheConfig mutation (#919)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: drazisil-codecov

apps/codecov-api/core/commands/repository/interactors/tests/test_update_bundle_cache_config.py

@@ -2,7 +2,7 @@
 from asgiref.sync import async_to_sync
 from django.test import TestCase
 
-from codecov.commands.exceptions import ValidationError
+from codecov.commands.exceptions import Unauthorized, ValidationError
 from shared.django_apps.bundle_analysis.models import CacheConfig
 from shared.django_apps.core.tests.factories import (
     OwnerFactory,
@@ -17,8 +17,12 @@ class UpdateBundleCacheConfigInteractorTest(TestCase):
 
     def setUp(self):
         self.org = OwnerFactory(username="test-org")
-        self.repo = RepositoryFactory(author=self.org, name="test-repo", active=True)
-        self.user = OwnerFactory(permission=[self.repo.pk])
+        self.repo = RepositoryFactory(
+            author=self.org, name="test-repo", active=True, private=False
+        )
+        self.user = OwnerFactory(
+            organizations=[self.org.ownerid], permission=[self.repo.pk]
+        )
 
     @async_to_sync
     def execute(self, owner, repo_name=None, cache_config=[]):
@@ -28,6 +32,15 @@ def execute(self, owner, repo_name=None, cache_config=[]):
             cache_config=cache_config,
         )
 
+    def test_unauthorized_user_not_part_of_org(self):
+        random_user = OwnerFactory()
+        with pytest.raises(Unauthorized):
+            self.execute(
+                owner=random_user,
+                repo_name="test-repo",
+                cache_config=[{"bundle_name": "any", "toggle_caching": False}],
+            )
+
     def test_repo_not_found(self):
         with pytest.raises(ValidationError):
             self.execute(owner=self.user, repo_name="wrong")

apps/codecov-api/core/commands/repository/interactors/update_bundle_cache_config.py

@@ -1,7 +1,8 @@
 from asgiref.sync import sync_to_async
 
 from codecov.commands.base import BaseInteractor
-from codecov.commands.exceptions import ValidationError
+from codecov.commands.exceptions import Unauthorized, ValidationError
+from codecov_auth.helpers import current_user_part_of_org
 from core.models import Repository
 from shared.django_apps.bundle_analysis.models import CacheConfig
 from shared.django_apps.bundle_analysis.service.bundle_analysis import (
@@ -38,10 +39,13 @@ def execute(
         repo_name: str,
         cache_config: list[dict[str, str | bool]],
     ) -> list[dict[str, str | bool]]:
-        _owner, repo = self.resolve_owner_and_repo(
+        owner, repo = self.resolve_owner_and_repo(
             owner_username, repo_name, only_viewable=True
         )
 
+        if not current_user_part_of_org(self.current_owner, owner):
+            raise Unauthorized()
+
         self.validate(repo, cache_config)
 
         results = []

apps/codecov-api/graphql_api/tests/mutation/test_update_bundle_cache_config.py

@@ -3,7 +3,7 @@
 from django.test import TestCase
 
 from graphql_api.tests.helper import GraphQLTestHelper
-from shared.django_apps.core.tests.factories import OwnerFactory
+from shared.django_apps.core.tests.factories import OwnerFactory, RepositoryFactory
 
 query = """
 mutation($input: ActivateMeasurementsInput!) {
@@ -37,6 +37,9 @@
             ... on UnauthenticatedError {
                 message
             }
+            ... on UnauthorizedError {
+                message
+            }
             ... on ValidationError {
                 message
             }
@@ -48,7 +51,9 @@
 
 class UpdateBundleCacheConfigTestCase(GraphQLTestHelper, TestCase):
     def setUp(self):
-        self.owner = OwnerFactory()
+        self.org = OwnerFactory(username="codecov")
+        self.repo = RepositoryFactory(author=self.org, name="test-repo", private=False)
+        self.owner = OwnerFactory(organizations=[self.org.ownerid])
 
     def test_when_unauthenticated(self):
         data = self.gql_request(
@@ -64,6 +69,22 @@ def test_when_unauthenticated(self):
             == "UnauthenticatedError"
         )
 
+    def test_when_unauthorized_user_not_part_of_org(self):
+        random_user = OwnerFactory()
+        data = self.gql_request(
+            query,
+            owner=random_user,
+            variables={
+                "owner": "codecov",
+                "repoName": "test-repo",
+                "bundles": [{"bundleName": "pr_bundle1", "toggleCaching": False}],
+            },
+        )
+        assert (
+            data["updateBundleCacheConfig"]["error"]["__typename"]
+            == "UnauthorizedError"
+        )
+
     @patch(
         "core.commands.repository.interactors.update_bundle_cache_config.UpdateBundleCacheConfigInteractor.execute"
     )

apps/codecov-api/graphql_api/types/mutation/update_bundle_cache_config/update_bundle_cache_config.graphql

@@ -1,4 +1,4 @@
-union UpdateBundleCacheConfigError = UnauthenticatedError | ValidationError
+union UpdateBundleCacheConfigError = UnauthenticatedError | UnauthorizedError | ValidationError
 
 type UpdateBundleCacheConfigResult {
   bundleName: String