fix(demo-mode): Restrict GroupAi endpoints to demo orgs only (#111509)

Author: obostjancic

src/sentry/issues/endpoints/bases/group.py

@@ -13,7 +13,7 @@
 from sentry.api.base import Endpoint
 from sentry.api.bases.project import ProjectPermission
 from sentry.api.exceptions import ResourceDoesNotExist
-from sentry.demo_mode.utils import is_demo_mode_enabled, is_demo_user
+from sentry.demo_mode.utils import is_demo_mode_enabled, is_demo_org, is_demo_user
 from sentry.integrations.tasks import create_comment, update_comment
 from sentry.models.activity import Activity
 from sentry.models.group import Group, GroupStatus, get_group_with_redirect
@@ -157,6 +157,9 @@ def has_object_permission(self, request: Request, view: APIView, group: Any) ->
             if not is_demo_mode_enabled() or request.method not in self.ALLOWED_METHODS:
                 return False
 
+            if not is_demo_org(group.project.organization):
+                return False
+
             return True
         return super().has_object_permission(request, view, group)
 

tests/sentry/issues/endpoints/test_group.py

@@ -15,12 +15,34 @@ class GroupAiPermissionTest(TestCase):
     def setUp(self) -> None:
         super().setUp()
         self.permission = GroupAiPermission()
-        self.project = self.create_project()
-        self.group = self.create_group(project=self.project)
+        self.demo_org = self.create_organization(name="demo-org")
+        self.demo_project = self.create_project(organization=self.demo_org)
+        self.demo_group = self.create_group(project=self.demo_project)
         self.demo_user = self.create_user()
+        self.create_member(
+            user=self.demo_user,
+            organization=self.demo_org,
+            role="member",
+            teams=[self.demo_project.teams.first()],
+        )
+
+        # Keep legacy aliases so existing tests still work
+        self.project = self.demo_project
+        self.group = self.demo_group
+
+        # A separate org the demo user has no membership in
+        self.other_org = self.create_organization(name="other-org")
+        self.other_project = self.create_project(organization=self.other_org)
+        self.other_group = self.create_group(project=self.other_project)
 
     def _demo_mode_enabled(self) -> ContextManager[None]:
-        return override_options({"demo-mode.enabled": True, "demo-mode.users": [self.demo_user.id]})
+        return override_options(
+            {
+                "demo-mode.enabled": True,
+                "demo-mode.users": [self.demo_user.id],
+                "demo-mode.orgs": [self.demo_org.id],
+            }
+        )
 
     def has_object_perm(
         self,
@@ -51,8 +73,27 @@ def test_demo_user_unsafe_methods_blocked(self) -> None:
                 assert not self.has_object_perm(method, self.group, user=self.demo_user)
 
     def test_demo_user_demo_mode_disabled(self) -> None:
-        for method in ("GET", "POST", "PUT", "DELETE"):
-            assert not self.has_object_perm(method, self.group, user=self.demo_user)
+        """When demo mode is off, listed demo users are denied entirely."""
+        with override_options({"demo-mode.users": [self.demo_user.id]}):
+            # is_demo_user() is True but is_demo_mode_enabled() is False → blocked
+            assert not self.has_object_perm("GET", self.demo_group, user=self.demo_user)
+            assert not self.has_object_perm("GET", self.other_group, user=self.demo_user)
+
+    def test_demo_user_blocked_from_non_demo_org_group(self) -> None:
+        """Demo user must not access groups belonging to a non-demo org."""
+        with self._demo_mode_enabled():
+            for method in ("GET", "POST"):
+                assert not self.has_object_perm(method, self.other_group, user=self.demo_user), (
+                    f"Demo user got access to non-demo org group via {method}"
+                )
+
+    def test_demo_user_allowed_on_demo_org_group(self) -> None:
+        """Demo user can access groups in the demo org."""
+        with self._demo_mode_enabled():
+            for method in ("GET", "POST"):
+                assert self.has_object_perm(method, self.demo_group, user=self.demo_user), (
+                    f"Demo user denied access to demo org group via {method}"
+                )
 
     def test_regular_user_with_access(self) -> None:
         user = self.create_user()