feat(project-creation): Backend for disableMemberProjectCreation flag (#62294)

Author: leedongwei

src/sentry/api/endpoints/organization_details.py

@@ -232,6 +232,7 @@ class OrganizationSerializer(BaseOrganizationSerializer):
 
     openMembership = serializers.BooleanField(required=False)
     allowSharedIssues = serializers.BooleanField(required=False)
+    allowMemberProjectCreation = serializers.BooleanField(required=False)
     enhancedPrivacy = serializers.BooleanField(required=False)
     dataScrubber = serializers.BooleanField(required=False)
     dataScrubberDefaults = serializers.BooleanField(required=False)
@@ -476,6 +477,8 @@ def save(self):
             and "requireEmailVerification" in data
         ):
             org.flags.require_email_verification = data["requireEmailVerification"]
+        if "allowMemberProjectCreation" in data:
+            org.flags.disable_member_project_creation = not data["allowMemberProjectCreation"]
         if "name" in data:
             org.name = data["name"]
         if "slug" in data:
@@ -492,6 +495,7 @@ def save(self):
                 "early_adopter": org.flags.early_adopter.is_set,
                 "require_2fa": org.flags.require_2fa.is_set,
                 "codecov_access": org.flags.codecov_access.is_set,
+                "disable_member_project_creation": org.flags.disable_member_project_creation.is_set,
             },
         }
 

src/sentry/api/endpoints/organization_projects_experiment.py

@@ -28,6 +28,7 @@
 
 CONFLICTING_TEAM_SLUG_ERROR = "A team with this slug already exists."
 MISSING_PERMISSION_ERROR_STRING = "You do not have permission to join a new team as a Team Admin."
+DISABLED_FEATURE_ERROR_STRING = "Your organization has disabled this feature for members."
 
 
 def _generate_suffix() -> str:
@@ -89,6 +90,10 @@ def post(self, request: Request, organization: Organization) -> Response:
 
         if not features.has("organizations:team-roles", organization):
             raise ResourceDoesNotExist(detail=MISSING_PERMISSION_ERROR_STRING)
+        if organization.flags.disable_member_project_creation and not request.access.has_scope(
+            "org:write"
+        ):
+            raise PermissionDenied(detail=DISABLED_FEATURE_ERROR_STRING)
 
         # parse the email to retrieve the username before the "@"
         parsed_email = fetch_slugifed_email_username(request.user.email)

src/sentry/api/endpoints/team_projects.py

@@ -159,10 +159,19 @@ def post(self, request: Request, team) -> Response:
         """
         Create a new project bound to a team.
         """
+        from sentry.api.endpoints.organization_projects_experiment import (
+            DISABLED_FEATURE_ERROR_STRING,
+        )
+
         serializer = ProjectPostSerializer(data=request.data)
 
         if not serializer.is_valid():
             return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+        if (
+            team.organization.flags.disable_member_project_creation
+            and not request.access.has_scope("org:write")
+        ):
+            return Response({"detail": DISABLED_FEATURE_ERROR_STRING}, status=403)
 
         result = serializer.validated_data
         with transaction.atomic(router.db_for_write(Project)):

src/sentry/api/serializers/models/organization.py

@@ -341,6 +341,7 @@ def serialize(
                 and obj.flags.require_email_verification
             ),
             "avatar": avatar,
+            "allowMemberProjectCreation": not obj.flags.disable_member_project_creation,
             "links": {
                 "organizationUrl": generate_organization_url(obj.slug),
                 "regionUrl": generate_region_url(),

tests/sentry/api/endpoints/test_organization_projects_experiment.py

@@ -6,6 +6,7 @@
 from django.utils.text import slugify
 
 from sentry.api.endpoints.organization_projects_experiment import (
+    DISABLED_FEATURE_ERROR_STRING,
     OrganizationProjectsExperimentEndpoint,
     fetch_slugifed_email_username,
 )
@@ -265,3 +266,25 @@ def get_callthrough(*args, **kwargs):
                 "detail": "You must be a member of the organization to join a new team as a Team Admin",
             }
         assert Team.objects.count() == prior_team_count
+
+    @with_feature(["organizations:team-roles"])
+    def test_disable_member_project_creation(self):
+        test_org = self.create_organization(flags=256)
+
+        test_member = self.create_user(is_superuser=False)
+        self.create_member(user=test_member, organization=test_org, role="member", teams=[])
+        self.login_as(user=test_member)
+        response = self.get_error_response(
+            test_org.slug,
+            name="foo",
+            status_code=403,
+        )
+        assert response.data["detail"] == DISABLED_FEATURE_ERROR_STRING
+        test_manager = self.create_user(is_superuser=False)
+        self.create_member(user=test_manager, organization=test_org, role="manager", teams=[])
+        self.login_as(user=test_manager)
+        self.get_success_response(
+            test_org.slug,
+            name="foo",
+            status_code=201,
+        )

tests/sentry/api/endpoints/test_team_projects.py

@@ -1,5 +1,6 @@
 from unittest.mock import Mock
 
+from sentry.api.endpoints.organization_projects_experiment import DISABLED_FEATURE_ERROR_STRING
 from sentry.ingest import inbound_filters
 from sentry.models.project import Project
 from sentry.models.rule import Rule
@@ -129,7 +130,7 @@ def test_default_rules(self):
         assert signal_handler.call_count == 0
         alert_rule_created.disconnect(signal_handler)
 
-    def test_without_default_rules(self):
+    def test_without_default_rules_disable_member_project_creation(self):
         response = self.get_success_response(
             self.organization.slug,
             self.team.slug,
@@ -140,6 +141,31 @@ def test_without_default_rules(self):
         project = Project.objects.get(id=response.data["id"])
         assert not Rule.objects.filter(project=project).exists()
 
+    def test_disable_member_project_creation(self):
+        test_org = self.create_organization(flags=256)
+        test_team = self.create_team(organization=test_org)
+
+        test_member = self.create_user(is_superuser=False)
+        self.create_member(user=test_member, organization=test_org, role="admin", teams=[test_team])
+        self.login_as(user=test_member)
+        response = self.get_error_response(
+            test_org.slug,
+            test_team.slug,
+            **self.data,
+            status_code=403,
+        )
+        assert response.data["detail"] == DISABLED_FEATURE_ERROR_STRING
+
+        test_manager = self.create_user(is_superuser=False)
+        self.create_member(user=test_manager, organization=test_org, role="manager", teams=[])
+        self.login_as(user=test_manager)
+        self.get_success_response(
+            test_org.slug,
+            test_team.slug,
+            **self.data,
+            status_code=201,
+        )
+
     def test_default_inbound_filters(self):
         filters = ["browser-extensions", "legacy-browsers", "web-crawlers", "filtered-transaction"]
         python_response = self.get_success_response(