fix(auth): add alerts:read and alerts:write to default OAuth scopes#1137
Merged
sentry alert metrics create was blocked with 403 even after sentry auth login because the metric alert POST endpoint has a secondary permission check (check_can_create_alert) that requires alerts:write, org:write, or org:admin, none of which were in the CLI's default OAuth scope set. Dashboard creation works fine because its POST only gates on org:read, which is already in scope. The inconsistency was the missing alerts:write.

Add alerts:read and alerts:write to OAUTH_SCOPES.

Users with existing tokens will need to re-authenticate to pick up the new scopes:

sentry auth logout && sentry auth login

Update generated doc sections in DEVELOPMENT.md and self-hosted.md (script/generate-docs-sections.ts regenerates these from OAUTH_SCOPES).

Co-Authored-By: sentry-junior[bot] <264270552+sentry-junior[bot]@users.noreply.github.com>
Codecov Results ✅ Patch coverage is 100.00%. Project has 5050 uncovered lines.

@@ Coverage Diff @@
##             main     #PR    +/-  ##
==========================================
+ Coverage   81.34%  81.34%    —%
==========================================
  Files         392     392     —
  Lines       27070   27070     —
  Branches    17566   17566     —
==========================================
+ Hits        22019   22020    +1
- Misses       5051    5050    -1
- Partials     1832    1832     —

Generated by Codecov Action
MathurAditya724 approved these changes on Jun 24, 2026
What

Add alerts:read and alerts:write to the default OAuth scope set requested during sentry auth login.

Why

sentry alert metrics create was returning "You may not have access to this resource" (403) even after a successful sentry auth login. Dashboard creation worked fine, so something was inconsistent.

Root cause: the metric alert POST /organizations/{org}/alert-rules/ endpoint has two permission layers:

1. Scope map check: org:read, which the CLI already requests. This passes. ✓
2. check_can_create_alert() in src/sentry/incidents/endpoints/bases.py requires one of alerts:write, org:write, or org:admin (or team-admin project access). This fails. ✗

Dashboard creation only has the scope map check (accepts org:read), so it worked. Alert creation silently had a harder gate that the CLI's scope set never satisfied.

The fix is adding alerts:write (and its paired read scope) to OAUTH_SCOPES in src/lib/oauth.ts.

Impact

Existing users will need to re-authenticate to pick up the new scopes:

sentry auth logout
sentry auth login

The generated doc sections in DEVELOPMENT.md and docs/src/content/docs/self-hosted.md are updated to match (these are normally regenerated by pnpm run generate:docs-sections).
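The two-layer check the PR describes is easy to model and turn into a scope-coverage test, so a CLI can catch a requested-scope set that cannot satisfy an endpoint before a user hits the 403. The block below is an added example, not code from the sentry CLI or the Sentry server: the gate names and alternatives follow the PR text, while the endpoint table and the "before" scope set (the page only confirms org:read was already requested) are constructed for illustration.

```typescript
// Added example (not sentry CLI or Sentry server code): verify that a CLI's
// requested OAuth scopes satisfy every permission gate of the endpoints it calls.

// A gate passes when the token holds at least one of its alternatives.
type Gate = { name: string; anyOf: string[] };
type Endpoint = { command: string; gates: Gate[] };

// Constructed model of the two endpoints discussed in the PR.
const ENDPOINTS: Endpoint[] = [
  {
    command: "sentry dashboard create",
    gates: [{ name: "scope map", anyOf: ["org:read"] }],
  },
  {
    command: "sentry alert metrics create",
    gates: [
      { name: "scope map", anyOf: ["org:read"] },
      // check_can_create_alert(): alerts:write, org:write or org:admin
      { name: "check_can_create_alert", anyOf: ["alerts:write", "org:write", "org:admin"] },
    ],
  },
];

// Gates that a token holding `scopes` would fail for one endpoint.
function failingGates(scopes: ReadonlySet<string>, ep: Endpoint): string[] {
  return ep.gates
    .filter((g) => !g.anyOf.some((s) => scopes.has(s)))
    .map((g) => `${g.name} (needs one of ${g.anyOf.join(", ")})`);
}

// Every command that would be refused with the given scopes, with the gates it fails.
function uncoveredCommands(scopes: Iterable<string>, eps: Endpoint[] = ENDPOINTS): Map<string, string[]> {
  const have = new Set(scopes);
  const out = new Map<string, string[]>();
  for (const ep of eps) {
    const missing = failingGates(have, ep);
    if (missing.length > 0) out.set(ep.command, missing);
  }
  return out;
}

// Illustrative scope sets: BEFORE is constructed (only org:read is confirmed
// by the PR); AFTER adds the two scopes this PR introduces.
const BEFORE: string[] = ["org:read"];
const AFTER: string[] = [...BEFORE, "alerts:read", "alerts:write"];

for (const [label, scopes] of [["before", BEFORE], ["after", AFTER]] as [string, string[]][]) {
  for (const [cmd, gates] of uncoveredCommands(scopes)) {
    console.log(`${label}: ${cmd} would be refused: ${gates.join("; ")}`);
  }
}
```

Run against the real OAUTH_SCOPES list and an endpoint table kept next to the CLI's command definitions, this turns a silent 403 into a failing test whenever a new command's gate is not covered by the requested scopes.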