fix(init): recover from member project-creation restriction #960
Merged
New Sentry orgs have `disable_member_project_creation = true` by default. When `sentry init` hit this 403, it bailed with "Re-authenticate with: sentry auth login" — which is wrong advice and confuses users (CLI-SERVER-E, 21 events).

Three changes:

1. `create-sentry-project.ts` — after a 403 "disabled this feature" on the auto-resolved team, check whether the user holds `team:admin` on any team (that role bypasses the org restriction per `team_projects.py:228–233`). If found, retry with that team transparently. If not, surface a clear actionable error instead of the misleading re-auth prompt. Explicit `--team` skips the retry so the user's intent isn't overridden.
2. `infrastructure.ts` — `enrich403Detail` now short-circuits on "disabled this feature" before the scope/re-auth enrichment, so the wrong advice never reaches the user from any command.
3. `sentry.ts` — types `allowMemberProjectCreation` and `orgRole` on `SentryOrganization` for future preemptive checks.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Codecov Results 📊✅ 6945 passed | Total: 6945 | Pass Rate: 100% | Execution Time: 0ms 📊 Comparison with Base Branch
All tests are passing successfully. ❌ Patch coverage is 75.00%. Project has 14136 uncovered lines. Files with missing lines (1)
Coverage diff@@ Coverage Diff @@
## main #PR +/-##
==========================================
+ Coverage 76.97% 77.00% +0.03%
==========================================
Files 320 320 —
Lines 61442 61458 +16
Branches 0 0 —
==========================================
+ Hits 47294 47322 +28
- Misses 14148 14136 -12
- Partials 0 0 —Generated by Codecov Action |
The team-swap retry was wrong: silently creating a project under a different team changes org structure the user didn't ask for. Bot review also correctly flagged that listTeams only returns one page, so the retry would miss admin teams on large orgs — but the right fix is to remove it, not fix the pagination.

When the org has member project creation disabled, tell the user:

1. What happened (org policy, not an auth issue)
2. How to unblock: ask an admin to enable the setting OR create the project for them — then `sentry init <org>/<slug>` resolves to the existing project via preflight and skips creation entirely.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Add four targeted tests to cover previously uncovered branches:

- Invalid slug: name that slugifies to empty string returns early
- 403 org-policy: clear error with sentry-init escape hatch, no re-auth text
- Tool describe with payload.detail: short-circuits to the provided string
- Tool describe fallback: uses project name and platform

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
16937d0 to
57ad6f6
Compare
When the wizard tries to create a Sentry project, it fails with a 403 if the org has `disable_member_project_creation` set — which is the default for every new org (`organization.py:256`). The error message then appended "Re-authenticate with: `sentry auth login`", which is completely wrong advice for an org policy issue.
Tracked in CLI-SERVER-E (21 events, 11 users including internal).
What changes
Clear error with an escape hatch (`create-sentry-project.ts`) — when the org rejects project creation for members, surface the actual problem and tell the user what to do:
```
Project creation is disabled for members in "acme".
Ask an org owner to either enable project creation for members
or create the project for you. Once the project exists, run:
sentry init acme/
```
The `sentry init /` escape hatch is real — preflight resolves the positional arg to an existing project and `createSentryProject` short-circuits before touching the create API.
A previous iteration retried with a `team:admin` team, but that was wrong: the user chose that org and we shouldn't alter its structure silently. It also only paginated the first page of teams, missing admin memberships on large orgs. The right answer is a clear error, not a silent workaround.
Fix misleading 403 enrichment (`infrastructure.ts`) — `enrich403Detail` now short-circuits on `"disabled this feature"` before the scope/re-auth branches, so the wrong advice never reaches the user from any command.
Type the org fields (`sentry.ts`) — adds `allowMemberProjectCreation?` and `orgRole?` to `SentryOrganization` for future use.
Testing
Fixes CLI-SERVER-E.
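
The ordering described above, as an added example that is not code from this PR or from the Sentry CLI: the org-policy marker is checked before any credential advice, so a policy denial never produces a re-auth prompt. The names `explain403`, `Denial` and `POLICY_MARKER` and the sample detail strings are assumptions made for illustration.

```typescript
// Added illustration; not the sentry-cli source. All names here are hypothetical.
type Denial = { kind: "org-policy" | "auth"; message: string };

// Substring the PR says identifies the org restriction in a 403 detail.
const POLICY_MARKER = "disabled this feature";

function explain403(detail: string | undefined, org: string): Denial {
  const text = (detail ?? "").toLowerCase();
  // Policy check comes first: re-authenticating cannot lift an org setting,
  // so this branch must return before the re-auth hint is ever appended.
  if (text.includes(POLICY_MARKER)) {
    return {
      kind: "org-policy",
      message: [
        `Project creation is disabled for members in "${org}".`,
        "Ask an org owner to either enable project creation for members",
        "or create the project for you. Once the project exists, run:",
        // <slug> is a placeholder for the project the owner creates.
        `  sentry init ${org}/<slug>`,
      ].join("\n"),
    };
  }
  // Any other 403 keeps the credential-oriented hint quoted in the PR.
  return {
    kind: "auth",
    message: `${detail ?? "Forbidden"}\nRe-authenticate with: sentry auth login`,
  };
}

// Constructed sample details, not captured server responses.
const policyDenial = explain403(
  "Your organization has disabled this feature for members.",
  "acme",
);
const scopeDenial = explain403(
  "You do not have permission to perform this action.",
  "acme",
);
```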