update logic for invalid ids and add tests

Author: shellmayr

src/sentry/core/endpoints/organization_details.py

@@ -91,6 +91,7 @@
 from sentry.models.options.organization_option import OrganizationOption
 from sentry.models.options.project_option import ProjectOption
 from sentry.models.organization import Organization, OrganizationStatus
+from sentry.models.organizationmember import OrganizationMember
 from sentry.models.organizationmemberreplayaccess import OrganizationMemberReplayAccess
 from sentry.models.project import Project
 from sentry.organizations.services.organization import organization_service
@@ -608,6 +609,19 @@ def save(self, **kwargs):
                 to_remove = current_member_ids - new_member_ids
 
                 if to_add:
+                    valid_member_ids = set(
+                        OrganizationMember.objects.filter(
+                            organization=org, id__in=to_add
+                        ).values_list("id", flat=True)
+                    )
+                    invalid_member_ids = to_add - valid_member_ids
+                    if invalid_member_ids:
+                        raise serializers.ValidationError(
+                            {
+                                "replayAccessMembers": f"Invalid organization member IDs: {sorted(invalid_member_ids)}"
+                            }
+                        )
+
                     OrganizationMemberReplayAccess.objects.bulk_create(
                         [
                             OrganizationMemberReplayAccess(

tests/sentry/core/endpoints/test_organization_details.py

@@ -1673,6 +1673,42 @@ def test_replay_access_members_requires_admin_scope(self) -> None:
         data = {"replayAccessMembers": [other_member.id]}
         self.get_error_response(self.organization.slug, **data, status_code=403)
 
+    @with_feature("organizations:granular-replay-permissions")
+    def test_replay_access_members_invalid_member_ids(self) -> None:
+        nonexistent_id = 999999999
+        data = {"replayAccessMembers": [nonexistent_id]}
+        response = self.get_error_response(self.organization.slug, **data, status_code=400)
+        assert "replayAccessMembers" in response.data
+        assert str(nonexistent_id) in response.data["replayAccessMembers"]
+
+    @with_feature("organizations:granular-replay-permissions")
+    def test_replay_access_members_from_other_organization(self) -> None:
+        other_org = self.create_organization(owner=self.create_user())
+        other_org_member = self.create_member(
+            organization=other_org, user=self.create_user(), role="member"
+        )
+        data = {"replayAccessMembers": [other_org_member.id]}
+        response = self.get_error_response(self.organization.slug, **data, status_code=400)
+        assert "replayAccessMembers" in response.data
+        assert str(other_org_member.id) in response.data["replayAccessMembers"]
+
+    @with_feature("organizations:granular-replay-permissions")
+    def test_replay_access_members_mixed_valid_and_invalid(self) -> None:
+        valid_member = self.create_member(
+            organization=self.organization, user=self.create_user(), role="member"
+        )
+        nonexistent_id = 999999999
+        data = {"replayAccessMembers": [valid_member.id, nonexistent_id]}
+        response = self.get_error_response(self.organization.slug, **data, status_code=400)
+        assert "replayAccessMembers" in response.data
+        assert str(nonexistent_id) in response.data["replayAccessMembers"]
+        assert str(valid_member.id) not in response.data["replayAccessMembers"]
+
+        access_count = OrganizationMemberReplayAccess.objects.filter(
+            organization=self.organization
+        ).count()
+        assert access_count == 0
+
 
 class OrganizationDeleteTest(OrganizationDetailsTestBase):
     method = "delete"