getsentry · mifu67 · Apr 7, 2025 · Apr 4, 2025 · Apr 4, 2025 · Apr 7, 2025
diff --git a/src/sentry/api/bases/organizationmember.py b/src/sentry/api/bases/organizationmember.py
@@ -12,6 +12,7 @@
 from sentry.db.models.fields.bounded import BoundedAutoField
 from sentry.models.organization import Organization
 from sentry.models.organizationmember import InviteStatus, OrganizationMember
+from sentry.models.organizationmemberinvite import OrganizationMemberInvite
 from sentry.organizations.services.organization.model import (
     RpcOrganization,
     RpcUserOrganizationContext,
@@ -124,4 +125,10 @@ def _get_member(
         if invite_status:
             kwargs["invite_status"] = invite_status.value
 
+        om_id = kwargs.get("id")
+        if isinstance(om_id, int):
+            invite = OrganizationMemberInvite.objects.filter(organization_member_id=om_id).first()
+            if invite is not None:
+                raise ResourceDoesNotExist
+
         return OrganizationMember.objects.filter(**kwargs).get()
diff --git a/src/sentry/api/endpoints/organization_member/details.py b/src/sentry/api/endpoints/organization_member/details.py
@@ -448,7 +448,6 @@ def delete(
         """
         Remove an organization member.
         """
-
         # with superuser read write separation, superuser read cannot hit this endpoint
         # so we can keep this as is_active_superuser
         if request.user.is_authenticated and not is_active_superuser(request):

diff --git a/src/sentry/api/endpoints/organization_member/index.py b/src/sentry/api/endpoints/organization_member/index.py
@@ -1,6 +1,6 @@
 from django.conf import settings
 from django.db import router, transaction
-from django.db.models import F, Q
+from django.db.models import Exists, F, OuterRef, Q
 from drf_spectacular.utils import extend_schema, extend_schema_serializer
 from rest_framework import serializers
 from rest_framework.request import Request
@@ -28,6 +28,7 @@
 from sentry.auth.authenticators import available_authenticators
 from sentry.integrations.models.external_actor import ExternalActor
 from sentry.models.organizationmember import InviteStatus, OrganizationMember
+from sentry.models.organizationmemberinvite import OrganizationMemberInvite
 from sentry.models.team import Team, TeamStatus
 from sentry.roles import organization_roles, team_roles
 from sentry.search.utils import tokenize_query
@@ -183,11 +184,19 @@ def get(self, request: Request, organization) -> Response:
 
         Response includes pending invites that are approved by organization owners or managers but waiting to be accepted by the invitee.
         """
-        queryset = OrganizationMember.objects.filter(
-            Q(user_is_active=True, user_id__isnull=False) | Q(user_id__isnull=True),
-            organization=organization,
-            invite_status=InviteStatus.APPROVED.value,
-        ).order_by("id")
+        queryset = (
+            OrganizationMember.objects.filter(
+                Q(user_is_active=True, user_id__isnull=False) | Q(user_id__isnull=True),
+                organization=organization,
+                invite_status=InviteStatus.APPROVED.value,
+            )
+            .filter(
+                ~Exists(
+                    OrganizationMemberInvite.objects.filter(organization_member_id=OuterRef("id"))
+                )
+            )
+            .order_by("id")
+        )
 
         query = request.GET.get("query")
         if query:

@@ -43,6 +43,7 @@
     RpcOrganizationMemberMappingUpdate,
     organizationmember_mapping_service,
 )
+from sentry.models.organizationmemberinvite import OrganizationMemberInvite
 from sentry.models.team import TeamStatus
 from sentry.roles import organization_roles
 from sentry.roles.manager import OrganizationRole
@@ -249,6 +250,10 @@ class Meta:
     __repr__ = sane_repr("organization_id", "user_id", "email", "role")
 
     def save(self, *args, **kwargs):
+        if self.id is not None:
+            invite = OrganizationMemberInvite.objects.filter(organization_member_id=self.id).first()
+            assert invite is None, "Cannot save placeholder organization member for an invited user"
+
         with outbox_context(transaction.atomic(using=router.db_for_write(OrganizationMember))):
             if self.token and not self.token_expires_at:
                 self.refresh_expires_at()

diff --git a/tests/sentry/api/endpoints/test_organization_member_details.py b/tests/sentry/api/endpoints/test_organization_member_details.py
@@ -158,6 +158,13 @@ def test_does_not_include_secondary_emails(self):
         assert "emails" not in response.data["user"]
         assert "emails" not in response.data.get("serializedUser", {})
 
+    def test_does_not_serialize_placeholder_member(self):
+        invite = self.create_member_invite(organization=self.organization)
+        placeholder_om = invite.organization_member
+
+        response = self.get_error_response(self.organization.slug, placeholder_om.id)
+        assert response.data["detail"] == "The requested resource does not exist"
+
 
 class UpdateOrganizationMemberTest(OrganizationMemberTestBase, HybridCloudTestMixin):
     method = "put"
@@ -895,6 +902,13 @@ def test_on_role_change_not_called_when_reinviting(self, mock_on_role_change):
 
         mock_on_role_change.assert_not_called()
 
+    def test_cannot_edit_placeholder_member(self):
+        invite = self.create_member_invite(organization=self.organization)
+        placeholder_om = invite.organization_member
+
+        response = self.get_error_response(self.organization.slug, placeholder_om.id, role="member")
+        assert response.data["detail"] == "The requested resource does not exist"
+
 
 class DeleteOrganizationMemberTest(OrganizationMemberTestBase):
     method = "delete"
@@ -1201,6 +1215,13 @@ def test_invitations_dont_get_deleted_on_invite_detetion(self):
         assert members_and_invites_count_after == members_and_invites_count_before - 1
         assert not OrganizationMember.objects.filter(inviter_id=manager_user.id).exists()
 
+    def test_cannot_delete_placeholder_member(self):
+        invite = self.create_member_invite(organization=self.organization)
+        placeholder_om = invite.organization_member
+
+        response = self.get_error_response(self.organization.slug, placeholder_om.id)
+        assert response.data["detail"] == "The requested resource does not exist"
+
 
 class ResetOrganizationMember2faTest(APITestCase):
     def setUp(self):

diff --git a/tests/sentry/api/endpoints/test_organization_member_index.py b/tests/sentry/api/endpoints/test_organization_member_index.py
@@ -537,6 +537,19 @@ def test_does_not_include_secondary_emails(self):
         assert all("email" not in team for team in member_data.get("teams", []))
         assert all("email" not in role for role in member_data.get("teamRoles", []))
 
+    def test_does_not_include_placeholder_org_members(self):
+        # do not list the placeholder org members created for OrganizationMemberInvite objects
+        user = self.create_user("real@member.com")
+        self.create_member(organization=self.organization, user=user)
+        invite = self.create_member_invite(organization=self.organization)
+        placeholder_member = invite.organization_member
+
+        response = self.get_success_response(self.organization.slug)
+
+        # check that the placeholder org member is not serialized
+        member_ids = [m["id"] for m in response.data]
+        assert str(placeholder_member.id) not in member_ids
+
 
 class OrganizationMemberPermissionRoleTest(OrganizationMemberListTestBase, HybridCloudTestMixin):
     method = "post"

@@ -2241,12 +2241,15 @@ def test_organization_member_inviter_id(self, expected_models: list[type[Model]]
         # they will not be imported if we only filter down to `test-org`. The desired outcome is
         # that the inviter is nulled out.
         for org_member in OrganizationMember.objects.filter(organization=org):
+            if OrganizationMemberInvite.objects.filter(organization_member=org_member).exists():
+                # placeholder organization member for invited member, skip
+                continue
             if not org_member.inviter_id:
                 org_member.inviter_id = admin.id
                 org_member.save()
         assert (
             OrganizationMember.objects.filter(organization=org.id, inviter_id__isnull=False).count()
-            == 6
+            == 4
         )
 
         with tempfile.TemporaryDirectory() as tmp_dir:

diff --git a/tests/sentry/models/test_organizationmember.py b/tests/sentry/models/test_organizationmember.py
@@ -553,3 +553,13 @@ def test_cannot_demote_last_owner(self):
 
             member.role = "manager"
             member.save()
+
+    def test_cannot_edit_placeholder_org_member(self):
+        omi = self.create_member_invite()
+        placeholder_om = omi.organization_member
+
+        placeholder_om.role = "manager"
+        with pytest.raises(
+            AssertionError, match="Cannot save placeholder organization member for an invited user"
+        ):
+            placeholder_om.save()