update function description & default with empty list

shellmayr · shellmayr · commit f8575a52af34 · 2025-12-05T16:17:39.000+01:00
diff --git a/src/sentry/replays/permissions.py b/src/sentry/replays/permissions.py
@@ -16,17 +16,15 @@
 
 def has_replay_permission(organization: Organization, user: User | AnonymousUser | None) -> bool:
     """
-    Check if a user has permission to access replay data for an organization. This
-    change is backwards compatible with the existing behavior and introduces the
-    ability to granularly control replay access for organization members, irrespective
-    of their role.
-
-    Logic:
-    - If feature flag is disabled, return True (existing behavior, everyone has access)
-    - User must be authenticated and a member of the org
-    - If no allowlist records exist for org, return True for all members
-    - If allowlist records exist, check if user's org membership is in the allowlist
-    - Return True if user is in allowlist, False otherwise
+    Determine whether a user has permission to access replay data for a given organization.
+
+    Rules:
+    - User must be authenticated and an active org member.
+    - If the 'organizations:granular-replay-permissions' feature flag is OFF, all users have access.
+    - If the 'sentry:granular-replay-permissions' org option is not set or falsy, all org members have access.
+    - If no allowlist records exist for the organization but the feature flag is on, no one has access.
+    - If allowlist records exist, only users explicitly present in the OrganizationMemberReplayAccess allowlist have access.
+    - Returns True if allowed, False otherwise.
     """
     if not features.has("organizations:granular-replay-permissions", organization):
         return True
@@ -51,7 +49,7 @@ def has_replay_permission(organization: Organization, user: User | AnonymousUser
     ).exists()
 
     if not allowlist_exists:
-        return True
+        return False
 
     has_access = OrganizationMemberReplayAccess.objects.filter(
         organization=organization, organizationmember=member
diff --git a/tests/sentry/replays/test_permissions.py b/tests/sentry/replays/test_permissions.py
@@ -38,12 +38,12 @@ def test_org_option_disabled_returns_true(self) -> None:
             )
             assert has_replay_permission(self.organization, self.user2) is True
 
-    def test_empty_allowlist_returns_true(self) -> None:
-        """When allowlist is empty, all members should have access"""
+    def test_empty_allowlist_returns_false(self) -> None:
+        """When allowlist is empty access control is active, no one should have access"""
         with self.feature("organizations:granular-replay-permissions"):
             self._enable_granular_permissions()
-            assert has_replay_permission(self.organization, self.user1) is True
-            assert has_replay_permission(self.organization, self.user2) is True
+            assert has_replay_permission(self.organization, self.user1) is False
+            assert has_replay_permission(self.organization, self.user2) is False
 
     def test_member_in_allowlist_returns_true(self) -> None:
         """When member is in allowlist, they should have access"""
