Move sync endpoint to Service API and add IncidentPermission

Author: spalmurray

src/firetower/incidents/permissions.py

@@ -28,7 +28,7 @@ class IncidentPermission(permissions.BasePermission):
 
     - READ: User must have visibility to the incident (respects is_visible_to_user)
     - CREATE: Any authenticated user can create
-    - UPDATE: Same as read permissions (anyone who can see can update)
+    - UPDATE/POST: Same as read permissions (anyone who can see can update/interact)
     """
 
     def has_permission(self, request: Request, view: "APIView") -> bool:
@@ -46,8 +46,8 @@ def has_object_permission(
         if request.method in permissions.SAFE_METHODS:
             return obj.is_visible_to_user(user)
 
-        # UPDATE: Same as read permissions
-        if request.method == "PATCH":
+        # UPDATE/POST: Same as read permissions (for PATCH updates and POST actions)
+        if request.method in ["PATCH", "POST"]:
             return obj.is_visible_to_user(user)
 
         return False

src/firetower/incidents/tests/test_views.py

@@ -316,7 +316,7 @@ def test_retrieve_incident_does_not_fail_on_sync_error(self):
             assert response.data["id"] == incident.incident_number
 
     def test_sync_participants_endpoint(self):
-        """Test POST /api/ui/incidents/{id}/sync-participants/ forces sync"""
+        """Test POST /api/incidents/{id}/sync-participants/ forces sync"""
         incident = Incident.objects.create(
             title="Test Incident",
             status=IncidentStatus.ACTIVE,
@@ -333,7 +333,7 @@ def test_sync_participants_endpoint(self):
 
             self.client.force_authenticate(user=self.user)
             response = self.client.post(
-                f"/api/ui/incidents/{incident.incident_number}/sync-participants/"
+                f"/api/incidents/{incident.incident_number}/sync-participants/"
             )
 
             assert response.status_code == 200
@@ -357,7 +357,7 @@ def test_sync_participants_endpoint_handles_errors(self):
 
             self.client.force_authenticate(user=self.user)
             response = self.client.post(
-                f"/api/ui/incidents/{incident.incident_number}/sync-participants/"
+                f"/api/incidents/{incident.incident_number}/sync-participants/"
             )
 
             assert response.status_code == 500
@@ -385,15 +385,15 @@ def test_sync_participants_endpoint_respects_privacy(self):
 
         self.client.force_authenticate(user=self.user)
         response = self.client.post(
-            f"/api/ui/incidents/{incident.incident_number}/sync-participants/"
+            f"/api/incidents/{incident.incident_number}/sync-participants/"
         )
 
         assert response.status_code == 404
 
     def test_sync_participants_endpoint_invalid_format(self):
         """Test sync endpoint returns 400 for invalid incident ID"""
         self.client.force_authenticate(user=self.user)
-        response = self.client.post("/api/ui/incidents/INVALID-123/sync-participants/")
+        response = self.client.post("/api/incidents/INVALID-123/sync-participants/")
 
         assert response.status_code == 400
 

src/firetower/incidents/urls.py

@@ -16,11 +16,6 @@
         incident_detail_ui,
         name="incident-detail-ui",
     ),
-    path(
-        "ui/incidents/<str:incident_id>/sync-participants/",
-        sync_incident_participants,
-        name="sync-incident-participants",
-    ),
     # Service API endpoints
     path(
         "incidents/",
@@ -32,4 +27,9 @@
         IncidentRetrieveUpdateAPIView.as_view(),
         name="incident-retrieve-update",
     ),
+    path(
+        "incidents/<str:incident_id>/sync-participants/",
+        sync_incident_participants,
+        name="sync-incident-participants",
+    ),
 ]

src/firetower/incidents/views.py

@@ -113,68 +113,9 @@ def get_object(self) -> Incident:
         return incident
 
 
-class SyncIncidentParticipantsView(generics.GenericAPIView):
-    """
-    Force sync incident participants from Slack channel.
-
-    POST /api/ui/incidents/{incident_id}/sync-participants/
-
-    Accepts incident_id in format: INC-2000
-    Returns sync statistics.
-    Bypasses throttle (force=True).
-
-    Authentication enforced via DEFAULT_PERMISSION_CLASSES in settings.
-    """
-
-    def get_queryset(self) -> QuerySet[Incident]:
-        return Incident.objects.all()
-
-    def get_incident(self) -> Incident:
-        incident_id = self.kwargs["incident_id"]
-        project_key = settings.PROJECT_KEY
-
-        incident_pattern = rf"^{re.escape(project_key)}-(\d+)$"
-        match = re.match(incident_pattern, incident_id)
-
-        if not match:
-            raise ValidationError(
-                f"Invalid incident ID format. Expected format: {project_key}-<number> (e.g., {project_key}-123)"
-            )
-
-        numeric_id = int(match.group(1))
-        queryset = self.get_queryset()
-        queryset = filter_visible_to_user(queryset, self.request.user)
-
-        return get_object_or_404(queryset, id=numeric_id)
-
-    def post(self, request: Request, incident_id: str) -> Response:
-        incident = self.get_incident()
-
-        try:
-            stats = sync_incident_participants_from_slack(incident, force=True)
-            return Response({"success": True, "stats": asdict(stats)})
-        except Exception as e:
-            logger.error(
-                f"Failed to force sync participants for incident {incident.id}: {e}",
-                exc_info=True,
-            )
-            error_stats = ParticipantsSyncStats(
-                errors=["Failed to sync participants from Slack"]
-            )
-            return Response(
-                {
-                    "success": False,
-                    "error": "Failed to sync participants from Slack",
-                    "stats": asdict(error_stats),
-                },
-                status=500,
-            )
-
-
 # View aliases for cleaner URL imports
 incident_list_ui = IncidentListUIView.as_view()
 incident_detail_ui = IncidentDetailUIView.as_view()
-sync_incident_participants = SyncIncidentParticipantsView.as_view()
 
 
 class IncidentListCreateAPIView(generics.ListCreateAPIView):
@@ -275,3 +216,77 @@ def get_object(self) -> Incident:
             )
 
         return obj
+
+
+class SyncIncidentParticipantsView(generics.GenericAPIView):
+    """
+    Force sync incident participants from Slack channel.
+
+    POST /api/incidents/{incident_id}/sync-participants/
+
+    Accepts incident_id in format: INC-2000
+    Returns sync statistics.
+    Bypasses throttle (force=True).
+
+    Uses IncidentPermission for access control.
+    """
+
+    permission_classes = [IncidentPermission]
+
+    def get_queryset(self) -> QuerySet[Incident]:
+        return Incident.objects.all()
+
+    def get_object(self) -> Incident:
+        """
+        Parse INC-2000 format and check permissions.
+
+        Returns incident if found and user has access, otherwise 404.
+        """
+        incident_id = self.kwargs["incident_id"]
+        project_key = settings.PROJECT_KEY
+
+        incident_pattern = rf"^{re.escape(project_key)}-(\d+)$"
+        match = re.match(incident_pattern, incident_id)
+
+        if not match:
+            raise ValidationError(
+                f"Invalid incident ID format. Expected format: {project_key}-<number> (e.g., {project_key}-123)"
+            )
+
+        numeric_id = int(match.group(1))
+        queryset = self.get_queryset()
+        queryset = filter_visible_to_user(queryset, self.request.user)
+
+        obj = get_object_or_404(queryset, id=numeric_id)
+
+        # Check object permissions
+        self.check_object_permissions(self.request, obj)
+
+        return obj
+
+    def post(self, request: Request, incident_id: str) -> Response:
+        incident = self.get_object()
+
+        try:
+            stats = sync_incident_participants_from_slack(incident, force=True)
+            return Response({"success": True, "stats": asdict(stats)})
+        except Exception as e:
+            logger.error(
+                f"Failed to force sync participants for incident {incident.id}: {e}",
+                exc_info=True,
+            )
+            error_stats = ParticipantsSyncStats(
+                errors=["Failed to sync participants from Slack"]
+            )
+            return Response(
+                {
+                    "success": False,
+                    "error": "Failed to sync participants from Slack",
+                    "stats": asdict(error_stats),
+                },
+                status=500,
+            )
+
+
+# View alias for sync endpoint
+sync_incident_participants = SyncIncidentParticipantsView.as_view()