update graphql endpoint

codecov_auth/commands/owner/interactors/get_org_upload_token.py

@@ -1,17 +1,21 @@
 from codecov.commands.base import BaseInteractor
-from codecov.commands.exceptions import Unauthenticated
+from codecov.commands.exceptions import Unauthenticated, Unauthorized
 from codecov.db import sync_to_async
+from codecov_auth.helpers import current_user_part_of_org
 from codecov_auth.models import OrganizationLevelToken
 
 
 class GetOrgUploadToken(BaseInteractor):
-    def validate(self):
+    def validate(self, owner):
         if not self.current_user.is_authenticated:
             raise Unauthenticated()
 
+        if not current_user_part_of_org(self.current_owner, owner):
+            raise Unauthorized()
+
     @sync_to_async
     def execute(self, owner):
-        self.validate()
+        self.validate(owner)
 
         org_token = OrganizationLevelToken.objects.filter(owner=owner).first()
         if org_token:

codecov_auth/commands/owner/interactors/tests/test_get_org_upload_token.py

@@ -1,7 +1,7 @@
 import pytest
 from django.test import TransactionTestCase
 
-from codecov.commands.exceptions import Unauthenticated
+from codecov.commands.exceptions import Unauthenticated, Unauthorized
 from codecov_auth.tests.factories import OrganizationLevelTokenFactory, OwnerFactory
 
 from ..get_org_upload_token import GetOrgUploadToken
@@ -33,3 +33,11 @@ async def test_owner_with_org_upload_token_and_anonymous_user(self):
             )
 
             assert token == None
+
+    async def test_owner_with_org_upload_token_and_unauthorized_user(self):
+        with pytest.raises(Unauthorized):
+            token = await GetOrgUploadToken(
+                self.owner_with_upload_token, "github"
+            ).execute(self.owner_with_no_upload_token)
+
+            assert token == None