fix(preprod): Fix permission check to respect org-level roles

The permission check was using has_project_membership which only checks
team membership, rejecting users with org-level roles (owner, manager)
who lack direct team membership.

Fixed by:
- Using get_projects() with explicit project_ids to leverage
  has_project_access (respects org-level permissions)
- Overriding check_object_permissions to skip org scope checks
- Converting PermissionDenied (403) to 404 for security
- Checking feature flags early to return 404 when disabled

Author: runningcode

src/sentry/preprod/api/bases/preprod_artifact_endpoint.py

@@ -4,11 +4,16 @@
 
 import sentry_sdk
 from rest_framework import status
-from rest_framework.exceptions import APIException
+from rest_framework.exceptions import APIException, PermissionDenied
 from rest_framework.permissions import BasePermission
 from rest_framework.request import Request
 
-from sentry.api.bases.organization import OrganizationEndpoint, OrganizationEventPermission
+from sentry import features
+from sentry.api.bases.organization import (
+    OrganizationEndpoint,
+    OrganizationEventPermission,
+    OrganizationPermission,
+)
 from sentry.constants import ObjectStatus
 from sentry.models.project import Project
 from sentry.preprod.authentication import LaunchpadRpcSignatureAuthentication
@@ -42,7 +47,15 @@ class ProjectPreprodArtifactPermission(OrganizationEventPermission):
 
 
 class PreprodArtifactEndpoint(OrganizationEndpoint):
-    permission_classes: tuple[type[BasePermission], ...] = (OrganizationEventPermission,)
+    # Override permission_classes to skip org-level scope checks in the parent class.
+    # We do project-level permission checks in convert_args and return 404 (not 403)
+    # for security when users lack project access
+    permission_classes: tuple[type[BasePermission], ...] = ()
+
+    def check_object_permissions(self, request: Request, obj: Any) -> None:
+        # Set up request.access but skip org-level scope checks.
+        # Project-level permissions are checked in convert_args with 404 (not 403) on denial.
+        OrganizationPermission().determine_access(request, obj)
 
     def convert_args(
         self,
@@ -79,12 +92,28 @@ def convert_args(
         if project.status != ObjectStatus.ACTIVE:
             raise HeadPreprodArtifactResourceDoesNotExist
 
-        # Skip project access check for service-to-service RPC authenticated requests
+        # Return 404 (not 403) when feature is disabled to avoid information leakage
+        if not features.has(
+            "organizations:preprod-frontend-routes", project.organization, actor=request.user
+        ):
+            raise HeadPreprodArtifactResourceDoesNotExist
+
+        # Skip project access check for RPC-authenticated requests
         is_rpc_authenticated = hasattr(request, "successful_authenticator") and isinstance(
             request.successful_authenticator, LaunchpadRpcSignatureAuthentication
         )
-        if not is_rpc_authenticated and project not in self.get_projects(request, organization):
-            raise HeadPreprodArtifactResourceDoesNotExist
+
+        if not is_rpc_authenticated:
+            # Check project access using has_project_access (respects org roles) not
+            # has_project_membership (team-only). Convert PermissionDenied to 404 for security.
+            try:
+                accessible_projects = self.get_projects(
+                    request, organization, project_ids={project.id}
+                )
+                if project not in accessible_projects:
+                    raise HeadPreprodArtifactResourceDoesNotExist
+            except PermissionDenied:
+                raise HeadPreprodArtifactResourceDoesNotExist
 
         # If project_id_or_slug is provided, validate it matches the artifact's project
         if project_id_or_slug is not None: