From 3d56dd6c5d802d7d4f43cc69a1244dab9bfc723c Mon Sep 17 00:00:00 2001
From: Zach Waterfield <zlwaterfield@gmail.com>
Date: Thu, 2 Jan 2025 15:07:46 -0500
Subject: [PATCH] fix: add check for plugin resource type (#26558)

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
---
 posthog/rbac/user_access_control.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/posthog/rbac/user_access_control.py b/posthog/rbac/user_access_control.py
index 4cff394bc9c40..f3b5f5b2b0d9c 100644
--- a/posthog/rbac/user_access_control.py
+++ b/posthog/rbac/user_access_control.py
@@ -180,6 +180,14 @@ def _access_controls_filters_for_object(self, resource: APIScopeObject, resource
         """
         Used when checking an individual object - gets all access controls for the object and its type
         """
+        # Plugins are a special case because they don't belong to a team, instead they belong to an organization
+        if resource == "plugin":
+            return {
+                "team__organization_id": str(self._organization_id),
+                "resource": resource,
+                "resource_id": resource_id,
+            }
+
         return {"team_id": self._team.id, "resource": resource, "resource_id": resource_id}  # type: ignore
 
     def _access_controls_filters_for_resource(self, resource: APIScopeObject) -> dict: