GitLab API: Editing a project only works with an administrator's access token
Summary
Using the GitLab API, a project can be created (POST) or read (GET) with a valid access token belonging to a user who has the necessary access rights (master) in the group namespace. However, trying to edit the newly created project (PUT) with the same token returns HTTP 403 Forbidden. Editing the project (PUT) with a GitLab administrator's access token works.
Steps to reproduce
Using the GitLab API,
- Generate two different access tokens: the first for a non-admin user who has the access rights needed to create a project, the second for an admin user.
- Find out the ID of a group in which the non-admin user has master access rights.
- Create a project, e.g. POST /projects?name=myname&namespace_id=<group-ID-from-step-2> --header "PRIVATE-TOKEN: <non-admin-token>" -> OK, project is created.
- Copy the project ID from the response you got.
- Edit the project, e.g. PUT /projects/<project-ID>?name=myname&description=something --header "PRIVATE-TOKEN: <non-admin-token>" -> 403 Forbidden
- Edit the project with the admin access token, e.g. PUT /projects/<project-ID>?name=myname&description=something --header "PRIVATE-TOKEN: <admin-token>" -> OK, the project got modified
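The reproduction above, written as a script (an added example, not part of the original report and not GitLab's own code). The endpoints (POST /projects, PUT /projects/:id) and the PRIVATE-TOKEN header are the real GitLab API; the base URL, group ID, token values and the fake transport with its canned responses are placeholders and constructed data. The `transport` parameter lets the same flow run against a live instance (default, urllib) or against the fake, which mimics the 403 the report describes.

```python
"""Reproduce the PUT /projects/:id permission mismatch from the report via the REST API.

Added example; not GitLab code or part of the original report. Base URL,
group ID and tokens are placeholders; fake_gitlab_913 is constructed data.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers):
    """Send one request with the standard library; return (status, body)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        # 403 and friends arrive as exceptions; the body still carries GitLab's message.
        return err.code, err.read().decode("utf-8")


def api_call(base_url, token, method, path, params, transport=urllib_transport, version="v4"):
    """Call <base_url>/api/<version><path>?<params> with a PRIVATE-TOKEN header."""
    url = "%s/api/%s%s?%s" % (base_url.rstrip("/"), version, path, urllib.parse.urlencode(params))
    return transport(method, url, {"PRIVATE-TOKEN": token})


def reproduce(base_url, group_id, nonadmin_token, admin_token, transport=urllib_transport, version="v4"):
    """Run steps 3 to 6 of the report and say whether the mismatch is present.

    bug_reproduced is True exactly when the non-admin token could create the
    project, the same token got 403 on PUT, and the admin token's PUT succeeded.
    """
    result = {}
    # Step 3: create the project with the non-admin token.
    status, body = api_call(base_url, nonadmin_token, "POST", "/projects",
                            {"name": "myname", "namespace_id": group_id}, transport, version)
    result["create_status"] = status
    if status // 100 != 2:
        result["bug_reproduced"] = False
        result["error"] = "project creation failed: %s" % body
        return result
    # Step 4: the project ID comes back in the JSON response.
    project_id = json.loads(body)["id"]
    result["project_id"] = project_id
    edit_params = {"name": "myname", "description": "something"}
    # Step 5: PUT with the same non-admin token (expected 2xx, reported 403).
    status, _ = api_call(base_url, nonadmin_token, "PUT", "/projects/%s" % project_id,
                         edit_params, transport, version)
    result["nonadmin_edit_status"] = status
    # Step 6: PUT with the admin token (works).
    status, _ = api_call(base_url, admin_token, "PUT", "/projects/%s" % project_id,
                         edit_params, transport, version)
    result["admin_edit_status"] = status
    result["bug_reproduced"] = (result["nonadmin_edit_status"] == 403
                                and result["admin_edit_status"] // 100 == 2)
    return result


def fake_gitlab_913(method, url, headers):
    """Constructed stand-in for the instance in the report: only "admin-token" may PUT."""
    token = headers["PRIVATE-TOKEN"]
    path = urllib.parse.urlparse(url).path
    if method == "POST" and path.endswith("/projects"):
        return 201, json.dumps({"id": 42, "name": "myname"})
    if method == "PUT" and path.endswith("/projects/42"):
        if token == "admin-token":
            return 200, json.dumps({"id": 42, "description": "something"})
        return 403, json.dumps({"message": "403 Forbidden"})
    return 404, json.dumps({"message": "404 Not Found"})


if __name__ == "__main__":
    # Against a real instance, drop the transport argument and fill in real values:
    # reproduce("https://gitlab.example.com", 7, "<non-admin-token>", "<admin-token>")
    print(reproduce("https://gitlab.example.com", 7, "nonadmin-token", "admin-token",
                    transport=fake_gitlab_913))
```

Pass `version="v3"` to exercise the v3 endpoints the report also tested; the paths and header are the same for both versions.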
What is the current bug behavior?
A project created with a non-admin access token can afterwards only be edited (PUT) with an admin access token. This behaviour is also not in line with the Web UI, where the same non-admin user with master access is allowed to edit the project.
What is the expected correct behavior?
You should be able to edit the project with the same access token it was created with.
Output of checks
Results of GitLab environment info
GitLab CE 9.1.3
Tested with both API versions v3 and v4.