Allow an admin user to access any user's private token using the `sudo` parameter

Summary

  • In #20911 / !6047 (merged), the private_token field was removed from the /user API.
  • This was done to prevent API consumers that were given access using a personal access token from "upgrading" their access to a private token, thereby continuing to have access even if the personal access token was revoked.
  • This caused a breaking change for a customer - the client application expects to receive a user's private token when accessing the /user endpoint with the sudo parameter set.
  • We can enable the private_token field only when the sudo parameter is set (and the current user is an admin), which should resolve the breaking change, while preventing the original vulnerability.
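As an added illustration (not GitLab's code, and not part of this issue as filed), the following Ruby sketch models the two response behaviours described above: the pre-!6047 response that handed `private_token` to any authenticated caller, and the proposed response that exposes it only when the caller is an admin and `sudo` is set. The `User` struct, the in-memory user table, the `Forbidden` error and the function names are assumptions; `sudo` is taken as a numeric user id for simplicity.

```ruby
# Hypothetical model of the /user response shaping discussed in this issue.
# Field names (id, username, private_token) follow the issue; everything else
# here is an assumption made for the example.

User = Struct.new(:id, :username, :admin, :private_token, keyword_init: true)

class Forbidden < StandardError; end

# Constructed sample users (placeholder token values, not real secrets).
ADMIN = User.new(id: 1, username: "root",  admin: true,  private_token: "ADMIN-PRIVATE-TOKEN-placeholder")
ALICE = User.new(id: 2, username: "alice", admin: false, private_token: "ALICE-PRIVATE-TOKEN-placeholder")
USERS = { 1 => ADMIN, 2 => ALICE }.freeze

# Behaviour before !6047: any authenticated caller, including one holding a
# revocable personal access token, received the current user's private_token
# and could keep using it after the personal access token was revoked.
def user_response_before_fix(current_user)
  {
    "id"            => current_user.id,
    "username"      => current_user.username,
    "private_token" => current_user.private_token
  }
end

# Behaviour proposed in this issue: private_token appears only when the sudo
# parameter is set AND the authenticated caller is an admin. A non-admin
# attempting sudo is rejected outright, matching the existing sudo semantics.
def user_response_proposed(current_user, sudo: nil)
  if sudo
    raise Forbidden, "sudo requires an admin" unless current_user.admin
    target = USERS.fetch(sudo)          # user being impersonated
  else
    target = current_user
  end

  body = { "id" => target.id, "username" => target.username }
  body["private_token"] = target.private_token if sudo && current_user.admin
  body
end

if __FILE__ == $PROGRAM_NAME
  p user_response_before_fix(ALICE)            # leaks private_token to any caller
  p user_response_proposed(ALICE)              # no private_token
  p user_response_proposed(ADMIN, sudo: 2)     # admin impersonating alice: token present
end
```

The check is deliberately conjunctive: `sudo` alone is not enough (a non-admin cannot use it) and admin status alone is not enough (an admin's own `/user` call without `sudo` still omits the field), which is the narrowest condition that restores the customer's flow without reopening the token-upgrade path.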

Steps to reproduce

  • Make an API call to the /user endpoint as an admin user, and with the sudo parameter set

Expected behavior

  • The private_token of the user referenced in the sudo parameter must be present in the API response

Actual behavior

  • The private_token of the user referenced in the sudo parameter is absent

/cc @dblessing @davidd2k @stanhu