Investigate how can make pages auth work with only `read_api` scope
From https://gitlab.com/gitlab-org/security/gitlab-pages/-/merge_requests/6#note_464150499:
Taking a step back here and I wanted to ask why do we need
apiscope for the token?
That's a good question, we should be fine with the read_api scope at least.
-
Test if read_apiis enough for pages auth -
If it's not enough, discuss with the security team if we can expose https://gitlab.com/gitlab-org/gitlab/-/blob/903ee8c0832f8fea8bb141601e71770c05d5b675/lib/api/projects.rb#L344 endpoint for the read_apiscope -
Check if artifacts proxying also works with the read_apiscope -
Fix the default in omnibus -
Fix the default in charts(if there's one) -
Ask product manager to write the post describing how to "harden" security by finding the pages app in admin panel and changing the scope.
Edited by Vasilii Iakliushin