Investigate `:build_read_project` permission.
Problem
Originating in this comment. It is not clear what the `:build_read_project` permission is for, and how/why it limits admin privileges. The comment in the code reads:
> CI job token authentication:
> this method grants limited privileged for admin users
> admin users can only access project if they are direct member
We should find out why admin users are meant to get limited privileges through job tokens.
Additional notes
It's unfortunate the way we need to switch between 2 separate policies and especially that `build_read_project` is a reimplementation of `read_project`. This means that if we change `read_project` in the future (e.g. to be more restrictive) it may not apply automatically to `build_read_project`.
I wish `build_read_project` was inheriting from `read_project` and explicitly `prevent` the case when `current_user` is admin but not member. It would have probably been easier to spot the differences. On the same topic, I recently was drafting a PoC to better control CI_JOB_TOKEN permissions and I had noticed this same line. Ideally we should just use `read_project` everywhere and have the Policy object knowing the context of how the user was authenticated. Based on that we could allow/prevent certain actions if the user is authenticated via CI_JOB_TOKEN.