REST API v4: Session cookie does not grant all permissions

Summary

When trying to update a file via the REST API (https://docs.gitlab.com/14.7/ee/api/repository_files.html#update-existing-file-in-repository), the API returns 403 when authenticating with the session cookie. The documentation states that the session cookie should be sufficient for all API calls (https://docs.gitlab.com/14.7/ee/api/#session-cookie).

Steps to reproduce

Create a new empty project and add a data.txt file to it (or ask me to add you to my test case: https://gitlab.com/nrueckmann/api-testing).

Run the following script in the browser console on your GitLab window:

var PROJECT_ID = 33611489; // Replace with your project ID
var FILE_PATH = "data.txt";
// Authenticated by the browser's session cookie only (sent automatically on this same-origin request)
fetch("/api/v4/projects/" + PROJECT_ID + "/repository/files/" + encodeURIComponent(FILE_PATH), {method: "PUT", headers: {"Content-Type": "application/json"}, body: '{"branch": "main", "commit_message": "Update via API", "content": "updated via api"}'})
  .then(function (r) { console.log(r.status); }); // logs 403

The same API call will succeed when adding the PRIVATE-TOKEN header:

var PROJECT_ID = 33611489; // Replace with your project ID
var FILE_PATH = "data.txt";
var PRIVATE_TOKEN = "XXXXXXXX"; // Replace with a personal access token (api scope)
// Same request, but authenticated explicitly with the PRIVATE-TOKEN header
fetch("/api/v4/projects/" + PROJECT_ID + "/repository/files/" + encodeURIComponent(FILE_PATH), {method: "PUT", headers: {"Content-Type": "application/json", "PRIVATE-TOKEN": PRIVATE_TOKEN}, body: '{"branch": "main", "commit_message": "Update via API (with token)", "content": "updated via api with token"}'})
  .then(function (r) { console.log(r.status); }); // logs 200
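The following is an added example, not part of the original report or of GitLab's own code. It builds the same PUT request as the two reproduction scripts above but makes the authentication mode explicit, so the three cases can be compared side by side: personal access token in PRIVATE-TOKEN, session cookie plus the X-CSRF-Token header that GitLab's own frontend reads from the page's `meta[name="csrf-token"]` tag, and session cookie alone. The explanation in the comments (that GitLab only honours cookie-based authentication on state-changing API requests when a valid CSRF token accompanies it, and that a cookie-only PUT is exactly the cross-site pattern that check rejects) is the editor's reading of GitLab's request-forgery protection, not something the report states. The function names `buildUpdateFileRequest`, `readCsrfToken`, `classifyOutcome` and `updateFile` are this example's own.

```javascript
// Added example (editor's code, not from the report or from GitLab).
// GitLab's API authenticates a request either by the PRIVATE-TOKEN header or by
// the _gitlab_session cookie. For unsafe methods (PUT/POST/DELETE) the cookie
// path is additionally guarded by CSRF protection: the request must carry the
// X-CSRF-Token header whose value the GitLab frontend takes from
// <meta name="csrf-token">. A cookie-only PUT from script is the request shape
// that guard exists to reject, which explains the 403 seen in the report
// (this explanation is the editor's assumption, not text from the report).

function buildUpdateFileRequest({ projectId, filePath, branch, commitMessage, content, token, csrfToken }) {
  // The file path is a single URL path segment, so "/" must become "%2F".
  const url = `/api/v4/projects/${encodeURIComponent(String(projectId))}` +
              `/repository/files/${encodeURIComponent(filePath)}`;
  const headers = { "Content-Type": "application/json" };
  let auth;
  if (token) {
    headers["PRIVATE-TOKEN"] = token;   // explicit token auth, no CSRF check applies
    auth = "token";
  } else if (csrfToken) {
    headers["X-CSRF-Token"] = csrfToken; // cookie auth accompanied by the page's CSRF token
    auth = "session+csrf";
  } else {
    auth = "session-only";               // cookie auth alone: rejected for unsafe methods
  }
  const init = {
    method: "PUT",
    headers,
    credentials: "same-origin",          // send the session cookie only to the GitLab origin
    body: JSON.stringify({ branch, commit_message: commitMessage, content }),
  };
  return { url, init, auth };
}

// Reads the CSRF token from the page the script runs in (the same meta tag the
// GitLab frontend uses). Returns null when there is no document, e.g. under Node.
function readCsrfToken(doc = typeof document !== "undefined" ? document : null) {
  const meta = doc && doc.querySelector('meta[name="csrf-token"]');
  return meta ? meta.getAttribute("content") : null;
}

// Classify a response the way a tester would: 200 means the file was updated,
// 403 with cookie-only auth is the CSRF guard, everything else is surfaced as-is.
function classifyOutcome(status, auth) {
  if (status === 200) return "updated";
  if (status === 403 && auth === "session-only") return "rejected: cookie auth without CSRF token";
  if (status === 401) return "rejected: not authenticated";
  return `unexpected status ${status}`;
}

// Runs the request from the browser console, like the report's scripts.
// Network access is required, so this part is not exercised offline.
async function updateFile(opts) {
  const { url, init, auth } = buildUpdateFileRequest(opts);
  const res = await fetch(url, init);
  return { status: res.status, outcome: classifyOutcome(res.status, auth), body: await res.text() };
}

// Usage from the GitLab browser console (project id and file from the report):
// updateFile({ projectId: 33611489, filePath: "data.txt", branch: "main",
//              commitMessage: "Update via API", content: "updated via api",
//              csrfToken: readCsrfToken() }).then(console.log);
```

Omitting both `token` and `csrfToken` reproduces the report's first script and yields the "session-only" case; passing `csrfToken: readCsrfToken()` shows the same cookie session being accepted once the CSRF token travels with it, which is the check a defender wants to see enforced rather than a bug in the cookie authentication itself.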

Example Project

https://gitlab.com/nrueckmann/api-testing

What is the current bug behavior?

The API returns HTTP status 403 (body: {"message": "403 Forbidden"}).

What is the expected correct behavior?

A new commit is created which updates the data.txt file.

Relevant logs and/or screenshots

N/A

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

N/A

Results of GitLab application Check

N/A

Possible fixes

N/A

Edited by Nils Rückmann