Markdown API unnecessarily requires write access from 15.3
Summary
Gitlab 15.3 introduced a breaking change to the Gitlab API in that the /markdown endpoint now requires an authentication token (#369369 (closed)). Prior to this, no authentication was required to use it. Following this change, a token that carries only the read_api scope is rejected with an insufficient_scope error whose scope field reads api read_api, so in practice a token with the api scope is needed. This unnecessarily requires that, to use the /markdown API endpoint, a token be generated that has write access to the API. The /markdown API call does not make any changes and so is a read-only operation.
The /markdown endpoint should be reconfigured to require the read_api scope only.
Aside:
- It would be helpful if the documentation of the API at https://docs.gitlab.com/ee/api/ were to specify what authentication scopes a given endpoint requires. That doesn't appear to be the case at present.
- Going from not requiring authentication to requiring authentication at 15.3 is a breaking change to the API (so perhaps it should have waited for an API version change?). However, as far as we could tell, this was not recorded in the release notes. (To be fair, it could be in there somewhere, but there were a LOT of changes. We did scan for API references and did not find it.)
Steps to reproduce
- Create a personal or project access token with the read_api scope only (<read-only-access-token>).
- Following the example at https://docs.gitlab.com/ee/api/markdown.html#required-authentication, execute:
curl --request POST --header "PRIVATE-TOKEN: <read-only-access-token>" --header "Content-Type:application/json" --data '{"text":"Hello world! :tada:", "gfm":true}' https://gitlab.example.com/api/v4/markdown
- Receive the message:
{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api read_api"}
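As an added example (not code from this issue report or from Gitlab itself), the following Python client performs the same POST /api/v4/markdown call with PRIVATE-TOKEN authentication and tells an insufficient_scope rejection apart from a successful render, so a CI job running with a read-only token can fail fast with a precise message rather than a bare HTTP error. The instance hostname gitlab.example.com, the assumption that the rejection arrives as HTTP 403, and the shape of a successful reply ({"html": ...}) are assumptions for illustration; the transport is injectable so the logic can be exercised offline against the error body quoted above.

```python
import json
import urllib.error
import urllib.request

GITLAB_URL = "https://gitlab.example.com"  # assumption: the instance named in the report


class ScopeError(RuntimeError):
    """Raised when Gitlab rejects the token with error=insufficient_scope."""

    def __init__(self, required, description):
        self.required = tuple(required)  # scopes listed by the server, e.g. ("api", "read_api")
        self.description = description
        super().__init__(f"{description} (scopes listed by server: {' '.join(self.required)})")


def parse_markdown_response(status, body):
    """Interpret an HTTP status and JSON body returned by POST /api/v4/markdown.

    Returns the rendered HTML on success, raises ScopeError on an
    insufficient_scope rejection, and RuntimeError for anything else.
    """
    try:
        data = json.loads(body)
    except ValueError:
        raise RuntimeError(f"non-JSON response (HTTP {status}): {body[:200]!r}")
    if status == 200 and isinstance(data, dict) and "html" in data:
        return data["html"]
    if isinstance(data, dict) and data.get("error") == "insufficient_scope":
        raise ScopeError(data.get("scope", "").split(), data.get("error_description", ""))
    raise RuntimeError(f"unexpected response (HTTP {status}): {body[:200]!r}")


def _urllib_send(req):
    """Default transport: perform the request and return (status, body) even for 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


def render_markdown(text, token, gfm=True, base_url=GITLAB_URL, send=None):
    """Render `text` via the /markdown endpoint using PRIVATE-TOKEN authentication.

    `send` is an injectable transport taking a urllib.request.Request and
    returning (status, body); it defaults to a real HTTPS request.
    """
    req = urllib.request.Request(
        f"{base_url}/api/v4/markdown",
        data=json.dumps({"text": text, "gfm": gfm}).encode("utf-8"),
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
        method="POST",
    )
    status, body = (send or _urllib_send)(req)
    return parse_markdown_response(status, body)


def probe_markdown_scope(token, send=None):
    """Return () if the token can render markdown, else the scopes Gitlab listed as required.

    A CI job can call this at startup and stop with a clear message instead of
    discovering the rejection halfway through a pipeline.
    """
    try:
        render_markdown("probe", token, send=send)
    except ScopeError as err:
        return err.required
    return ()


# Constructed responses for offline use: the first is the error body quoted in
# the report above (assumed to arrive as HTTP 403), the second is an assumed
# successful reply.
INSUFFICIENT_SCOPE_BODY = (
    '{"error":"insufficient_scope","error_description":"The request requires '
    'higher privileges than provided by the access token.","scope":"api read_api"}'
)
RENDERED_BODY = '{"html":"<p>Hello world!</p>"}'


def fixed_response(status, body):
    """Build a transport that returns one canned response, for use without a server."""
    def send(req):
        # urllib title-cases header names, hence "Private-token".
        assert req.get_method() == "POST" and req.get_header("Private-token")
        return status, body
    return send


if __name__ == "__main__":
    print(probe_markdown_scope("read-only-token", send=fixed_response(403, INSUFFICIENT_SCOPE_BODY)))
    print(render_markdown("Hello world!", "api-token", send=fixed_response(200, RENDERED_BODY)))
```

Against a live instance, drop the `send` argument and pass the read-only token; on 15.3.x the probe returns ("api", "read_api"), which is exactly the outcome this issue describes, whereas a token carrying the api scope returns ().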
Example Project
Sorry, there is no accessible example project. The change made at 15.3 has broken a system that uses Gitlab CI on a self-hosted gitlab instance.
What is the current bug behavior?
Our /markdown API call is given the same access token that the other API calls are using, and the system is still broken. The system should only have read access to the API, and so is provided a read-only access token. It is now failing because the /markdown endpoint API call is unnecessarily requiring write access.
What is the expected correct behavior?
Calls to the /markdown endpoint work when provided with an access token that has the read_api scope only.
Relevant logs and/or screenshots
None
Output of checks
This happened on a self-hosted gitlab instance.
Results of GitLab environment info
Likely not needed. Version is 15.3.2.
Results of GitLab application Check
Likely not needed.
Possible fixes
I had a look at the corresponding merge request !93727 (merged), and could not find any mention of scope, api or read_api in the changes made. Perhaps api read_api is the default scope for POST requests, and an exception might need to be made in this instance?