Project Access Tokens should be treated as external users


The bot users created for Project Access Tokens should be treated as external users and only be allowed access to their respective projects.

Currently, if I create a Project Access Token and give it, say, the read_registry scope, then that token can be used to fetch images from the registries of all internal projects. The same applies for the read_repository scope and cloning.

This goes against the description of the Project Access Tokens as being "scoped to this project" and was very unexpected! I was trying to give access to a third-party server to pull images from a particular project and inadvertently ended up giving it access to all our internal projects!

I can achieve the desired behavior by marking the bot user as an external user in the admin interface. I think this should be the default behavior.

UPDATE: A workaround is to configure new users to be set to external globally in the GitLab instance. This also applies to new bot users linked to access tokens.
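An audit script for the situation described above, added here as an example and not part of the issue or of GitLab's own code: it scans the admin Users API listing for project access token bot users that are still internal (and so can reach every internal project) and builds the corresponding "mark as external" requests. It assumes that bot usernames follow the `project_<id>_bot` pattern, that the listing exposes `bot` and `external` per user, and that `PUT /api/v4/users/:id` accepts an `external` flag; the sample records are constructed.

```python
"""Flag project-access-token bot users that are not marked external.

Added example, not GitLab code. Assumptions: GET /api/v4/users (admin)
returns `username`, `bot` and `external` per user; bot usernames match
project_<id>_bot; PUT /api/v4/users/:id accepts {"external": true}.
"""
import json
import re
import urllib.request
from typing import Iterable

# Assumed username pattern of bots created for Project Access Tokens.
BOT_USERNAME = re.compile(r"^project_(\d+)_bot")

# Constructed sample of a users listing (not real data).
SAMPLE_USERS = [
    {"id": 11, "username": "alice", "bot": False, "external": False},
    {"id": 42, "username": "project_7_bot", "bot": True, "external": False},
    {"id": 43, "username": "project_9_bot_3f1a", "bot": True, "external": True},
    {"id": 44, "username": "svc-ci", "bot": True, "external": False},  # other bot
]


def is_project_bot(user: dict) -> bool:
    """True for bot accounts whose username follows the project token pattern."""
    return bool(user.get("bot")) and BOT_USERNAME.match(user.get("username", "")) is not None


def find_unscoped_bots(users: Iterable[dict]) -> list:
    """Project token bots that are internal, i.e. not restricted to their project."""
    return [u for u in users if is_project_bot(u) and not u.get("external", False)]


def remediation_requests(users: Iterable[dict]) -> list:
    """(method, path, body) tuples an admin would send to flip each flagged bot."""
    return [("PUT", f"/api/v4/users/{u['id']}", {"external": True})
            for u in find_unscoped_bots(users)]


def fetch_users(base_url: str, admin_token: str, per_page: int = 100) -> list:
    """Fetch one page of the admin users listing (assumed endpoint and header)."""
    req = urllib.request.Request(f"{base_url}/api/v4/users?per_page={per_page}",
                                 headers={"PRIVATE-TOKEN": admin_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for method, path, body in remediation_requests(SAMPLE_USERS):
        print(f"{method} {path} {json.dumps(body)}")
```

Point `fetch_users` at a real instance with an admin token to audit live data; the listing is paginated, so loop over `page=` for larger instances.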
