Allow self-hosted CE / free-tier installations to disable PATs
Currently the ability to disable PATs is restricted to paid tiers: https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#disable-personal-access-tokens
GitLab's PATs do not respect 2FA settings, which means PATs can be used to bypass 2FA and access the API without two-factor verification. This is a serious security issue that resulted in our instance being hacked (I shared the details in this comment: #369504 (comment 1230869619)).
The option to disable PATs should not be paywalled. It should be available on any self-hosted installation (including CE / the free tier). It's plugging a fundamental security hole, and I doubt making this particular option available to all users would affect Enterprise sales in any way.
By intentionally leaving this hole "unpatched" in CE it seems like the GitLab team is saying "the only way you can avoid 2FA being bypassed is by paying for Enterprise."
GitHub provide the ability to do all this on their free tier, presumably because it's the responsible thing to do. They offer these options for both classic tokens and the new fine-grained tokens, thereby fully mitigating this issue: