Token generation does not use minimal scope when scopes is empty
Summary
When creating a project access token through the UI with no scopes selected, the request is not rejected; instead the token is created with the full default set of scopes, i.e. more permissions than the user asked for.
Steps to reproduce
- Go to a project
- Create a project access token without selecting any scopes
- Double-check the POST body of the create request:
- Observe the resulting token and its scopes
Example Project
Any project
What is the current bug behavior?
The token is created with the full default set of permissions even though no scope was selected.
What is the expected correct behavior?
The request should fail with a validation error, because no scopes were selected and a token without an explicit scope should not be issued.
Relevant logs and/or screenshots
Added above
Output of checks
This bug happens on GitLab.com
GitLab Enterprise Edition 17.0.0-pre 04be2667
Possible fixes
When nothing is selected, the token falls back to the default scope list defined here: https://gitlab.com/gitlab-org/gitlab/-/blob/v17.0.0-ee/lib/gitlab/auth.rb?ref_type=tags#L419
A possible fix is to require at least one scope when creating the token and return a 400 Bad Request otherwise. The check should be enforced in the backend, so that API callers that omit scopes get the same error, rather than only in the form.
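As an added illustration (this is not GitLab's code and not the linked file), the following Ruby models the two behaviours: a scope resolver that silently substitutes a default list when the request carries no scopes, beside a strict resolver that rejects such a request with a 400. The scope lists, the names `DEFAULT_SCOPES`, `ALLOWED_SCOPES`, `resolve_scopes_buggy`, `resolve_scopes_strict` and `create_token`, and the minimal controller stand-in are all assumptions made for the example; the exact form in which GitLab's UI submits an empty selection (absent key, empty array, or a blank entry) is not shown on this page, so the example treats all three the same way.

```ruby
# Added example, not GitLab code. Models the scope fallback described in the
# issue and a hardened alternative that rejects scope-less token requests.

# Hypothetical default scope set for a bot token (assumption: stands in for
# whatever list the real fallback returns; not GitLab's actual list).
DEFAULT_SCOPES = %w[api read_api read_repository write_repository].freeze

# Hypothetical full list of scopes a token may carry (assumption).
ALLOWED_SCOPES = (DEFAULT_SCOPES + %w[read_registry write_registry]).freeze

class ScopeError < StandardError; end

# Buggy behaviour: a missing or empty scope list falls through to the full
# default set, so "select nothing" silently becomes "grant everything".
def resolve_scopes_buggy(params)
  scopes = params[:scopes]
  scopes.nil? || scopes.empty? ? DEFAULT_SCOPES : scopes
end

# Hardened behaviour: normalise the submitted list, require at least one
# entry, reject unknown scope names, and never substitute a default.
def resolve_scopes_strict(params)
  scopes = Array(params[:scopes]).map(&:to_s).reject(&:empty?).uniq
  raise ScopeError, 'at least one scope is required' if scopes.empty?

  unknown = scopes - ALLOWED_SCOPES
  raise ScopeError, "unknown scopes: #{unknown.join(', ')}" unless unknown.empty?

  scopes
end

# Constructed stand-in for the create endpoint: returns [status, body].
# A ScopeError becomes a 400 instead of a created token.
def create_token(params, resolver:)
  scopes = resolver.call(params)
  [201, { name: params[:name], scopes: scopes }]
rescue ScopeError => e
  [400, { error: e.message }]
end

if __FILE__ == $PROGRAM_NAME
  empty_request = { name: 'project_bot', scopes: [] }
  p create_token(empty_request, resolver: method(:resolve_scopes_buggy))
  p create_token(empty_request, resolver: method(:resolve_scopes_strict))
end
```

Run as a script, the buggy resolver reports a 201 with every default scope attached to the scope-less request, while the strict resolver reports a 400 for the same input. The strict version also rejects a blank entry such as `[""]`, which is how an empty multi-select can arrive after form encoding.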
Edited by Filip Aleksic