Users with admin cicd variables permission unable to create variables via API

Summary

Users who have been granted a custom role that uses Developer as the base plus the Admin cicd variables permission are unable to create CI/CD variables through the API.

Steps to reproduce

  1. Create a new Custom Role with Developer as the base permissions and select Admin cicd variables as the custom permission.
  2. Assign that role to a user.
  3. As that user, create a Personal Access Token with api scope.
  4. Issue a POST through the project-level variables API to create a new variable.
  5. Observe that a 403 Forbidden error is returned.

Example Project

This was reproduced using the tw-test-bed/custom-role-cicd project (GitLab.com admin required).

What is the current bug behavior?

Users who are granted the Admin cicd variables custom permission are unable to create CI/CD variables through the API.

What is the expected correct behavior?

Users who are granted the Admin cicd variables custom permission should be able to create CI/CD variables through the API, as they can through the UI.

Relevant logs and/or screenshots

Example API call:

curl --location --request POST 'https://gitlab.com/api/v4/projects/63169746/variables?key=testvar2&value=123456' \
--header 'Authorization: Bearer REDACTED'

Output:

"message": "403 Forbidden"

Output of checks

This bug happens on GitLab.com

Edited Nov 06, 2024 by Tristan