Merge create and update permission into one in GitLab Secrets Manager
Problem Statement
Currently, users need both create AND update permissions to create a secret in GitLab Secrets Manager. This creates an unintuitive user experience where:
- Creating a new secret requires the update permission (which semantically doesn't make sense)
- The permission model is confusing - users expect create permission alone should be sufficient to create secrets
- The frontend and backend need to be updated to handle these permissions together
Proposed Solution
1. Consolidate Permissions into Actions
Backend Changes:
- Introduce a new actions parameter/field to replace the existing permissions field
- Use an enum instead of an array of strings for better type safety and validation
- Combine create and update into a single logical action
Why "actions" instead of "permissions"?
- More descriptive of what users are actually doing with secrets (read, create, delete)
- Avoids redundancy with the entity name (e.g., "SecretsPermission.permissions" is redundant)
- Better semantic clarity
2. Implement in New Renamed Endpoints
As part of #577341 (closed), project secrets permissions endpoints are being renamed from Permissions to ProjectSecretsPermissions for consistency with GroupSecretsPermissions.
Implementation strategy:
- Introduce the new actions attribute in the new renamed endpoints (ProjectSecretsPermissions)
- Keep the old endpoints (Permissions) untouched for backward compatibility
- This allows a clean migration path without breaking existing frontend code
3. Update Response Format
Current behavior:
- Mutations accept an array of strings: ["read", "create", "update", "delete"]
- Query response stringifies the array (e.g., "read,create,update,delete")
- Frontend has to parse the stringified data
Proposed behavior:
- Use enum for actions
- Return array format in query responses (no stringification)
- Simplifies frontend data handling
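An added sketch, not GitLab's code, of translating the legacy permissions described above (array input or stringified query output) into a validated actions array, flagging grants that the create/update merge would widen. The name `write` for the merged action, the `strict:` option and all method names are assumptions made for illustration.

```ruby
# Hypothetical names throughout; this is not the GitLab implementation.
LEGACY_PERMISSIONS = %w[read create update delete].freeze
ACTIONS = %i[read write delete].freeze # :write is an assumed name for the merged action
MERGED = %w[create update].freeze

# Accepts both legacy shapes from the page: the array of strings taken by
# mutations, or the comma-joined string returned by queries.
# Unknown values are rejected, which is what an enum would enforce.
def parse_legacy(permissions)
  list = permissions.is_a?(String) ? permissions.split(",") : Array(permissions)
  list = list.map { |p| p.to_s.strip.downcase }.reject(&:empty?).uniq
  unknown = list - LEGACY_PERMISSIONS
  raise ArgumentError, "unknown permission(s): #{unknown.join(', ')}" unless unknown.empty?

  list
end

# Maps legacy permissions to the new actions array.
# strict: false -> holding either create or update yields :write
# strict: true  -> :write only when both were held, matching today's
#                  requirement for creating a secret
# :widened is true when the mapping hands out :write to a principal that
# held only one of the two legacy permissions, so the grant can be reviewed.
def to_actions(permissions, strict: false)
  legacy = parse_legacy(permissions)
  held = legacy & MERGED
  grant_write = strict ? held.size == 2 : !held.empty?
  actions = ACTIONS.select do |action|
    action == :write ? grant_write : legacy.include?(action.to_s)
  end
  { actions: actions, widened: grant_write && held.size == 1 }
end

# Constructed sample inputs, not real project data.
if __FILE__ == $PROGRAM_NAME
  p to_actions("read,create,update,delete")
  p to_actions(%w[read update])
  p to_actions(%w[read update], strict: true)
end
```

Running the non-strict mapping over existing grants and listing the `widened` ones shows which principals would gain rights from the merge before the new endpoints are switched on.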
Technical Details
Referenced in:
- MR !213562 (merged) - Implement update group secrets permission mutation
- Related to #577341 (closed) - Group secrets permissions implementation
Edited by Shabini Rajadas