
Add backend changes for MVC on advanced token scopes

What does this MR do and why?

This MR is the second of a series to prepare to introduce a work in progress feature to add advanced scopes to personal access tokens.

It was recommended that I split this up in a previous draft MR here: !150045 (closed)

This is the backend part with the addition of the appropriate feature flags.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

It prepares for the following changes: [two screenshots of the upcoming UI, not included in the page text]

How to set up and validate locally

Note: You will need to merge the frontend changes from !154170 to be able to actually use the feature.

  1. In the Rails console, enable the experiment for a selected user (this enables it for the user with the given id, typically root):

    user = User.find(1)
    Feature.enable(:advanced_token_scopes, user)
  2. Visit the personal access token page while logged in as that user: http://127.0.0.1:3000/-/user_settings/personal_access_tokens

  3. Click the Add new token button.

  4. Enter an example regexp for the token in the Advanced scopes textbox, such as:

    ^GET$|^POST$ ^/api/v4/projects/9/issues$
    ^GET$ ^/api/v4/projects/9/issues/\d*$
  5. You can validate that the token only has access to what the regexp allows; for example, with the previous regex:

    curl -H "Authorization: Bearer YOUR_PAT" \
     -X GET "http://127.0.0.1:3000/api/v4/projects/9/issues"
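The steps above show the scope syntax (a method regexp, a space, a path regexp, one rule per line) but not how a request is checked against it or why the `^` and `$` anchors matter. The following is an added illustration, not GitLab's own implementation: it assumes the line format from step 4 and that a request is permitted when any line matches both the method and the path. The `unanchored` helper and the exact matching semantics are assumptions for the example.

```ruby
# Added example (not GitLab's code): evaluate "advanced scope" lines of the form
# "<method regexp> <path regexp>" against an HTTP request, and flag patterns
# that are missing anchors. The line format follows the MR description; the
# matching semantics below are assumed for illustration only.

SCOPE_LINE = /\A(\S+)\s+(\S+)\z/

# The two rules from step 4 of the MR description.
EXAMPLE_SCOPES = <<~SCOPES
  ^GET$|^POST$ ^/api/v4/projects/9/issues$
  ^GET$ ^/api/v4/projects/9/issues/\\d*$
SCOPES

# Parse scope text into [method_regexp, path_regexp] pairs; blank lines are skipped.
def parse_scopes(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    m = SCOPE_LINE.match(line)
    raise ArgumentError, "bad scope line: #{line.inspect}" unless m
    [Regexp.new(m[1]), Regexp.new(m[2])]
  end
end

# A request is permitted if at least one rule matches both its method and its path.
def permitted?(scopes, method, path)
  scopes.any? { |meth_re, path_re| meth_re.match?(method) && path_re.match?(path) }
end

# Return every pattern that is not anchored on both ends. An unanchored pattern
# matches substrings, so "/api/v4/projects/9/issues" would also allow
# "/api/v4/projects/9/issues/1/notes", which is wider than intended.
def unanchored(text)
  text.each_line.map(&:strip).reject(&:empty?).flat_map do |line|
    line.split(/\s+/).reject { |re| re.start_with?("^") && re.end_with?("$") }
  end
end

if __FILE__ == $PROGRAM_NAME
  scopes = parse_scopes(EXAMPLE_SCOPES)
  [["GET", "/api/v4/projects/9/issues"],
   ["DELETE", "/api/v4/projects/9/issues"],
   ["POST", "/api/v4/projects/9/issues/42"]].each do |method, path|
    puts "#{method} #{path}: #{permitted?(scopes, method, path) ? 'allowed' : 'denied'}"
  end
  puts "unanchored patterns: #{unanchored("GET /api/v4/projects/9/issues").inspect}"
end
```

When reviewing scopes a user has written, the anchoring check is the one worth running: a rule like `GET /api/v4/projects/9/issues` is accepted by the parser but grants more than the anchored form, since both halves match substrings. Note also that in Ruby `^` and `$` are line anchors; `\A` and `\z` are the string anchors if the path being checked could ever contain a newline.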
Edited by Félix Veillette-Potvin
