Set user_type and group_id for personal_access_tokens on model layer (!205197) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

This MR moves application logic that sets user_type and group_id for new personal_access_tokens from

app/services/personal_access_tokens/create_service.rb
app/services/personal_access_tokens/rotate_service.rb

to personal_access_tokens model layer to prevent bypassing setting those atttributes.

In #558105 (comment 2753586158) we discovered that the application does not use the service classes to create new personal_access_tokens in some cases. Also, in documentation we have lots of instructions that use personal_access_tokens model directly to create the token.

This removes some changes that were added in !201921 (merged) and contains changes from !204078 (merged).

References

Screenshots or screen recordings

Before	After

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited Sep 16, 2025 by Bogdan Denkovych

Set user_type and group_id for personal_access_tokens on model layer

What does this MR do and why?

References

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports