Destroy granular scopes with personal access tokens (!207530) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

When personal_access_tokens are destroyed, destroy personal_access_token_granular_scopes and granular_scopes too.

On personal_access_token_granular_scopes a foreign key with cascading delete exists for both granular_scopes and personal_access_tokens.

For granular_scopes no foreign keys exist to either personal_access_tokens or personal_access_token_granular_scopes, so we need to add an ActiveRecord dependent: :destroy callback to the Authz::PersonalAccessTokenGranularScope model to destroy the scopes when destroying a token. Because the callback won't be triggered unless the callback is also defined on PersonalAccessToken, we added it there too, despite a FK with cascading delete exists.

References

Issue: #566607

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited Oct 05, 2025 by Alex Buijs

Destroy granular scopes with personal access tokens

What does this MR do and why?

References

MR acceptance checklist

Merge request reports