Add granular pats decorator for wiki REST endpoints
What does this MR do and why?
Make the following endpoints granular PAT compliant:
Group endpoints
GET /groups/:id/wikis
GET /groups/:id/wikis/:slug
POST /groups/:id/wikis
PUT /groups/:id/wikis/:slug
DELETE /groups/:id/wikis/:slug
POST /groups/:id/wikis/attachments
Project endpoints
GET /projects/:id/wikis
GET /projects/:id/wikis/:slug
POST /projects/:id/wikis
PUT /projects/:id/wikis/:slug
DELETE /projects/:id/wikis/:slug
POST /projects/:id/wikis/attachments
How to set up and validate locally
- In the Rails console, create a granular PAT for a user, grant it the read_wiki permission on one project namespace, and copy a curl command that lists that project's wiki pages with the token:
# Enable feature flag
Feature.enable(:authorize_granular_pats)
user = User.first
# Create granular token
token = PersonalAccessTokens::CreateService.new(
current_user: user,
target_user: user,
organization_id: user.organization_id,
params: { expires_at: 1.month.from_now, name: 'gPAT', granular: true }
).execute[:personal_access_token]
# Pick a project the user belongs to (make sure it has a wiki page so the GET returns content)
project = user.projects.first
# Add a granular scope for the read_wiki permission, limited to this project's namespace (one scope at a time)
project_scope = Authz::GranularScope.new(namespace: project.project_namespace, permissions: [:read_wiki])
Authz::GranularScopeService.new(token).add_granular_scopes(project_scope)
# Copy a curl command for the project wiki list endpoint to the clipboard (pbcopy is macOS; use xclip/wl-copy elsewhere)
IO.popen('pbcopy', 'w') { |f| f.puts "curl http://#{Gitlab.host_with_port}/api/v4/projects/#{project.id}/wikis -X GET -H \"PRIVATE-TOKEN: #{token.token}\"" }
- Test the other endpoints listed in the description the same way. Also confirm the negative cases: the same token gets 403 on POST/PUT/DELETE (read_wiki only covers the GET endpoints), on a project whose namespace is not in the token's scopes, and on the group endpoints (a project namespace scope does not cover the group).
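The following is an added illustration, not GitLab's code: a minimal Ruby model of what "granular PAT compliant" means for the wiki routes above. Each route declares one required permission; a granular token is allowed only if it holds a scope on the exact target namespace that includes that permission. Only read_wiki appears in this MR; the write permission names (create_wiki, update_wiki, delete_wiki, upload_wiki_attachment), the "projects/42"-style namespace key, and the rule that a non-granular token skips the scope check are assumptions made for the example.

```ruby
# Added example (not GitLab code): model of the granular-PAT check for the
# wiki REST routes. Permission names other than :read_wiki, the namespace
# key format and the non-granular bypass are assumptions for illustration.

Route = Struct.new(:method, :template, :permission)

# :type is restricted to "groups" / "projects" in match_route below, so one
# template covers both the group and project variants of each endpoint.
WIKI_ROUTES = [
  Route.new('GET',    '/:type/:id/wikis',             :read_wiki),
  Route.new('GET',    '/:type/:id/wikis/:slug',       :read_wiki),
  Route.new('POST',   '/:type/:id/wikis',             :create_wiki),            # assumed name
  Route.new('PUT',    '/:type/:id/wikis/:slug',       :update_wiki),            # assumed name
  Route.new('DELETE', '/:type/:id/wikis/:slug',       :delete_wiki),            # assumed name
  Route.new('POST',   '/:type/:id/wikis/attachments', :upload_wiki_attachment), # assumed name
].freeze

GranularScope = Struct.new(:namespace, :permissions)   # namespace key, e.g. "projects/42"
GranularToken = Struct.new(:granular, :scopes)

# Resolve an HTTP method + path to a Route and its path parameters, or nil.
def match_route(method, path)
  segs = path.split('/').reject(&:empty?)
  WIKI_ROUTES.each do |route|
    next unless route.method == method
    tsegs = route.template.split('/').reject(&:empty?)
    next unless tsegs.length == segs.length
    params = {}
    matched = tsegs.zip(segs).all? do |t, s|
      if t.start_with?(':')
        params[t[1..-1]] = s
        true
      else
        t == s
      end
    end
    next unless matched && %w[groups projects].include?(params['type'])
    return [route, params]
  end
  nil
end

# Returns :allowed, :forbidden or :not_found.
def authorize(token, method, path)
  route, params = match_route(method, path)
  return :not_found unless route
  # Assumption: a classic (non-granular) PAT is not subject to the scope check.
  return :allowed unless token.granular

  target = "#{params['type']}/#{params['id']}"
  granted = token.scopes.any? do |scope|
    scope.namespace == target && scope.permissions.include?(route.permission)
  end
  granted ? :allowed : :forbidden
end

# Constructed sample token: read_wiki on project 42 only, mirroring the setup steps above.
READ_ONLY_TOKEN = GranularToken.new(true, [GranularScope.new('projects/42', [:read_wiki])])

if __FILE__ == $PROGRAM_NAME
  [
    ['GET',    '/projects/42/wikis'],        # allowed: scoped namespace + read permission
    ['GET',    '/projects/42/wikis/home'],   # allowed
    ['POST',   '/projects/42/wikis'],        # forbidden: no create permission
    ['DELETE', '/projects/42/wikis/home'],   # forbidden
    ['GET',    '/projects/7/wikis'],         # forbidden: different project namespace
    ['GET',    '/groups/42/wikis'],          # forbidden: group namespace is not the project namespace
    ['GET',    '/users/42/wikis'],           # not_found: not a wiki route
  ].each { |m, p| puts "#{m.ljust(6)} #{p.ljust(28)} -> #{authorize(READ_ONLY_TOKEN, m, p)}" }
end
```

The model makes the two properties worth testing by hand explicit: the permission is per route (a read scope never unlocks a write route), and the scope is per namespace (a project scope does not leak into another project or into the owning group).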
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #574464 (closed)
Edited by Ayush Billore