
Add granular pats decorator for jobs REST endpoints

What does this MR do and why?

Make the following endpoints granular PAT compliant:

GET /projects/:id/jobs
GET /projects/:id/jobs/:job_id
GET /projects/:id/jobs/:job_id/trace
POST /projects/:id/jobs/:job_id/cancel
POST /projects/:id/jobs/:job_id/retry
POST /projects/:id/jobs/:job_id/play
POST /projects/:id/jobs/:job_id/erase

References

#575287

How to set up and validate locally

  1. In Rails console, create a granular PAT for a user and copy a URL to create an issue with the token:

     ```ruby
     # Enable feature flag
     Feature.enable(:authorize_granular_pats)

     user = User.first

     # Create granular token
     token = PersonalAccessTokens::CreateService.new(
       current_user: user,
       target_user: user,
       organization_id: user.organization_id,
       params: { expires_at: 1.month.from_now, scopes: ['granular'], granular: true, name: 'gPAT' }
     ).execute[:personal_access_token]

     # Get a project
     project = user.projects.first

     # Grant the token only the read_job permission, scoped to this project's namespace
     project_scope = Authz::GranularScope.new(namespace: project.project_namespace, permissions: [:read_job])

     Authz::GranularScopeService.new(token).add_granular_scopes(project_scope)

     # Copy a curl command for the project's jobs endpoint to the clipboard (pbcopy is macOS-only)
     IO.popen('pbcopy', 'w') { |f| f.puts "curl http://#{Gitlab.host_with_port}/api/v4/projects/#{project.id}/jobs -X GET -H \"PRIVATE-TOKEN: #{token.token}\"" }
     ```

  2. Paste the URL in another terminal. It should succeed.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #575287

Edited by Ayush Billore
