Enable granular PATs for MR diffs

Relates to issue #583236

Changes

This MR implements granular Personal Access Token (PAT) permissions for all Merge Request Diffs REST API endpoints.

Permission Definition

  • Created new permission read_merge_request_diff in config/authz/permissions/merge_request_diff/read.yml
  • Description: "Grants the ability to read merge request diffs and versions"
  • Feature category: code_review_workflow
  • Boundary: project

API Endpoints Modified (5 total)

lib/api/merge_requests.rb (3 endpoints):

  • GET /projects/:id/merge_requests/:merge_request_iid/changes
  • GET /projects/:id/merge_requests/:merge_request_iid/diffs
  • GET /projects/:id/merge_requests/:merge_request_iid/raw_diffs

lib/api/merge_request_diffs.rb (2 endpoints):

  • GET /projects/:id/merge_requests/:merge_request_iid/versions
  • GET /projects/:id/merge_requests/:merge_request_iid/versions/:version_id

All endpoints now include authorization decorator:

route_setting :authorization, permissions: :read_merge_request_diff, boundary_type: :project

Tests Added

Added authorization tests for all 5 endpoints using the shared example pattern:

  • 3 tests in spec/requests/api/merge_requests_spec.rb
  • 2 tests in spec/requests/api/merge_request_diffs_spec.rb

All tests verify granular token permission enforcement using:

it_behaves_like 'authorizing granular token permissions', :read_merge_request_diff
Edited by Matthew MacRae-Bovell
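Added illustration, not GitLab's code: a self-contained Ruby model of how a granular PAT is checked against an endpoint's authorization route setting, covering the five endpoints listed above plus one constructed, unannotated endpoint to show the fail-closed path. The names Permission, GranularToken, LegacyToken, RouteSetting, ENDPOINTS and Authorizer, the rejection symbols, and the project id 42 are assumptions made for this example; the permission fields mirror the read.yml description in the MR.

```ruby
# Added illustration, not GitLab's implementation. All class/method names and
# the rejection symbols below are assumptions made for the example.
require 'set'

# Permission definition with the same fields the MR lists for read.yml.
Permission = Struct.new(:name, :description, :feature_category, :boundary, keyword_init: true)

PERMISSIONS = {
  read_merge_request_diff: Permission.new(
    name: :read_merge_request_diff,
    description: 'Grants the ability to read merge request diffs and versions',
    feature_category: :code_review_workflow,
    boundary: :project
  )
}.freeze

# A granular token grants an explicit permission set on one boundary object
# (e.g. project 42); a legacy token carries only coarse scopes such as :api.
GranularToken = Struct.new(:permissions, :boundary_type, :boundary_id, keyword_init: true)
LegacyToken   = Struct.new(:scopes, keyword_init: true)

# Stand-in for `route_setting :authorization, permissions: ..., boundary_type: ...`
RouteSetting = Struct.new(:permissions, :boundary_type, keyword_init: true)

# The five endpoints from the MR, each carrying the same route setting.
DIFF_ROUTE_SETTING = RouteSetting.new(permissions: :read_merge_request_diff, boundary_type: :project)
ENDPOINTS = {
  'GET /projects/:id/merge_requests/:merge_request_iid/changes'              => DIFF_ROUTE_SETTING,
  'GET /projects/:id/merge_requests/:merge_request_iid/diffs'                => DIFF_ROUTE_SETTING,
  'GET /projects/:id/merge_requests/:merge_request_iid/raw_diffs'            => DIFF_ROUTE_SETTING,
  'GET /projects/:id/merge_requests/:merge_request_iid/versions'             => DIFF_ROUTE_SETTING,
  'GET /projects/:id/merge_requests/:merge_request_iid/versions/:version_id' => DIFF_ROUTE_SETTING,
  # Constructed endpoint with no route setting, used to show the fail-closed path.
  'GET /projects/:id/merge_requests/:merge_request_iid/unannotated'          => nil
}.freeze

module Authorizer
  # Decide whether `token` may call `endpoint` on the project `project_id`.
  # Returns :ok or a symbol naming the reason for rejection.
  def self.check(token, endpoint, project_id:)
    raise ArgumentError, "unknown endpoint #{endpoint}" unless ENDPOINTS.key?(endpoint)
    setting = ENDPOINTS[endpoint]

    # Legacy (non-granular) tokens keep the old behaviour: the coarse :api scope.
    unless token.is_a?(GranularToken)
      return token.scopes.include?(:api) ? :ok : :forbidden_scope
    end

    # A granular token must never pass through an endpoint that declares no
    # permission: fail closed rather than silently granting access.
    return :endpoint_not_annotated if setting.nil?

    required = Array(setting.permissions)
    required.each do |perm|
      definition = PERMISSIONS[perm]
      return :unknown_permission if definition.nil?
      # The permission's declared boundary must match the route's boundary_type.
      return :boundary_mismatch unless definition.boundary == setting.boundary_type
    end

    # The token must be bound to the same kind of object as the route ...
    return :boundary_mismatch unless token.boundary_type == setting.boundary_type
    # ... and to the specific project named in the request path.
    return :wrong_boundary_object unless token.boundary_id == project_id

    # Finally, every required permission must actually be granted.
    missing = required.reject { |perm| token.permissions.include?(perm) }
    missing.empty? ? :ok : :forbidden_permission
  end
end

if __FILE__ == $PROGRAM_NAME
  diffs = 'GET /projects/:id/merge_requests/:merge_request_iid/diffs'
  ok_token  = GranularToken.new(permissions: Set[:read_merge_request_diff], boundary_type: :project, boundary_id: 42)
  bad_token = GranularToken.new(permissions: Set.new, boundary_type: :project, boundary_id: 42)
  puts Authorizer.check(ok_token, diffs, project_id: 42)  # => ok
  puts Authorizer.check(bad_token, diffs, project_id: 42) # => forbidden_permission
  puts Authorizer.check(ok_token, diffs, project_id: 7)   # => wrong_boundary_object
end
```

The ordering of the checks is the design point: the route setting is consulted before the token's permission set, so an endpoint that was never given a route_setting rejects granular tokens instead of falling back to the coarse legacy scope. The boundary check compares both the boundary kind (project) and the concrete project id, so a token minted for one project cannot read another project's diffs even when it holds read_merge_request_diff.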
