Skip to content

Add policy for Personal Access Tokens

Max Woolf requested to merge mw/create_pat_policies into master

What does this MR do?

Adds a policy for PersonalAccessTokens that can be used in future developments of a PAT API.

The basic premise is that users can view their own PATs, and administrators can view anybody's PATs.

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Relates to #227264 (closed)

Edited by Max Woolf

Merge request reports