Fix return value when PAT called by id through API not exists
What does this MR do and why?
This is an addendum to this MR and is intended to fix a wrong behavior. The desired behavior when requesting a Personal Access Token via ID through the API should be as follows:
(Commented by @nmalcolm here in the original MR
@mwoolf Ah that's a good point then. I'm easy TBH - as long as the user is authorized (i.e. admin) then a
404for not found is fine; they should never get a401in that case. So we'd end up with the following scenarios:
| Scenario | Non-Admin | Admin |
|---|---|---|
| Accessing their own token | 200 |
200 |
| Accessing their own expired token - expiration is irrelevant? | 200 |
200 |
| Accessing a token they don't own | 401 |
200 |
| Accessing a token that doesn't exist (e.g. a bad ID, or their own token which has been deleted) | 401 |
404 |
The current behavior and thus the bug differs in the last listed point.
| Scenario | Non-Admin | Admin |
|---|---|---|
| Accessing a token that doesn't exist (e.g. a bad ID, or their own token which has been deleted) | 401 |
401 |
This MR fixes the wrong behavior.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Andreas Deicha