
Allow tokens with any scope to use the self-revocation API

What does this MR do and why?

Closes #369103 (closed)

Currently a personal access token can revoke itself through the /api/v4/personal_access_tokens/self endpoint only if it has the api scope. With this change, a token can revoke itself regardless of its scopes, so a token that does not have the api scope can also be self-revoked.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

  1. Create a personal access token without the api scope

  2. Self-revoke the token using the /api/v4/personal_access_tokens/self API endpoint, e.g.

    curl -X DELETE --header "private-token: $PRIVATE_TOKEN" http://localhost:3000/api/v4/personal_access_tokens/self
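The two validation steps above, turned into a script that a reviewer can run against a local instance and that also runs offline against a stand-in. This is an added example, not code from the merge request or from GitLab. It assumes (none of this is on the page) that the instance is reachable at GITLAB_URL, that ADMIN_TOKEN holds an administrator token allowed to create tokens for USER_ID via POST /api/v4/users/:user_id/personal_access_tokens, that the self endpoint answers 204, and that a revoked token gets 401 from GET /api/v4/user. Revoking a leaked read-only token promptly is exactly the case the change enables, so the script checks not only that the revocation call succeeds but that the token really stops working afterwards.

```python
"""Validate that a PAT without the `api` scope can revoke itself.

Added example, not part of the merge request.  Assumptions (placeholders, not from
the MR page): GITLAB_URL, ADMIN_TOKEN, USER_ID come from the environment; token
creation uses POST /users/:user_id/personal_access_tokens (admin only); a revoked
token gets 401 from GET /user.  The HTTP transport is injectable so the flow can be
exercised offline with the FakeGitLab stand-in below.
"""
import json
import os
import urllib.error
import urllib.request

BASE_URL = os.environ.get("GITLAB_URL", "http://localhost:3000")
ADMIN_TOKEN = os.environ.get("ADMIN_TOKEN", "")   # placeholder: an admin PAT from your environment
USER_ID = int(os.environ.get("USER_ID", "1"))     # placeholder: user the test token is created for


def http(method, path, token, body=None):
    """Real transport: send one JSON request, return (status, parsed body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        BASE_URL + "/api/v4" + path, data=data, method=method,
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def validate_self_revocation(send=http, scope="read_user"):
    """Create a PAT with a non-api scope, self-revoke it, confirm it is dead.

    Returns the observed status codes so a caller or test can assert on them.
    Expected on an instance carrying the change: create 201, revoke 204, reuse 401.
    """
    status, created = send(
        "POST", f"/users/{USER_ID}/personal_access_tokens", ADMIN_TOKEN,
        {"name": "self-revoke-check", "scopes": [scope]},
    )
    if status != 201 or not created or "token" not in created:
        raise RuntimeError(f"token creation failed: HTTP {status}")
    pat = created["token"]

    # The endpoint under test: the token revokes itself even without the api scope.
    revoke_status, _ = send("DELETE", "/personal_access_tokens/self", pat)
    # A revoked token must no longer authenticate anywhere.
    reuse_status, _ = send("GET", "/user", pat)
    return {
        "create": status, "revoke": revoke_status, "reuse": reuse_status,
        "ok": revoke_status == 204 and reuse_status == 401,
    }


class FakeGitLab:
    """Offline stand-in for the three calls above, modelling the changed behaviour
    (constructed for this example; not GitLab code)."""

    def __init__(self):
        self.tokens = {}   # token value -> {"scopes": [...], "revoked": bool}

    def __call__(self, method, path, token, body=None):
        if method == "POST" and path.endswith("/personal_access_tokens"):
            value = f"glpat-fake-{len(self.tokens)}"   # constructed token value
            self.tokens[value] = {"scopes": body["scopes"], "revoked": False}
            return 201, {"token": value, "scopes": body["scopes"]}
        rec = self.tokens.get(token)
        if rec is None or rec["revoked"]:
            return 401, None
        if method == "DELETE" and path == "/personal_access_tokens/self":
            rec["revoked"] = True   # any scope may self-revoke after the change
            return 204, None
        if method == "GET" and path == "/user":
            return 200, {"id": USER_ID}
        return 404, None


if __name__ == "__main__":
    # Runs against the real instance named by the environment variables.
    print(validate_self_revocation())
```

Run it with `GITLAB_URL`, `ADMIN_TOKEN` and `USER_ID` set to exercise a real instance; `validate_self_revocation(send=FakeGitLab())` exercises the same flow offline. The third request is the important one: a 204 from the self endpoint proves little on its own, the 401 on reuse is what shows the credential is actually dead.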

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Implements #369103 (closed)

Edited by Hannah Sutor
