Allow tokens with any scope to use the self-revocation API
What does this MR do and why?
Closes #369103 (closed)
Personal access tokens can be self-revoked by using the /api/v4/personal_access_tokens/self endpoint only if the token has the api scope.
With this change, the token can also be self-revoked if the token does not have the api scope.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
- Create a personal access token without the api scope
- Self-revoke the token using the /api/v4/personal_access_tokens/self API endpoint, e.g. curl -X DELETE --header "private-token: $PRIVATE_TOKEN" http://localhost:3000/api/v4/personal_access_tokens/self
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Implements #369103 (closed)
Edited by Hannah Sutor
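A scripted version of the validation steps above, added here as an example and not part of the merge request: it self-revokes a token and then confirms the token no longer authenticates. The function names, the GITLAB_URL variable, the use of /api/v4/user as a probe, and the expected 204 and 401 status codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the MR). Defaults to the local instance used above.
GITLAB_URL="${GITLAB_URL:-http://localhost:3000}"

# http_status METHOD API_PATH TOKEN: print only the HTTP status code.
# The header is fed to curl via --config on stdin so the token never
# appears in curl's argument list (visible to other local users via ps).
http_status() {
    printf 'header = "private-token: %s"\n' "$3" |
        curl --config - --silent --output /dev/null \
             --write-out '%{http_code}' --request "$1" \
             "$GITLAB_URL/api/v4/$2"
}

# self_revoke_and_verify TOKEN
# Returns: 0  revoked, and the token no longer authenticates
#          1  revocation request was not accepted
#          2  server reported success but the token still authenticates
#          64 no token supplied
self_revoke_and_verify() {
    token="$1"
    [ -n "$token" ] || { echo "usage: self_revoke_and_verify TOKEN" >&2; return 64; }

    # Assumption: a successful self-revocation answers 204 No Content.
    status=$(http_status DELETE personal_access_tokens/self "$token") || status=000
    if [ "$status" != "204" ]; then
        echo "revocation refused or failed (HTTP $status)" >&2
        return 1
    fi

    # Assumption: a revoked token gets 401 on any authenticated endpoint;
    # /user is used as the probe. A live token without a matching scope
    # would get 403 here instead, which must not be read as "revoked".
    after=$(http_status GET user "$token") || after=000
    if [ "$after" = "401" ]; then
        echo "token revoked and rejected (HTTP 401)"
        return 0
    fi
    echo "token still accepted after revocation (HTTP $after)" >&2
    return 2
}
```

Source the file and call self_revoke_and_verify "$PRIVATE_TOKEN" with a token created without the api scope; exit status 1 on a build without this change and 0 with it is the behaviour the MR describes.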