Custom attributes: Review authorization checks across REST API endpoints
## Summary

The custom attributes REST API endpoints in [`lib/api/custom_attributes_endpoints.rb`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/api/custom_attributes_endpoints.rb) have authorization checks at multiple layers:

1. `route_setting :authorization` (declarative route-level)
2. `authorize!` (imperative Grape endpoint-level)
3. Service-level checks in `CustomAttributes::UpsertService` and `CustomAttributes::DestroyService`

These should be reviewed for consistency across all endpoints (GET, PUT, DELETE) for all attributable types (users, projects, groups).

### Known inconsistency

The `DELETE /:id/custom_attributes/:key` endpoint has a permission mismatch:

- `route_setting` declares `:delete_custom_attribute` ([line 101](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/api/custom_attributes_endpoints.rb#L101))
- `authorize!` checks `:update_custom_attribute` ([line 105](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/api/custom_attributes_endpoints.rb#L105))

These should be consistent.

## Context

Found during review of !217699 by @vwolanyk. The inconsistency predates that MR.
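One way to check the first two layers against each other mechanically, shown on the DELETE mismatch described under "Known inconsistency". This is an added example, not code from the GitLab repository: `SAMPLE` is a constructed snippet, the `permissions:` keyword form of `route_setting` is an assumption, and `permission_mismatches` is a hypothetical helper. Service-level checks are not covered.

```ruby
# Constructed sample shaped like a Grape endpoint file. It is NOT the content
# of lib/api/custom_attributes_endpoints.rb; the `permissions:` keyword form
# of route_setting is an assumption made for this example.
SAMPLE = <<~'SRC'
  route_setting :authorization, permissions: :read_custom_attribute
  get ':id/custom_attributes/:key' do
    authorize! :read_custom_attribute
  end

  route_setting :authorization, permissions: :update_custom_attribute
  put ':id/custom_attributes/:key' do
    authorize! :update_custom_attribute
  end

  route_setting :authorization, permissions: :delete_custom_attribute
  delete ':id/custom_attributes/:key' do
    authorize! :update_custom_attribute
  end
SRC

ROUTE_SETTING = /^\s*route_setting\s+:authorization\b.*?\bpermissions:\s*:(\w+)/
VERB          = /^\s*(get|post|put|patch|delete)\s+['"]([^'"]+)['"]/
AUTHORIZE     = /^\s*authorize!\s*\(?\s*:(\w+)/

# Hypothetical helper: pairs the permission declared by route_setting with the
# one the following route's authorize! call enforces, and returns every
# disagreement (including authorize! with no declaration, where declared is nil).
def permission_mismatches(source)
  findings = []
  declared = nil
  route = nil
  source.each_line.with_index(1) do |line, lineno|
    if (m = ROUTE_SETTING.match(line))
      declared = m[1]                       # applies to the next route only
    elsif (m = VERB.match(line))
      route = { name: "#{m[1].upcase} #{m[2]}", declared: declared }
      declared = nil
    elsif route && (m = AUTHORIZE.match(line)) && route[:declared] != m[1]
      findings << { route: route[:name], line: lineno,
                    declared: route[:declared], enforced: m[1] }
    end
  end
  findings
end

permission_mismatches(SAMPLE).each do |f|
  puts "#{f[:route]} (line #{f[:line]}): declares :#{f[:declared]}, enforces :#{f[:enforced]}"
end
```
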