diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-18 19:00:14 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-18 19:00:14 +0000 |
commit | 05f0ebba3a2c8ddf39e436f412dc2ab5bf1353b2 (patch) | |
tree | 11d0f2a6ec31c7793c184106cedc2ded3d9a2cc5 /app/models/personal_access_token.rb | |
parent | ec73467c23693d0db63a797d10194da9e72a74af (diff) | |
download | gitlab-ce-05f0ebba3a2c8ddf39e436f412dc2ab5bf1353b2.tar.gz |
Add latest changes from gitlab-org/gitlab@15-8-stable-eev15.8.0-rc42
Diffstat (limited to 'app/models/personal_access_token.rb')
-rw-r--r-- | app/models/personal_access_token.rb | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/app/models/personal_access_token.rb b/app/models/personal_access_token.rb index 887ef36cc17..0da205f86a5 100644 --- a/app/models/personal_access_token.rb +++ b/app/models/personal_access_token.rb @@ -21,6 +21,11 @@ class PersonalAccessToken < ApplicationRecord after_initialize :set_default_scopes, if: :persisted? before_save :ensure_token + # During the implementation of Admin Mode for API, tokens of + # administrators should automatically get the `admin_mode` scope as well + # See https://gitlab.com/gitlab-org/gitlab/-/issues/42692 + before_create :add_admin_mode_scope, if: :user_admin? + scope :active, -> { not_revoked.not_expired } scope :expiring_and_not_notified, ->(date) { where(["revoked = false AND expire_notification_delivered = false AND expires_at >= CURRENT_DATE AND expires_at <= ?", date]) } scope :expired_today_and_not_notified, -> { where(["revoked = false AND expires_at = CURRENT_DATE AND after_expiry_notification_delivered = false"]) } @@ -79,7 +84,12 @@ class PersonalAccessToken < ApplicationRecord protected def validate_scopes - unless revoked || scopes.all? { |scope| Gitlab::Auth.all_available_scopes.include?(scope.to_sym) } + # During the implementation of Admin Mode for API, + # the `admin_mode` scope is not yet part of `all_available_scopes` but still valid. + # See https://gitlab.com/gitlab-org/gitlab/-/issues/42692 + valid_scopes = Gitlab::Auth.all_available_scopes + [Gitlab::Auth::ADMIN_MODE_SCOPE] + + unless revoked || scopes.all? { |scope| valid_scopes.include?(scope.to_sym) } errors.add :scopes, "can only contain available scopes" end end @@ -91,6 +101,14 @@ class PersonalAccessToken < ApplicationRecord self.scopes = Gitlab::Auth::DEFAULT_SCOPES if self.scopes.empty? end + + def user_admin? + user.admin? # rubocop: disable Cop/UserAdmin + end + + def add_admin_mode_scope + self.scopes += [Gitlab::Auth::ADMIN_MODE_SCOPE.to_s] + end end PersonalAccessToken.prepend_mod_with('PersonalAccessToken') |