authorGitLab Bot <gitlab-bot@gitlab.com>2020-02-28 12:09:05 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-02-28 12:09:05 +0000
commit5426ca9908085087d465fa52800335f408eb965a (patch)
tree6b442cff02fda9402fc7bb9cf9986e363dd5aaa6 /lib/api
parent67cdfd2683b89bce260600fa8925eefdcdf9e3e5 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/api')
-rw-r--r--lib/api/deploy_tokens.rb22
-rw-r--r--lib/api/entities/deploy_token.rb3
2 files changed, 22 insertions, 3 deletions
diff --git a/lib/api/deploy_tokens.rb b/lib/api/deploy_tokens.rb
index bf82c63260d..3224157ca05 100644
--- a/lib/api/deploy_tokens.rb
+++ b/lib/api/deploy_tokens.rb
@@ -4,8 +4,6 @@ module API
class DeployTokens < Grape::API
include PaginationParams
- before { authenticated_as_admin! }
-
desc 'Return all deploy tokens' do
detail 'This feature was introduced in GitLab 12.9.'
success Entities::DeployToken
@@ -14,7 +12,27 @@ module API
use :pagination
end
get 'deploy_tokens' do
+ authenticated_as_admin!
+
present paginate(DeployToken.all), with: Entities::DeployToken
end
+
+ params do
+ requires :id, type: Integer, desc: 'The ID of a project'
+ end
+ resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
+ params do
+ use :pagination
+ end
+ desc 'List deploy tokens for a project' do
+ detail 'This feature was introduced in GitLab 12.9'
+ success Entities::DeployToken
+ end
+ get ':id/deploy_tokens' do
+ authorize!(:read_deploy_token, user_project)
+
+ present paginate(user_project.deploy_tokens), with: Entities::DeployToken
+ end
+ end
end
end
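Review bot: With the class-level `before { authenticated_as_admin! }` removed in the first hunk, authorization in this class becomes opt-in per route, so a route added later without its own check would have no authorization guard in this file. Both routes here do guard themselves (`authenticated_as_admin!` in `get 'deploy_tokens'`, `authorize!(:read_deploy_token, user_project)` in `get ':id/deploy_tokens'`), but nothing in the file states that this is now required. I would add a comment at the top of the class, such as `# No class-level auth filter: every route must call authenticated_as_admin! or authorize! itself.`, and cover both routes with request specs for an unauthorized caller. Separately, `requires :id, type: Integer` sits under `API::NAMESPACE_OR_PROJECT_REQUIREMENTS`, which suggests path-style project identifiers may be expected; if so, `type: String` would be the consistent choice, which is worth confirming against the other project resources. The class body and the first route's `params` block start above this hunk.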
diff --git a/lib/api/entities/deploy_token.rb b/lib/api/entities/deploy_token.rb
index cac6846a845..9c5bf54e299 100644
--- a/lib/api/entities/deploy_token.rb
+++ b/lib/api/entities/deploy_token.rb
@@ -3,7 +3,8 @@
module API
module Entities
class DeployToken < Grape::Entity
- expose :id, :name, :username, :expires_at, :token, :scopes
+ # exposing :token is a security risk and should be avoided
+ expose :id, :name, :username, :expires_at, :scopes
end
end
end
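Review bot: The new comment above `expose` says that exposing `:token` is a risk but not why, and this entity now backs the project-level list route as well as the admin one. I would spell the reason out, e.g. `# :token is the credential itself; never add it to this entity, which is used for list responses.` A request spec asserting that neither list response contains a `token` key would stop the field from being re-added unnoticed. Since the removed line shows `:token` was serialized before this change, it may also be worth checking whether earlier responses were captured in logs or caches.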