summaryrefslogtreecommitdiff
path: root/app/models/personal_access_token.rb
diff options
context:
space:
mode:
Diffstat (limited to 'app/models/personal_access_token.rb')
-rw-r--r--app/models/personal_access_token.rb20
1 files changed, 19 insertions, 1 deletions
diff --git a/app/models/personal_access_token.rb b/app/models/personal_access_token.rb
index 887ef36cc17..0da205f86a5 100644
--- a/app/models/personal_access_token.rb
+++ b/app/models/personal_access_token.rb
@@ -21,6 +21,11 @@ class PersonalAccessToken < ApplicationRecord
after_initialize :set_default_scopes, if: :persisted?
before_save :ensure_token
+ # During the implementation of Admin Mode for API, tokens of
+ # administrators should automatically get the `admin_mode` scope as well
+ # See https://gitlab.com/gitlab-org/gitlab/-/issues/42692
+ before_create :add_admin_mode_scope, if: :user_admin?
+
scope :active, -> { not_revoked.not_expired }
scope :expiring_and_not_notified, ->(date) { where(["revoked = false AND expire_notification_delivered = false AND expires_at >= CURRENT_DATE AND expires_at <= ?", date]) }
scope :expired_today_and_not_notified, -> { where(["revoked = false AND expires_at = CURRENT_DATE AND after_expiry_notification_delivered = false"]) }
@@ -79,7 +84,12 @@ class PersonalAccessToken < ApplicationRecord
protected
def validate_scopes
- unless revoked || scopes.all? { |scope| Gitlab::Auth.all_available_scopes.include?(scope.to_sym) }
+ # During the implementation of Admin Mode for API,
+ # the `admin_mode` scope is not yet part of `all_available_scopes` but still valid.
+ # See https://gitlab.com/gitlab-org/gitlab/-/issues/42692
+ valid_scopes = Gitlab::Auth.all_available_scopes + [Gitlab::Auth::ADMIN_MODE_SCOPE]
+
+ unless revoked || scopes.all? { |scope| valid_scopes.include?(scope.to_sym) }
errors.add :scopes, "can only contain available scopes"
end
end
@@ -91,6 +101,14 @@ class PersonalAccessToken < ApplicationRecord
self.scopes = Gitlab::Auth::DEFAULT_SCOPES if self.scopes.empty?
end
+
+ def user_admin?
+ user.admin? # rubocop: disable Cop/UserAdmin
+ end
+
+ def add_admin_mode_scope
+ self.scopes += [Gitlab::Auth::ADMIN_MODE_SCOPE.to_s]
+ end
end
PersonalAccessToken.prepend_mod_with('PersonalAccessToken')
View Lorry Controller Status