diff options
Diffstat (limited to 'app/models/personal_access_token.rb')
-rw-r--r-- | app/models/personal_access_token.rb | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/app/models/personal_access_token.rb b/app/models/personal_access_token.rb index 887ef36cc17..0da205f86a5 100644 --- a/app/models/personal_access_token.rb +++ b/app/models/personal_access_token.rb @@ -21,6 +21,11 @@ class PersonalAccessToken < ApplicationRecord after_initialize :set_default_scopes, if: :persisted? before_save :ensure_token + # During the implementation of Admin Mode for API, tokens of + # administrators should automatically get the `admin_mode` scope as well + # See https://gitlab.com/gitlab-org/gitlab/-/issues/42692 + before_create :add_admin_mode_scope, if: :user_admin? + scope :active, -> { not_revoked.not_expired } scope :expiring_and_not_notified, ->(date) { where(["revoked = false AND expire_notification_delivered = false AND expires_at >= CURRENT_DATE AND expires_at <= ?", date]) } scope :expired_today_and_not_notified, -> { where(["revoked = false AND expires_at = CURRENT_DATE AND after_expiry_notification_delivered = false"]) } @@ -79,7 +84,12 @@ class PersonalAccessToken < ApplicationRecord protected def validate_scopes - unless revoked || scopes.all? { |scope| Gitlab::Auth.all_available_scopes.include?(scope.to_sym) } + # During the implementation of Admin Mode for API, + # the `admin_mode` scope is not yet part of `all_available_scopes` but still valid. + # See https://gitlab.com/gitlab-org/gitlab/-/issues/42692 + valid_scopes = Gitlab::Auth.all_available_scopes + [Gitlab::Auth::ADMIN_MODE_SCOPE] + + unless revoked || scopes.all? { |scope| valid_scopes.include?(scope.to_sym) } errors.add :scopes, "can only contain available scopes" end end @@ -91,6 +101,14 @@ class PersonalAccessToken < ApplicationRecord self.scopes = Gitlab::Auth::DEFAULT_SCOPES if self.scopes.empty? end + + def user_admin? + user.admin? # rubocop: disable Cop/UserAdmin + end + + def add_admin_mode_scope + self.scopes += [Gitlab::Auth::ADMIN_MODE_SCOPE.to_s] + end end PersonalAccessToken.prepend_mod_with('PersonalAccessToken') |