Diffstat (limited to 'lib/gitlab/auth/auth_finders.rb')
-rw-r--r--lib/gitlab/auth/auth_finders.rb18
1 files changed, 11 insertions, 7 deletions
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index caa881eeeab..4c6254c9e69 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -92,10 +92,10 @@ module Gitlab
# We only allow Private Access Tokens with `api` scope to be used by web
# requests on RSS feeds or ICS files for backwards compatibility.
# It is also used by GraphQL/API requests.
- def find_user_from_web_access_token(request_format)
+ def find_user_from_web_access_token(request_format, scopes: [:api])
return unless access_token && valid_web_access_format?(request_format)
- validate_access_token!(scopes: [:api])
+ validate_access_token!(scopes: scopes)
::PersonalAccessTokens::LastUsedService.new(access_token).execute
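Review bot: The comment above `find_user_from_web_access_token` still states that only Personal Access Tokens with the `api` scope are accepted, but the new `scopes:` keyword lets a caller pass any scope list, so the comment no longer describes the method's contract. I would reword it along the lines of `# By default only tokens carrying the `api` scope are accepted (web requests on RSS/ICS feeds, GraphQL/API); callers may pass a different list via scopes:`. Because this path also authenticates web requests, any future call site that widens the default beyond `[:api]` would let lower-privileged tokens reach endpoints that previously required `api`, which is worth calling out in that comment so reviewers check new callers. The method body appears to continue past the end of the hunk.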
@@ -194,11 +194,15 @@ module Gitlab
def access_token
strong_memoize(:access_token) do
- # The token can be a PAT or an OAuth (doorkeeper) token
- # It is also possible that a PAT is encapsulated in a `Bearer` OAuth token
- # (e.g. NPM client registry auth), this case will be properly handled
- # by find_personal_access_token
- find_oauth_access_token || find_personal_access_token
+ if try(:namespace_inheritable, :authentication)
+ access_token_from_namespace_inheritable
+ else
+ # The token can be a PAT or an OAuth (doorkeeper) token
+ # It is also possible that a PAT is encapsulated in a `Bearer` OAuth token
+ # (e.g. NPM client registry auth), this case will be properly handled
+ # by find_personal_access_token
+ find_oauth_access_token || find_personal_access_token
+ end
end
end
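Review bot: When `try(:namespace_inheritable, :authentication)` is truthy, the new branch returns whatever `access_token_from_namespace_inheritable` yields and never falls back to `find_oauth_access_token || find_personal_access_token`, yet nothing in the hunk records that this exclusivity is intentional; a later edit could add a fallback and quietly widen the token sources accepted for those namespaces. I would add a comment on the `if` line such as `# Endpoints that declare an :authentication namespace setting accept only the token sources that setting permits; there is deliberately no fallback to the generic OAuth/PAT lookup.` (assuming that is the intent, since `access_token_from_namespace_inheritable` is defined outside this hunk). `try` also hides the case where `namespace_inheritable` is not available on the including class and silently routes to the legacy lookup; if that mixin is required, `respond_to?(:namespace_inheritable)` with an explicit branch would make the dependency visible rather than swallowing it.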