Diffstat (limited to 'lib/gitlab/auth/auth_finders.rb')
-rw-r--r-- | lib/gitlab/auth/auth_finders.rb | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index caa881eeeab..4c6254c9e69 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -92,10 +92,10 @@ module Gitlab
 # We only allow Private Access Tokens with `api` scope to be used by web
 # requests on RSS feeds or ICS files for backwards compatibility.
 # It is also used by GraphQL/API requests.
- def find_user_from_web_access_token(request_format)
+ def find_user_from_web_access_token(request_format, scopes: [:api])
 return unless access_token && valid_web_access_format?(request_format)
- validate_access_token!(scopes: [:api])
+ validate_access_token!(scopes: scopes)
 ::PersonalAccessTokens::LastUsedService.new(access_token).execute
@@ -194,11 +194,15 @@ module Gitlab
 def access_token
 strong_memoize(:access_token) do
- # The token can be a PAT or an OAuth (doorkeeper) token
- # It is also possible that a PAT is encapsulated in a `Bearer` OAuth token
- # (e.g. NPM client registry auth), this case will be properly handled
- # by find_personal_access_token
- find_oauth_access_token || find_personal_access_token
+ if try(:namespace_inheritable, :authentication)
+ access_token_from_namespace_inheritable
+ else
+ # The token can be a PAT or an OAuth (doorkeeper) token
+ # It is also possible that a PAT is encapsulated in a `Bearer` OAuth token
+ # (e.g. NPM client registry auth), this case will be properly handled
+ # by find_personal_access_token
+ find_oauth_access_token || find_personal_access_token
+ end
 end
 end
 end
 |
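Review bot: The comment above `find_user_from_web_access_token` still says only tokens with the `api` scope are allowed, but the new `scopes:` keyword lets each caller choose the scopes that `validate_access_token!` enforces, so the comment is now stale. I would replace its first sentence with `# By default only tokens carrying the `api` scope are accepted; callers may pass `scopes:` to override this and should keep the list as narrow as their endpoint needs.` Since this scope check is what separates a read-only token from this code path, the comment should also say what an empty `scopes` array means — whether it disables the check depends on `validate_access_token!`, which is outside this hunk and not reviewed here. The method's body continues past the end of the hunk.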
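Review bot: The new `if try(:namespace_inheritable, :authentication)` branch in `access_token` has no comment, while the comment that was moved into the `else` branch explains only the fallback, so a reader cannot tell from here when the first branch is taken or what `namespace_inheritable` refers to. `try` also returns nil when the receiver does not respond to `namespace_inheritable`, so any context lacking that method silently takes the header/param lookup — presumably intended for non-Grape callers, but it should be stated. I would add above the `if`: `# Endpoints that declare `namespace_inheritable :authentication` (presumably the Grape DSL) select their own token source; elsewhere `try` returns nil and the default header/param lookup applies.` `access_token_from_namespace_inheritable` is defined outside this hunk, so its contract is not reviewed here.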