From 56a61b24575775bb91c019f8886e9f45a05bfb62 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 5 Dec 2022 09:08:32 +0000
Subject: Add latest changes from gitlab-org/gitlab@15-5-stable-ee
---
 app/services/resource_access_tokens/create_service.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/app/services/resource_access_tokens/create_service.rb b/app/services/resource_access_tokens/create_service.rb
index b8a210c0a95..c6948536053 100644
--- a/app/services/resource_access_tokens/create_service.rb
+++ b/app/services/resource_access_tokens/create_service.rb
@@ -13,6 +13,7 @@ module ResourceAccessTokens
 return error("User does not have permission to create #{resource_type} access token") unless has_permission_to_create?
 access_level = params[:access_level] || Gitlab::Access::MAINTAINER
+ return error("Could not provision owner access to project access token") if do_not_allow_owner_access_level_for_project_bot?(access_level)
 user = create_user
@@ -107,7 +108,7 @@ module ResourceAccessTokens
 end
 def create_membership(resource, user, access_level)
- resource.add_member(user, access_level, current_user: current_user, expires_at: params[:expires_at])
+ resource.add_member(user, access_level, expires_at: params[:expires_at])
 end
 def log_event(token)
@@ -121,6 +122,12 @@ module ResourceAccessTokens
 def success(access_token)
 ServiceResponse.success(payload: { access_token: access_token })
 end
+
+ def do_not_allow_owner_access_level_for_project_bot?(access_level)
+ resource.is_a?(Project) &&
+ access_level == Gitlab::Access::OWNER &&
+ !current_user.can?(:manage_owners, resource)
+ end
 end
 end
--
cgit v1.2.1
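Review bot: The owner-level guard added to `execute` has no spec in this commit; the diffstat lists only `create_service.rb`, so nothing pins the rejection path. Because this is an authorization check, it deserves cases for a user without `:manage_owners` requesting `Gitlab::Access::OWNER` on a project (error returned, and no bot user left behind since the guard runs before `create_user`), for a user with `:manage_owners` requesting the same level, and for a group resource. A short comment above the guard would also record the intent, e.g. `# A creator who cannot manage owners must not obtain OWNER through a project bot.` The body of `execute` starts and ends outside the hunk.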
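Review bot: With `current_user:` dropped from the `add_member` call in `create_membership`, the requested `access_level` is no longer tied to the acting user at the point where the membership is written. Presumably any check `add_member` made on that user's behalf no longer runs, though `add_member` is not visible here. The only replacement in this diff is the guard in `execute`, which covers `Project` resources and the `OWNER` level only, so the group path and any other unexpected level rely on code outside the diff, such as `has_permission_to_create?`. I would state the contract on the method, e.g. `# access_level is authorized in #execute; add_member is called without current_user here.`, and confirm that the group case is covered.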
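Review bot: The comparison `access_level == Gitlab::Access::OWNER` in `do_not_allow_owner_access_level_for_project_bot?` is type-sensitive, and `access_level` is taken from `params[:access_level]` in `execute` without conversion. If that parameter can reach the service as a String (for example straight from request parameters) and is only coerced to an integer when the membership is saved, the guard evaluates to false and the owner level goes through. Neither the caller nor `add_member` is visible in this diff, so this needs confirming. Normalizing at the comparison closes the gap: `access_level.to_i == Gitlab::Access::OWNER &&`. A spec that passes the level as a string would pin the behaviour.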