Assign PATs to emails and not to accounts
I was recently able to push commits to a private repo from an email id that wasn't given access to that repo.
Consider the following sequence of events -
- I open a GitLab account with email - a@email.com (my primary email)
- I add a secondary email - b@email.com
- A private repository "Private Repo A" provides access to me on my primary email id - a@email.com
- I create a PAT for my laptop.
Now, I open my IDE (Android Studio in my case) and clone "Private Repo A". On being prompted for my password, I pass my PAT and the cloning proceeds without an issue.
Here is the problem -
Now, when I commit and then try to push by editing my email, the repo will accept not just a@email.com (which was actually granted access) but even b@email.com. This is because it only checks whether my PAT is valid and not whether the commit email was even granted access in the first place.
The solution seems simple - each PAT (Personal Access Token) should be scoped to an email id (which could be primary or any of the secondary email ids) and not to the account itself. This prevents other emails from accidentally pushing commits to the repo. Unless I am missing something obvious, or my conceptual understanding of PATs is different from what they actually are, I feel this is a huge security flaw.
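As an added illustration (not GitLab's code), the following model contrasts the two server-side behaviours the report describes: a push accepted on token validity alone, versus a push where each commit's author email must belong to the authenticated account and be one of the emails granted access to the repository. The account, token and repository data are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    username: str
    emails: Set[str]  # primary plus any verified secondary emails


@dataclass
class Commit:
    sha: str
    author_email: str  # taken from the commit header; fully client-controlled


# Constructed sample data mirroring the report: one account, two emails, one PAT.
ACCOUNTS = {"alice": Account("alice", {"a@email.com", "b@email.com"})}
PAT_STORE: Dict[str, str] = {"glpat-EXAMPLE-TOKEN": "alice"}  # placeholder token -> username
REPO_GRANTED_EMAILS = {"a@email.com"}  # only this email was given access to "Private Repo A"


def authenticate(token: str) -> Optional[Account]:
    """Token check only: a valid PAT identifies the account, nothing more."""
    username = PAT_STORE.get(token)
    return ACCOUNTS.get(username) if username else None


def push_token_only(token: str, commits: List[Commit]) -> List[Commit]:
    """Behaviour described in the report: every commit is accepted once the PAT is valid."""
    if authenticate(token) is None:
        return []
    return commits


def push_email_bound(token: str, commits: List[Commit]) -> List[Commit]:
    """Proposed rule: accept a commit only if its author email belongs to the
    authenticated account AND that email was granted access to the repository."""
    account = authenticate(token)
    if account is None:
        return []
    allowed = account.emails & REPO_GRANTED_EMAILS
    return [c for c in commits if c.author_email in allowed]


# Constructed push: one commit per email the report mentions, plus an unrelated one.
COMMITS = [Commit("c1", "a@email.com"), Commit("c2", "b@email.com"), Commit("c3", "stranger@example.org")]

if __name__ == "__main__":
    for name, fn in (("token-only", push_token_only), ("email-bound", push_email_bound)):
        print(name, "accepts", [c.sha for c in fn("glpat-EXAMPLE-TOKEN", COMMITS)])
```

The commit author field is written by the client, so only a server-side rule like `push_email_bound` can tie it to the identity the token proved.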