feat: Enable granular PAT permissions for Protected Tags API
Relates to issue #583242
Summary
This MR implements granular Personal Access Token (PAT) permissions for the Protected Tags REST API endpoints, enabling fine-grained access control for protected tag operations.
Changes
Permission Definitions (3 new permissions)
- read_protected_tag - Grants the ability to read protected tags via API
- create_protected_tag - Grants the ability to create protected tags via API
- delete_protected_tag - Grants the ability to delete protected tags via API
Files Created (6 YAML configuration files)
Permission Definitions:
1. config/authz/permissions/protected_tag/read.yml
2. config/authz/permissions/protected_tag/create.yml
3. config/authz/permissions/protected_tag/delete.yml
Assignable Permission Groups:
4. config/authz/permission_groups/assignable_permissions/repositories/protected_tag/read.yml
5. config/authz/permission_groups/assignable_permissions/repositories/protected_tag/create.yml
6. config/authz/permission_groups/assignable_permissions/repositories/protected_tag/delete.yml
Files Modified (2 files)
API Implementation:
- lib/api/protected_tags.rb - Added route_setting :authorization decorators to all 4 endpoints:
  - GET /projects/:id/protected_tags → requires read_protected_tag
  - GET /projects/:id/protected_tags/:name → requires read_protected_tag
  - POST /projects/:id/protected_tags → requires create_protected_tag
  - DELETE /projects/:id/protected_tags/:name → requires delete_protected_tag
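To make the per-route permission mapping above concrete, here is an added, self-contained Ruby sketch (not GitLab's code and not the actual route_setting API) of how a route-level authorization setting can gate each of the four protected-tag endpoints by the permissions carried on a PAT. The MiniApi class, the permissions: key and the path-matching helper are assumptions made for illustration; the behaviour shown is fail-closed: a route with no authorization setting, or a request that matches no route, is denied.

```ruby
require 'set'

# One declared endpoint: HTTP verb, path pattern with :segments, and the
# settings that were pending when it was declared.
class Route
  attr_reader :verb, :pattern, :settings

  def initialize(verb, pattern, settings)
    @verb, @pattern, @settings = verb, pattern, settings
  end

  # "/projects/42/protected_tags/v1.0" matches "/projects/:id/protected_tags/:name".
  # (Hypothetical matcher; tag names containing "/" would need a smarter pattern.)
  def match?(verb, path)
    return false unless verb == @verb
    ps, xs = @pattern.split('/'), path.split('/')
    ps.size == xs.size && ps.zip(xs).all? { |p, x| p.start_with?(':') || p == x }
  end
end

class MiniApi
  attr_reader :routes

  def initialize
    @routes = []
    @pending = {}
  end

  # Mirrors the decorator pattern from the MR: the setting applies to the
  # next endpoint declared, then is cleared.
  def route_setting(key, value)
    @pending[key] = value
  end

  %w[get post delete].each do |verb|
    define_method(verb) do |pattern|
      @routes << Route.new(verb.upcase, pattern, @pending)
      @pending = {}
    end
  end

  # Fail closed: deny unknown routes and routes lacking an authorization setting.
  def authorize(verb, path, token_permissions)
    route = @routes.find { |r| r.match?(verb, path) }
    required = route&.settings&.dig(:authorization, :permissions)
    return false unless required
    Set.new(token_permissions) >= Set.new(Array(required))
  end
end

# The four endpoints and the granular permission each requires (from the MR).
PROTECTED_TAGS_API = MiniApi.new.tap do |api|
  api.route_setting :authorization, permissions: :read_protected_tag
  api.get '/projects/:id/protected_tags'
  api.route_setting :authorization, permissions: :read_protected_tag
  api.get '/projects/:id/protected_tags/:name'
  api.route_setting :authorization, permissions: :create_protected_tag
  api.post '/projects/:id/protected_tags'
  api.route_setting :authorization, permissions: :delete_protected_tag
  api.delete '/projects/:id/protected_tags/:name'
end
```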
Test Coverage:
- spec/requests/api/protected_tags_spec.rb - Added authorization test blocks for all 4 endpoints, using shared examples to verify permission enforcement
Technical Details
All permissions follow GitLab's naming conventions:
- Singular form naming (e.g., protected_tag, not protected_tags)
- Feature category: source_code_management
- Boundary type: project
Testing
Run the test suite:
bundle exec rspec spec/requests/api/protected_tags_spec.rb
Edited by Matthew MacRae-Bovell