Draft: feat: enable granular PATs for repositories endpoints
Relates to issue #583243
Changes
This MR implements granular Personal Access Token (PAT) permissions for all Repositories REST API endpoints, enabling fine-grained access control for repository operations.
Permission YAML Files Created (3 files)
-
config/authz/permissions/repository/read.yml-read_repositorypermission for read operations -
config/authz/permissions/repository_health/read.yml-read_repository_healthpermission for health checks -
config/authz/permissions/repository/update.yml-update_repositorypermission for write operations
All permission files follow the established conventions:
- Singular naming convention
- Feature category:
source_code_management - Boundary type:
project -
available_for_tokens: trueenabled
API Authorization Decorators (10 endpoints)
Modified lib/api/repositories.rb to add route_setting :authorization decorators:
Read Repository Permission:
GET /projects/:id/repository/treeGET /projects/:id/repository/blobs/:sha/rawGET /projects/:id/repository/blobs/:shaGET /projects/:id/repository/archiveGET /projects/:id/repository/compareGET /projects/:id/repository/contributorsGET /projects/:id/repository/merge_baseGET /projects/:id/repository/changelog
Read Repository Health Permission:
GET /projects/:id/repository/health
Update Repository Permission:
POST /projects/:id/repository/changelog
Test Coverage (10 test blocks)
Modified spec/requests/api/repositories_spec.rb to add comprehensive authorization tests using the it_behaves_like 'authorizing granular token permissions' shared example pattern for all 10 endpoints.
Impact
This implementation allows users to create Personal Access Tokens with specific repository permissions (read, health check, update) rather than requiring broad access, significantly improving security and enabling more granular access control for repository operations.