Draft: feat: enable granular PATs for Snippets
Relates to issue #583245
Changes
This MR implements granular Personal Access Token (PAT) permissions for all Snippets REST API endpoints, enabling fine-grained access control for snippet operations.
Permission Definition Files (6 files created)
Created permission YAML files in config/authz/permissions/snippet/:
- read.yml: read_snippet permission for viewing snippets
- create.yml: create_snippet permission for creating new snippets
- update.yml: update_snippet permission for modifying snippets
- delete.yml: delete_snippet permission for deleting snippets
- read_all.yml: read_all_snippets permission for viewing all snippets (admin-level)
- read_user_agent_detail.yml: read_snippet_user_agent_detail permission for accessing user agent details
All permissions use:
- Feature category: source_code_management
- Boundary type: instance
API Endpoint Authorization (10 endpoints protected)
Added route_setting :authorization decorators to all endpoints in lib/api/snippets.rb:
- GET /snippets → read_snippet
- GET /snippets/public → read_snippet
- GET /snippets/all → read_all_snippets
- GET /snippets/:id → read_snippet
- POST /snippets → create_snippet
- PUT /snippets/:id → update_snippet
- DELETE /snippets/:id → delete_snippet
- GET /snippets/:id/raw → read_snippet
- GET /snippets/:id/files/:ref/:file_path/raw → read_snippet
- GET /snippets/:id/user_agent_detail → read_snippet_user_agent_detail
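To make the least-privilege effect of this mapping concrete, here is an added illustrative model (not GitLab's own route_setting implementation) that pairs the endpoint table above with a simplified granular token: the route matcher, the Token struct and the instance-boundary rule are assumptions of this example, while the endpoint-to-permission table is exactly the one the MR describes.

```ruby
# Illustrative model of granular PAT enforcement for the Snippets API.
# Added example, not GitLab code: the route table mirrors the MR, the
# matcher and token shape are simplified assumptions.

SNIPPET_ROUTES = {
  ['GET',    '/snippets']                               => :read_snippet,
  ['GET',    '/snippets/public']                        => :read_snippet,
  ['GET',    '/snippets/all']                           => :read_all_snippets,
  ['GET',    '/snippets/:id']                           => :read_snippet,
  ['POST',   '/snippets']                               => :create_snippet,
  ['PUT',    '/snippets/:id']                           => :update_snippet,
  ['DELETE', '/snippets/:id']                           => :delete_snippet,
  ['GET',    '/snippets/:id/raw']                       => :read_snippet,
  ['GET',    '/snippets/:id/files/:ref/:file_path/raw'] => :read_snippet,
  ['GET',    '/snippets/:id/user_agent_detail']         => :read_snippet_user_agent_detail
}.freeze

# Turn a route template into an anchored regexp; each :param matches one path segment.
def route_pattern(template)
  body = template.split('/').map { |seg| seg.start_with?(':') ? '[^/]+' : Regexp.escape(seg) }.join('/')
  Regexp.new('\A' + body + '\z')
end

# Literal routes are tried first so /snippets/public is not swallowed by /snippets/:id.
def required_permission(method, path)
  ordered = SNIPPET_ROUTES.sort_by { |(_, tpl), _| tpl.include?(':') ? 1 : 0 }
  ordered.each do |(m, tpl), perm|
    return perm if m == method && route_pattern(tpl).match?(path)
  end
  nil
end

# A granular PAT carries an explicit permission set and the boundary it was issued for.
Token = Struct.new(:permissions, :boundary_type, keyword_init: true)

def authorize(token, method, path)
  perm = required_permission(method, path)
  # Deny by default: an endpoint with no declared permission is unreachable with a granular token.
  return false if perm.nil?
  # Snippet permissions are defined at the instance boundary (assumption: other boundaries never carry them).
  return false unless token.boundary_type == :instance
  token.permissions.include?(perm)
end
```

A token holding only read_snippet can fetch a snippet's raw content but is refused on DELETE /snippets/:id and on the admin-level GET /snippets/all, which is the separation the six permissions are meant to enforce.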
Test Coverage (10 test blocks added)
Added comprehensive authorization tests in spec/requests/api/snippets_spec.rb using the shared example 'authorizing granular token permissions' for all 10 endpoints. Each test validates that the appropriate permission is enforced at the instance boundary level.
Summary
- Files Created: 6 permission YAML files
- Files Modified: 2 (API file + spec file)
- Endpoints Protected: 10 REST API endpoints
- Permissions Defined: 6 granular permissions
- Test Coverage: 10 authorization test blocks