Draft: feat: enable granular PATs for approval rules
Relates to issue #583250
Changes
This MR implements granular Personal Access Token (PAT) permissions for Approval Rules REST API endpoints at both project and group levels.
Permission Definitions
Created new directory config/authz/permissions/approval_rule/ with 4 permission YAML files:
- read.yml - read_approval_rule permission (project & group boundaries)
- create.yml - create_approval_rule permission (project & group boundaries)
- update.yml - update_approval_rule permission (project & group boundaries)
- delete.yml - delete_approval_rule permission (project boundary only)
All permissions have feature_category: source_code_management and available_for_tokens: true.
API Endpoint Updates
Project Approval Rules (ee/lib/api/project_approval_rules.rb):
- GET /projects/:id/approval_rules → read_approval_rule
- GET /projects/:id/approval_rules/:approval_rule_id → read_approval_rule
- POST /projects/:id/approval_rules → create_approval_rule
- PUT /projects/:id/approval_rules/:approval_rule_id → update_approval_rule
- DELETE /projects/:id/approval_rules/:approval_rule_id → delete_approval_rule
Group Approval Rules (ee/lib/api/group_approval_rules.rb):
- GET /groups/:id/approval_rules → read_approval_rule
- POST /groups/:id/approval_rules → create_approval_rule
- PUT /groups/:id/approval_rules/:approval_rule_id → update_approval_rule
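To make the permission definitions and the endpoint-to-permission mapping above concrete, here is an added illustration (not GitLab's implementation) of how a granular token would be checked against these approval-rule endpoints. The YAML field names, the route patterns and the rule that a token only reaches resources of its own boundary are assumptions of this model.

```ruby
require 'yaml'

# Constructed stand-in for the four permission YAML files described above.
# Field names are an assumption for this illustration, not GitLab's schema.
PERMISSIONS = YAML.safe_load(<<~YAML).freeze
  read_approval_rule:   { boundaries: [project, group] }
  create_approval_rule: { boundaries: [project, group] }
  update_approval_rule: { boundaries: [project, group] }
  delete_approval_rule: { boundaries: [project] }
YAML

# Endpoint -> required permission, exactly as listed in the MR (no group DELETE).
ROUTES = {
  ['GET',    %r{\A/projects/\d+/approval_rules(/\d+)?\z}] => 'read_approval_rule',
  ['POST',   %r{\A/projects/\d+/approval_rules\z}]        => 'create_approval_rule',
  ['PUT',    %r{\A/projects/\d+/approval_rules/\d+\z}]    => 'update_approval_rule',
  ['DELETE', %r{\A/projects/\d+/approval_rules/\d+\z}]    => 'delete_approval_rule',
  ['GET',    %r{\A/groups/\d+/approval_rules\z}]          => 'read_approval_rule',
  ['POST',   %r{\A/groups/\d+/approval_rules\z}]          => 'create_approval_rule',
  ['PUT',    %r{\A/groups/\d+/approval_rules/\d+\z}]      => 'update_approval_rule'
}.freeze

# Can a token minted at this boundary be granted this permission at all?
# Encodes "delete.yml: project boundary only".
def grantable?(permission, boundary)
  defn = PERMISSIONS[permission]
  !defn.nil? && defn['boundaries'].include?(boundary)
end

# Decide a request. token = { scopes: [...], boundary: 'project' | 'group' }.
# Simplifying assumption: a token only reaches resources of its own boundary.
# Returns :allowed or a symbol naming the first failing check.
def authorize(token, method, path)
  boundary = path.start_with?('/groups/') ? 'group' : 'project'
  _, required = ROUTES.find { |(m, re), _| m == method && path.match?(re) }
  return :no_route unless required
  return :boundary_mismatch unless token[:boundary] == boundary
  return :missing_permission unless token[:scopes].include?(required)
  return :not_grantable unless grantable?(required, boundary)
  :allowed
end

if __FILE__ == $PROGRAM_NAME
  t = { scopes: %w[read_approval_rule], boundary: 'project' }
  puts authorize(t, 'GET', '/projects/7/approval_rules/12')    # allowed
  puts authorize(t, 'DELETE', '/projects/7/approval_rules/12') # missing_permission
end
```

The denial reasons are returned as symbols so the same function can feed both an HTTP 403 response and an audit log entry.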
Test Coverage
Added authorization tests using the 'authorizing granular token permissions' shared example:
- ee/spec/requests/api/project_approval_rules_spec.rb - 5 authorization test blocks
- ee/spec/requests/api/group_approval_rules_spec.rb - 3 authorization test blocks
Files Modified
- New directory: config/authz/permissions/approval_rule/
- New files (4): read.yml, create.yml, update.yml, delete.yml
- Modified files (4):
  - ee/lib/api/project_approval_rules.rb
  - ee/lib/api/group_approval_rules.rb
  - ee/spec/requests/api/project_approval_rules_spec.rb
  - ee/spec/requests/api/group_approval_rules_spec.rb