Allow an admin user to access any user's private token using the `sudo` parameter
Summary
- In #20911 / !6047 (merged), the
private_token
field was removed from the /user
API.
- This was done to prevent API consumers which were given access using a personal access token from "upgrading" their access to a private token, thereby continuing to have access even if the personal access token was revoked.
- This caused a breaking change for a customer - the client application expects to receive a user's private token when accessing the
/user
endpoint with the sudo
parameter set.
- We can enable the
private_token
field only when the sudo
parameter is set (and the current user is an admin), which should resolve the breaking change, while preventing the original vulnerability.
Steps to reproduce
- Make an API call to the
/user
endpoint as an admin user, and with the sudo
parameter set
Expected behavior
- The
private_token
of the user referenced in the sudo
parameter must be present in the API response
Actual behavior
- The
private_token
of the user referenced in the sudo
parameter is absent
/cc @dblessing @davidd2k @stanhu