Exclusivity of Project Bots [BE]
Summary
Currently, Project Bots can be added to other Projects via Add member UI and API . Scoping access token to particular projects issue will resolve this problem at the access token level. However, the bot can still be manually added as a member to another project.
This issue is to prevent the bots from being shared across multiple projects.
The feature is currently behind the resource_access_token
feature flag with default off.
Steps to reproduce
- Create a Project Access Token
- The Project Bot shows up in the member list
- Note the project bot username
- Go to another project, and add the bot as a member
What is the expected correct behavior?
Project Bots should not be shared across multiple projects. Same should be applicable for Group Bots too (whenever applicable).
Possible fixes
Prevent project bot from being added as a member to any other projects (UI + API). The only way of adding project bots to a project will be via project access tokens.
Edited by Peter Hegman