Implement Admin Mode for API
What does this MR do and why?
This MR is based on !107875 (merged).
This MR is part of the implementation plan in #42692 (comment 1222832412) to extend the Admin Mode feature to the API access using a personal access token (PAT).
This MR:
- adds a new `:admin_mode_for_api` feature flag.
- implements Admin Mode for API:
  - If the feature flag is enabled:
    - Users can select the `admin_mode` scope when creating a personal access token (UI & API).
    - If the Admin Mode setting is enabled, all API endpoints for admins require the `admin_mode` scope in the PAT.
    - If the Admin Mode setting is disabled, the API endpoints for admins don't require the `admin_mode` scope in the PAT.
  - If the feature flag is disabled:
    - Users can't select the `admin_mode` scope when creating a personal access token (UI & API).
    - The API endpoints for admins don't require the `admin_mode` scope in the PAT (regardless of the Admin Mode setting).
- disables the feature flag for all API specs at the moment. (All API specs will be adapted continuously in separate MRs. The feature flag is disabled for these specs as long as they are not yet adapted.)
Further information:
- Issue: #42692 (closed)
/cc @bufferoverflow
Screenshots
How to set up and validate locally
- Enable the feature flag: `Feature.enable(:admin_mode_for_api)`
- Sign in as administrator.
- Create a personal access token (`PAT_with`) with the `admin_mode` scope.
- Create a personal access token (`PAT_without`) without the `admin_mode` scope.
- Call an API endpoint for admins with `PAT_with` and `PAT_without`:

```
$ curl --header "PRIVATE-TOKEN: <PAT_with>" "http://localhost:3000/api/v4/application/appearance"
{"title":"","short_title":"","description":"","logo":null,"header_logo":null,"favicon":null,"new_project_guidelines":"","profile_image_guidelines":"","header_message":"","footer_message":"","message_background_color":"#E75E40","message_font_color":"#FFFFFF","email_header_and_footer_enabled":false}
$ curl --header "PRIVATE-TOKEN: <PAT_without>" "http://localhost:3000/api/v4/application/appearance"
{"title":"","short_title":"","description":"","logo":null,"header_logo":null,"favicon":null,"new_project_guidelines":"","profile_image_guidelines":"","header_message":"","footer_message":"","message_background_color":"#E75E40","message_font_color":"#FFFFFF","email_header_and_footer_enabled":false}
```

- Navigate to the Admin Area and enable Admin Mode.
- Call an API endpoint for admins with `PAT_with` and `PAT_without` again; the token without the scope is now rejected:

```
$ curl --header "PRIVATE-TOKEN: <PAT_with>" "http://localhost:3000/api/v4/application/appearance"
{"title":"","short_title":"","description":"","logo":null,"header_logo":null,"favicon":null,"new_project_guidelines":"","profile_image_guidelines":"","header_message":"","footer_message":"","message_background_color":"#E75E40","message_font_color":"#FFFFFF","email_header_and_footer_enabled":false}
$ curl --header "PRIVATE-TOKEN: <PAT_without>" "http://localhost:3000/api/v4/application/appearance"
{"message":"403 Forbidden"}
```
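The decision table from the MR description above (feature flag, Admin Mode setting, `admin_mode` scope) and the walkthrough just shown, as an added stand-alone Ruby model. This is illustration code written for this page, not GitLab's implementation; the module name `AdminModeApiPolicy`, its method names and keyword arguments are assumptions.

```ruby
# Added illustration of the rules described in this MR. Not GitLab code:
# the module, method names and keyword arguments are assumed for clarity.
module AdminModeApiPolicy
  ADMIN_MODE_SCOPE = :admin_mode

  # Scopes offered when creating a PAT (UI or API). The admin_mode scope is
  # only selectable while the :admin_mode_for_api feature flag is enabled.
  def self.selectable_scopes(base_scopes, flag_enabled:)
    flag_enabled ? base_scopes + [ADMIN_MODE_SCOPE] : base_scopes
  end

  # Server-side validation of a requested scope list: reject anything that is
  # not selectable, so admin_mode cannot be smuggled in while the flag is off.
  def self.valid_token_scopes?(requested, base_scopes, flag_enabled:)
    allowed = selectable_scopes(base_scopes, flag_enabled: flag_enabled)
    (requested - allowed).empty?
  end

  # Outcome of calling an admin-only endpoint with a PAT. Returns the HTTP
  # status the walkthrough shows: 200 when allowed, 403 when forbidden.
  def self.admin_endpoint_status(token_scopes, user_admin:, flag_enabled:, admin_mode_setting:)
    # Non-admins never reach admin endpoints, whatever the token carries.
    return 403 unless user_admin
    # Flag disabled: the admin_mode scope is never required (setting ignored).
    return 200 unless flag_enabled
    # Flag enabled but Admin Mode setting disabled: scope still not required.
    return 200 unless admin_mode_setting
    # Flag enabled and Admin Mode setting enabled: the PAT must carry the scope.
    token_scopes.include?(ADMIN_MODE_SCOPE) ? 200 : 403
  end

  # The four requests from "How to set up and validate locally", in order:
  # [PAT_with, PAT_without] before enabling Admin Mode, then after.
  def self.walkthrough(flag_enabled: true)
    pat_with = [:api, ADMIN_MODE_SCOPE]   # constructed sample scopes
    pat_without = [:api]
    [false, true].flat_map do |setting|
      [pat_with, pat_without].map do |scopes|
        admin_endpoint_status(scopes, user_admin: true,
                              flag_enabled: flag_enabled,
                              admin_mode_setting: setting)
      end
    end
  end
end
```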
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Jonas Wälter