Putting CI/CD settings behind appropriate permission levels
What does this MR do and why?
Currently our REST endpoints for CI/CD settings return sensitive information to any caller who can read the project.
This MR adds a check so that these settings are returned only to maintainers and above. This matches the behaviour in the UI, where only maintainers and above can view admin settings.
Screenshots or screen recordings
Settings are not returned in the Projects API
How to set up and validate locally
- Create access tokens for the project via Settings -> Access Tokens on the sidebar of a project
- Using `Bearer token` authorization, try reporter or lower level access tokens. There should no longer be CI/CD setting fields returned.
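The check above can be scripted, as in this added example (not part of the MR): it compares the Projects API response for a maintainer token with the one for a reporter token and reports which CI/CD setting fields are still exposed. It assumes the sensitive fields are those whose key starts with `ci_` (field names such as `ci_config_path` are an assumption based on the Projects API; the MR only says "ci/cd setting fields"), and the base URL, project id and tokens are placeholders; the sample responses are constructed.

```python
"""Verify that a reporter-level token no longer receives CI/CD settings
from GET /api/v4/projects/:id. Added example, not the MR's own code."""
import json
import urllib.request

# Assumption: CI/CD setting fields share the "ci_" key prefix.
CI_SETTING_PREFIX = "ci_"


def ci_setting_keys(project: dict) -> set:
    """Top-level keys of a Projects API response that look like CI/CD settings."""
    return {k for k in project if k.startswith(CI_SETTING_PREFIX)}


def hidden_from_reporter(maintainer_view: dict, reporter_view: dict) -> set:
    """CI/CD keys the maintainer sees that the reporter does not."""
    return ci_setting_keys(maintainer_view) - ci_setting_keys(reporter_view)


def validate(maintainer_view: dict, reporter_view: dict) -> dict:
    """Return a verdict: the fix holds only if the reporter gets no CI/CD
    keys at all, while the maintainer still gets every one of them."""
    leaked = ci_setting_keys(reporter_view)
    return {
        "ok": not leaked and bool(ci_setting_keys(maintainer_view)),
        "leaked_to_reporter": sorted(leaked),
        "hidden_from_reporter": sorted(hidden_from_reporter(maintainer_view, reporter_view)),
    }


def fetch_project(base_url: str, project_id: int, token: str) -> dict:
    """GET the project with Bearer token auth (network call, not run in tests)."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/projects/{project_id}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses standing in for real API output.
MAINTAINER_RESPONSE = {"id": 1, "name": "demo",
                       "ci_config_path": "", "ci_default_git_depth": 20}
REPORTER_RESPONSE = {"id": 1, "name": "demo"}

if __name__ == "__main__":
    # Live run (placeholders): replace the two constructed dicts with
    # fetch_project("https://gitlab.example.com", 1, "<MAINTAINER_TOKEN>")
    # and fetch_project("https://gitlab.example.com", 1, "<REPORTER_TOKEN>").
    print(json.dumps(validate(MAINTAINER_RESPONSE, REPORTER_RESPONSE), indent=2))
```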
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #387741 (closed)
Edited by Max Fan