
Admin mode issues: Admin user can see pipeline trigger token from other project

  • Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA. As a benefit of being a GitLab Community Contributor, you can request access to GitLab Duo.

What does this MR do and why?

According to the GitLab permission documentation page, GitLab administrators have all permissions. Therefore, it should also be possible to see / reveal the correct values of the pipeline trigger tokens when accessing any project as an admin user with admin mode enabled. This helps admin users to reproduce certain situations and support requests where the pipeline trigger token is necessary.

This MR allows admin users (with enabled admin mode) to access the full value of the pipeline trigger token.

🛠 with at Siemens

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

MR Checklist (@gerardo-navarro)

Screenshots or screen recordings

The following screenshots show the table of pipeline trigger tokens accessed by an admin user with admin mode enabled.

[Screenshots: Before (branch master) / After (this MR branch)]

How to set up and validate locally

Step as non-admin user

  1. In a new browser window, sign in as a non-admin user
  2. As the non-admin user, create a pipeline trigger token in the ci/cd settings
  3. Remember the value of the pipeline trigger token as it will be important later

Step as admin user

  1. Open a fresh browser session (private browser window or other browser) and sign in with an admin user
  2. As the admin user, enter the admin mode (otherwise you will not be able to access the project's ci/cd settings)
  3. As the admin user, go to the ci/cd section and expand the section "Pipeline trigger tokens" => you should see the active pipeline trigger tokens
  4. Click the button "Edit" for the pipeline trigger token and look at the token value => you will notice that the token value is not the actual token value that was created before
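The visibility rule described above, as an added illustration that is not GitLab's own code: the full token is shown to its owner and to an administrator who has admin mode enabled, while a plain admin session (or any other user) only gets a masked value. The `User`, `Trigger` structs, the field names and the sample token are constructed for this example.

```ruby
# Hypothetical model of the token-visibility rule this MR describes;
# not GitLab's own code. Field names and sample data are constructed.
User = Struct.new(:username, :admin, :admin_mode, keyword_init: true)
Trigger = Struct.new(:token, :owner, keyword_init: true)

# Keep the first four characters visible so the token can still be
# identified in the list; replace the rest with asterisks.
def mask_token(token)
  token[0, 4] + '*' * (token.length - 4)
end

# The owner always sees the full token. An administrator sees it only
# while admin mode is active; being an admin alone is not enough.
def reveal_token?(user, trigger)
  return true if trigger.owner == user.username

  user.admin && user.admin_mode
end

def displayed_token(user, trigger)
  reveal_token?(user, trigger) ? trigger.token : mask_token(trigger.token)
end

# Constructed sample data for a stand-alone run.
OWNER = User.new(username: 'dev', admin: false, admin_mode: false)
ADMIN_PLAIN = User.new(username: 'root', admin: true, admin_mode: false)
ADMIN_MODE = User.new(username: 'root', admin: true, admin_mode: true)
TRIGGER = Trigger.new(token: 'abcd1234efgh5678', owner: 'dev')

if __FILE__ == $PROGRAM_NAME
  [OWNER, ADMIN_PLAIN, ADMIN_MODE].each do |u|
    puts "#{u.username} (admin_mode=#{u.admin_mode}): #{displayed_token(u, TRIGGER)}"
  end
end
```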

Related to #499152

Edited by Gerardo Navarro
