The source project of this merge request has been removed.
api: Allow non-admin user to get GPG public keys
What does this MR do?
Removes the requirement of administration privileges for the endpoint
GET /users/:id/gpg_keys
With this change the scope read_user
is now required.
Screenshots
No visual changes/effects.
Does this MR meet the acceptance criteria?
Conformity
-
Changelog entry -
Documentation (if required) -
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides -
Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. - [-] Tested in all supported browsers
Security
I believe that exposing public GPG keys for tokens that have the read_user
permission does not pose a significant security threat. GitHub, for example, even exposes them publicly: https://github.com/m-bymike.gpg
@gitlab-com/gl-security/appsec, this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security -> I cannot label the MR. -
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team
P.S.: This is my first MR for GitLab, please excuse newbie issues...
Edited by 🤖 GitLab Bot 🤖