diff options
Diffstat (limited to 'app/services/resource_access_tokens/create_service.rb')
-rw-r--r-- | app/services/resource_access_tokens/create_service.rb | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/app/services/resource_access_tokens/create_service.rb b/app/services/resource_access_tokens/create_service.rb index 1c496aa5e77..824b1a8c377 100644 --- a/app/services/resource_access_tokens/create_service.rb +++ b/app/services/resource_access_tokens/create_service.rb @@ -17,6 +17,8 @@ module ResourceAccessTokens access_level = params[:access_level] || Gitlab::Access::MAINTAINER return error("Could not provision owner access to project access token") if do_not_allow_owner_access_level_for_project_bot?(access_level) + return error("Access level of the token can't be greater the access level of the user who created the token") unless validate_access_level(access_level) + return error(s_('AccessTokens|Access token limit reached')) if reached_access_token_limit? user = create_user @@ -125,6 +127,14 @@ module ResourceAccessTokens ServiceResponse.success(payload: { access_token: access_token }) end + def validate_access_level(access_level) + return true unless resource.is_a?(Project) + return true if current_user.bot? + return true if current_user.can?(:manage_owners, resource) + + current_user.authorized_project?(resource, access_level.to_i) + end + def do_not_allow_owner_access_level_for_project_bot?(access_level) resource.is_a?(Project) && access_level.to_i == Gitlab::Access::OWNER && |