Skip to content

feat: add canManageTokens capability#834

Open
LudvigAnderson wants to merge 1 commit into
NorthernTechHQ:mainfrom
LudvigAnderson:feat/add-token-management
Open

feat: add canManageTokens capability#834
LudvigAnderson wants to merge 1 commit into
NorthernTechHQ:mainfrom
LudvigAnderson:feat/add-token-management

Conversation

@LudvigAnderson

Copy link
Copy Markdown

Introduce a tokenManagement permission area and a canManageTokens user capability, mirroring the existing canManageUsers. It is derived from the ManageTokens permission set, and — since the personal access token endpoints currently also live in the Basic set — from Basic as well, so it resolves to true for all built-in roles and any custom role granted Basic today, while already covering ManageTokens-only roles (e.g. the CI built-in role) for when tokens are split out of Basic.

Ticket: MEN-8386

Btw this is essentially all Claude because I'm not so familiar with this repo, but I open a PR for it in case it's useful.

@LudvigAnderson
LudvigAnderson requested a review from a team as a code owner July 15, 2026 14:27
Introduce a `tokenManagement` permission area and a `canManageTokens`
user capability, mirroring the existing `canManageUsers`. It is derived
from the `ManageTokens` permission set, and — since the personal access
token endpoints currently also live in the `Basic` set — from `Basic`
as well, so it resolves to true for all built-in roles and any custom
role granted `Basic` today, while already covering `ManageTokens`-only
roles (e.g. the CI built-in role) for when tokens are split out of
`Basic`.

Ticket: MEN-8386
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Ludvig Szklarz Anderson <ludvig.s.anderson@northern.tech>
@LudvigAnderson
LudvigAnderson force-pushed the feat/add-token-management branch from a06c065 to 62c3d42 Compare July 15, 2026 14:40
@LudvigAnderson

Copy link
Copy Markdown
Author

@mineralsfree This is related to the discussion from the server team meeting today. The frontend was changed so that it's like {canManageUsers && <AccessTokenManagement />}, so I was thinking maybe it's better if nt-gui has this stuff so that one can instead use something like canManageTokens in the frontend.

Of course for the security issue, there should be backend change as well to the APIs, but yeah feel free to review whether these additions look reasonable or it's all just garbage 😄

@mineralsfree

Copy link
Copy Markdown
Contributor

I've created the revert PR in mender-server that will unblock current customers: mendersoftware/mender-server#2068

I think it will go through faster so it can land on next hosted release.

As for this changes, I afraid I won't be able to check/test it until I am back from PTO 🌞

@LudvigAnderson

Copy link
Copy Markdown
Author

Thanks a lot for the quick fix! Regarding this one, don't worry about it, enjoy your PTO! 🙌

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants