feat: add canManageTokens capability#834
Conversation
Introduce a `tokenManagement` permission area and a `canManageTokens` user capability, mirroring the existing `canManageUsers`. It is derived from the `ManageTokens` permission set, and — since the personal access token endpoints currently also live in the `Basic` set — from `Basic` as well, so it resolves to true for all built-in roles and any custom role granted `Basic` today, while already covering `ManageTokens`-only roles (e.g. the CI built-in role) for when tokens are split out of `Basic`. Ticket: MEN-8386 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Ludvig Szklarz Anderson <ludvig.s.anderson@northern.tech>
a06c065 to
62c3d42
Compare
|
@mineralsfree This is related to the discussion from the server team meeting today. The frontend was changed so that it's like Of course for the security issue, there should be backend change as well to the APIs, but yeah feel free to review whether these additions look reasonable or it's all just garbage 😄 |
|
I've created the revert PR in mender-server that will unblock current customers: mendersoftware/mender-server#2068 I think it will go through faster so it can land on next hosted release. As for this changes, I afraid I won't be able to check/test it until I am back from PTO 🌞 |
|
Thanks a lot for the quick fix! Regarding this one, don't worry about it, enjoy your PTO! 🙌 |
Introduce a
tokenManagementpermission area and acanManageTokensuser capability, mirroring the existingcanManageUsers. It is derived from theManageTokenspermission set, and — since the personal access token endpoints currently also live in theBasicset — fromBasicas well, so it resolves to true for all built-in roles and any custom role grantedBasictoday, while already coveringManageTokens-only roles (e.g. the CI built-in role) for when tokens are split out ofBasic.Ticket: MEN-8386
Btw this is essentially all Claude because I'm not so familiar with this repo, but I open a PR for it in case it's useful.