Non-owner users can't issue access tokens on repositories
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
New
|
Undecided
|
Unassigned |
Bug Description
I am interested in a setup where users can issue access tokens for HTTPS authentication even if they do not own a specific repository (they have read access, for example).
Here is a clear use case. User A owns a private repository R, A adds user B to subscribers (for access to Merge requests, for example), and sets a permission rule in R for B to write to a specific branch. Once this is done, user B cannot set its own access token to take advantage of authentication with access tokens. Navigating +access-tokens as user B in the UI returns:
Not allowed here
Sorry, you don't have permission to access this page or the information in this page is not shared with you.
You are logged in as B.
In other words. A user, subscribed to a private repository, can access that via git via ssh, but not via HTTPS.
We need to look whether this is just not exposed via API, or whether this is really not implemented, and check the Launchpad backlog whether this is a known issue, and whether there have been reasons for not implementing it.
Background:
In that use case Launchpad should be an implementation detail, and transparent to the user.