Site admins cannot add access tokens for any user by default

Warren Gifford requested to merge core/CheckSiteAdminOrSameUser-audit into main

Created by: ryanslade

By default, when any user can create access tokens, do not allow site admins to create tokens for other users. This would allow them to potentially use the access token to gain access to the user's private code.

Update usages of CheckSiteAdminOrSameUser and switch to CheckSameUser where it might expose private code.

Part of https://github.com/sourcegraph/sourcegraph/issues/20983
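
The difference between the two checks named in the description, as an added Go sketch. It is not Sourcegraph's code: the `Actor` type, the function bodies, the error value and the user IDs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Actor is the authenticated caller (hypothetical type for this example).
type Actor struct {
	UserID    int32 // 0 means unauthenticated
	SiteAdmin bool
}

var errForbidden = errors.New("forbidden: not the subject user")

// checkSameUser passes only when the caller is the subject of the request.
func checkSameUser(a Actor, subjectID int32) error {
	if a.UserID == 0 || a.UserID != subjectID {
		return errForbidden
	}
	return nil
}

// checkSiteAdminOrSameUser also passes for any site admin, whoever the subject is.
func checkSiteAdminOrSameUser(a Actor, subjectID int32) error {
	if a.SiteAdmin {
		return nil
	}
	return checkSameUser(a, subjectID)
}

func main() {
	// Constructed sample actors: user 1 is a site admin, user 2 is a regular user.
	admin, alice := Actor{UserID: 1, SiteAdmin: true}, Actor{UserID: 2}
	cases := []struct {
		name    string
		actor   Actor
		subject int32
	}{
		{"admin mints token for alice", admin, 2},
		{"alice mints own token", alice, 2},
		{"admin mints own token", admin, 1},
		{"anonymous caller, subject 0", Actor{}, 0},
	}
	for _, c := range cases {
		fmt.Printf("%-30s adminOrSame=%-5v sameUser=%v\n", c.name,
			checkSiteAdminOrSameUser(c.actor, c.subject) == nil,
			checkSameUser(c.actor, c.subject) == nil)
	}
}
```

Only the first case differs between the two checks: with the same-user check, a token that carries another user's access to private code can no longer be minted by an admin.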
