From 69e79c2417768d587d46f165f061d291264b9a8d Mon Sep 17 00:00:00 2001
From: Drew Blessing <drew@gitlab.com>
Date: Fri, 26 Jul 2024 09:41:33 +0000
Subject: [PATCH] Add Disable Personal Access Tokens setting to Admin Settings UI

Adds the existing Disable Personal Access Tokens setting to the Admin area general settings UI under Visibility and Access Controls.

Changelog: added
EE: true
---
 .../_visibility_and_access.html.haml | 2 ++
 doc/user/profile/personal_access_tokens.md | 8 +++++++
 .../admin/application_settings_controller.rb | 3 ++-
 .../_disable_personal_access_tokens.html.haml | 8 +++++++
 ee/spec/features/admin/admin_settings_spec.rb | 23 +++++++++++++++++++
 locale/gitlab.pot | 3 +++
 6 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 ee/app/views/admin/application_settings/_disable_personal_access_tokens.html.haml

diff --git a/app/views/admin/application_settings/_visibility_and_access.html.haml b/app/views/admin/application_settings/_visibility_and_access.html.haml
index 8d0b8c17bd29..a00c45298840 100644
--- a/app/views/admin/application_settings/_visibility_and_access.html.haml
+++ b/app/views/admin/application_settings/_visibility_and_access.html.haml
@@ -48,6 +48,8 @@
 = f.label field_name, "#{type.upcase} SSH keys", class: 'label-bold'
 = f.select field_name, key_restriction_options_for_select(type), {}, class: 'form-control'
+ = render_if_exists 'admin/application_settings/disable_personal_access_tokens', form: f
+
 .form-group
 %label.label-bold= s_('AdminSettings|Feed token')
 = f.gitlab_ui_checkbox_component :disable_feed_token, s_('AdminSettings|Disable feed token')
diff --git a/doc/user/profile/personal_access_tokens.md b/doc/user/profile/personal_access_tokens.md
index be2785406944..30d674e75b4f 100644
--- a/doc/user/profile/personal_access_tokens.md
+++ b/doc/user/profile/personal_access_tokens.md
@@ -97,6 +97,14 @@ Prerequisites:
 In GitLab 15.7 and later, you can [use the application settings API to disable personal access tokens](../../api/settings.md#list-of-settings-that-can-be-accessed-via-api-calls).
+In GitLab 17.3 and later, you can disable personal access tokens in the Admin UI:
+
+1. On the left sidebar, at the bottom, select **Admin**.
+1. Select **Settings > General**.
+1. Expand **Visibility and access controls**.
+1. Select the **Disable personal access tokens** checkbox.
+1. Select **Save changes**.
+
 ### Disable personal access tokens for enterprise users
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/369504) in GitLab 16.11 [with a flag](../../administration/feature_flags.md) named `enterprise_disable_personal_access_tokens`. Disabled by default.
diff --git a/ee/app/controllers/ee/admin/application_settings_controller.rb b/ee/app/controllers/ee/admin/application_settings_controller.rb
index 36e1cd55996f..1a1ce83ace7d 100644
--- a/ee/app/controllers/ee/admin/application_settings_controller.rb
+++ b/ee/app/controllers/ee/admin/application_settings_controller.rb
@@ -131,7 +131,8 @@ def visible_application_setting_attributes
 :lock_maven_package_requests_forwarding],
 default_branch_protection_restriction_in_groups: :group_owners_can_manage_default_branch_protection,
 group_ip_restriction: :globally_allowed_ips,
- service_accounts: :service_access_tokens_expiration_enforced
+ service_accounts: :service_access_tokens_expiration_enforced,
+ disable_personal_access_tokens: :disable_personal_access_tokens
 }.each do |license_feature, attribute_names|
 if License.feature_available?(license_feature)
 attrs += Array.wrap(attribute_names)
diff --git a/ee/app/views/admin/application_settings/_disable_personal_access_tokens.html.haml b/ee/app/views/admin/application_settings/_disable_personal_access_tokens.html.haml
new file mode 100644
index 000000000000..67cc0bdfa24b
--- /dev/null
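Review bot: Nothing in this commit tests the server-side gate that the new `disable_personal_access_tokens: :disable_personal_access_tokens` entry in `visible_application_setting_attributes` relies on; the diffstat shows only a feature spec, and its unlicensed case checks only that the checkbox is not rendered. The `License.feature_available?(license_feature)` filter in this loop, not the hidden checkbox, is what keeps an unlicensed instance from accepting a change to an instance-wide authentication control. I would add a request or controller spec that submits the parameter with `stub_licensed_features(disable_personal_access_tokens: false)` and asserts the stored value is unchanged. The method starts and ends outside the hunk, so how `attrs` is consumed afterwards is not visible here.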
+++ b/ee/app/views/admin/application_settings/_disable_personal_access_tokens.html.haml
@@ -0,0 +1,8 @@
+- return unless ::License.feature_available?(:disable_personal_access_tokens)
+
+- form = local_assigns.fetch(:form)
+
+.form-group
+ %h5= _('Personal access tokens')
+ = form.gitlab_ui_checkbox_component :disable_personal_access_tokens,
+ _('Disable personal access tokens')
diff --git a/ee/spec/features/admin/admin_settings_spec.rb b/ee/spec/features/admin/admin_settings_spec.rb
index 250057f96cff..4f1a71b1cc9e 100644
--- a/ee/spec/features/admin/admin_settings_spec.rb
+++ b/ee/spec/features/admin/admin_settings_spec.rb
@@ -248,6 +248,29 @@
 end
 end
+ context 'Disable personal access tokens', feature_category: :system_access do
+ it 'does not show the setting when the feature is not licensed' do
+ stub_licensed_features(disable_personal_access_tokens: false)
+
+ expect(page).not_to have_css('#application_setting_disable_personal_access_tokens')
+ end
+
+ it 'enables personal access tokens' do
+ current_settings.update_attribute(:disable_personal_access_tokens, true)
+
+ visit general_admin_application_settings_path
+
+ within_testid('admin-visibility-access-settings') do
+ uncheck _('Disable personal access tokens')
+ click_button _('Save changes')
+ end
+
+ expect(page).to have_content _('Application settings saved successfully')
+ expect(find('#application_setting_disable_personal_access_tokens')).not_to be_checked
+ expect(current_settings.disable_personal_access_tokens).to eq(false)
+ end
+ end
+
 context 'package registry settings', feature_category: :package_registry do
 before do
 visit ci_cd_admin_application_settings_path
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 738a101c82dd..29a849d8839f 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -19073,6 +19073,9 @@ msgstr ""
 msgid "Disable group runners"
 msgstr ""
+msgid "Disable personal access tokens"
+msgstr ""
+
 msgid "Disable two-factor authentication"
 msgstr ""
--
GitLab
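Review bot: The checkbox in the new `_disable_personal_access_tokens.html.haml` partial has no help text, so an administrator changing an instance-wide authentication control is not told what happens to existing tokens or to integrations that authenticate with them. `gitlab_ui_checkbox_component` takes a `help_text:` option; I would pass `help_text: s_('AdminSettings|<effect on existing tokens and API access>')` with a link to doc/user/profile/personal_access_tokens.md, and add the matching locale/gitlab.pot entry. As a style point, the neighbouring Feed token group in `_visibility_and_access.html.haml` uses `%label.label-bold` and namespaced `s_('AdminSettings|…')` strings, while this partial uses `%h5` and plain `_()`.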
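Review bot: The example 'does not show the setting when the feature is not licensed' in admin_settings_spec.rb stubs the licence and then asserts on `page` without visiting the settings page, so it checks either a page rendered before the stub or, if no enclosing `before` visits one, an empty page; both can pass without exercising the licence gate. Adding `visit general_admin_application_settings_path` right after `stub_licensed_features(disable_personal_access_tokens: false)` would make the assertion meaningful. The enclosing `before` blocks are outside the hunk, so this is inferred from the visible lines only. The second example only unchecks the box; a companion case that checks it and asserts `current_settings.disable_personal_access_tokens` is `true` would cover the direction that actually restricts access.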