Details
Type: Suggestion
Resolution: Unresolved
Description
Issue Summary
Change the current requirement for the repository:admin or project:admin scope when fetching data (for example branch restrictions) through the API, so that the repository:read or project:read scope is sufficient instead.
Expected Results
For a GET call such as fetching branch restrictions, it is more intuitive, and in line with the principle of least privilege, to require only the repository:read scope. That scope should be sufficient to read the branch restrictions without granting full admin permissions. The same applies to API calls that currently require the project:admin permission, for example "List explicit group permissions for a project".
Actual Results
When users try to fetch branch restrictions using the API, the app password must have the repository:admin scope or the project:admin scope.