Project-scoped API tokens aren't available to maintainers #6262
Comments
Yup, I can confirm this. If I am logged in as a user who has maintainer-level collaborator status on a project, that project does not appear in the Scope dropdown list at This is a bug IMO and we should fix it before further publicizing the feature (per rollout tracked in #5661). Thanks for finding and reporting this bug @webknjaz! 🏆

Hmm, yeah, this is probably just a matter of how/which projects we iterate over for the user. I'll check this out, thanks @webknjaz!

That's my guess too.
Yeah, here's the root cause: We use the `user_projects` helper:

```python
from sqlalchemy import func

from warehouse.packaging.models import Project, Role


def user_projects(request):
    """Return all the projects for which the user is a sole owner."""
    # Projects where the current user holds the "Owner" role. Maintainer
    # roles are never considered here, so projects the user only maintains
    # never make it into the token scope list.
    projects_owned = (
        request.db.query(Project.id)
        .join(Role.project)
        .filter(Role.role_name == "Owner", Role.user == request.user)
        .subquery()
    )
    # Of those, the projects that have exactly one Owner in total.
    with_sole_owner = (
        request.db.query(Role.project_id)
        .join(projects_owned)
        .filter(Role.role_name == "Owner")
        .group_by(Role.project_id)
        .having(func.count(Role.project_id) == 1)
        .subquery()
    )
    return {
        "projects_owned": (
            request.db.query(Project)
            .join(projects_owned, Project.id == projects_owned.c.id)
            .order_by(Project.name)
            .all()
        ),
        "projects_sole_owned": (
            request.db.query(Project).join(with_sole_owner).order_by(Project.name).all()
        ),
    }
```

We could either amend that helper to include a sub-dict for maintainer roles as well, or add a new helper just for macaroons that returns just project names for those two roles.
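A self-contained sketch of the root cause next to the proposed widening to Maintainer roles, added here as an example and not Warehouse's own code: `Project` and `Role` are constructed stand-ins carrying only the columns the query touches, `user_id` stands in for `Role.user`, and the rows in `demo()` are constructed.

```python
from sqlalchemy import Column, ForeignKey, Integer, String, create_engine
from sqlalchemy.orm import Session, declarative_base, relationship

Base = declarative_base()

class Project(Base):  # constructed stand-in for warehouse's Project (only columns the query touches)
    __tablename__ = "projects"
    id = Column(Integer, primary_key=True)
    name = Column(String, nullable=False)

class Role(Base):  # constructed stand-in for warehouse's Role; user_id replaces Role.user
    __tablename__ = "roles"
    role_name = Column(String, nullable=False)  # "Owner" or "Maintainer"
    user_id = Column(Integer, primary_key=True)
    project_id = Column(Integer, ForeignKey("projects.id"), primary_key=True)
    project = relationship(Project)

def owner_only_project_names(db, user_id):
    """Mirror of the buggy selection: only projects where the user holds the Owner role."""
    rows = (
        db.query(Project.name)
        .join(Role, Role.project_id == Project.id)
        .filter(Role.role_name == "Owner", Role.user_id == user_id)
        .order_by(Project.name)
        .all()
    )
    return [name for (name,) in rows]

def token_scope_project_names(db, user_id):
    """Proposed widening: projects where the user is Owner or Maintainer (both may upload)."""
    rows = (
        db.query(Project.name)
        .join(Role, Role.project_id == Project.id)
        .filter(Role.role_name.in_(["Owner", "Maintainer"]), Role.user_id == user_id)
        .distinct()
        .order_by(Project.name)
        .all()
    )
    return [name for (name,) in rows]

def demo():
    """Constructed data: user 1 owns one project and only maintains another owned by user 2."""
    engine = create_engine("sqlite://")
    Base.metadata.create_all(engine)
    with Session(engine) as db:
        owned, maintained = Project(name="owned-pkg"), Project(name="maintained-pkg")
        db.add_all([owned, maintained,
                    Role(role_name="Owner", user_id=1, project=owned),
                    Role(role_name="Maintainer", user_id=1, project=maintained),
                    Role(role_name="Owner", user_id=2, project=maintained)])
        db.commit()
        return owner_only_project_names(db, 1), token_scope_project_names(db, 1)
```

Running `demo()` shows the maintained project missing from the Owner-only list and present once the Maintainer role is included.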
Describe the bug
When I use a "bot" account with "Maintainer" level access to projects, there are no projects to select from in the form for the token creation.
Expected behavior
Since this "bot" can upload dists using user/password auth, it should also have similar privileges set when using tokens.
To Reproduce
Go to https://pypi.org/manage/account/token and try selecting a project where you have only "Maintainer"-level access, not "Owner".
My Platform
N/A
Additional context
N/A