If I got that right, a secret token is used to access the new Redmine endpoint for updating the merge request info. The issue is determined using the Redmine issue ID specified in the merge request.
We have a use case where we're using an external version control system which should ideally not be able to assign merge requests to issues that are not located in a certain Redmine project (in case of typos etc.).
Is there a way we can do that? :)
Not at the moment. I see different options, though:
One could adjust the controller that receives webhooks to read a list of allowed projects from a query parameter in the webhook URL. That way incorrect associations would not be possible. Still, from an authorization point of view anyone with a secret token could create webhooks to attach merge requests to arbitrary projects.
On the other hand, one could add a project level setting to Redmine to store a list of allowed external projects to handle webhooks for (e.g. by specifying a URL prefix). That way Redmine admins would have full control. One could additionally restrict the list of Redmine projects where merge requests can be associated to those for which the project module is enabled. This would make the change (mostly) backward compatible while still restricting access to Redmine projects to those that have the project module enabled and either explicitly allow a certain external project or allow arbitrary external projects by keeping the list empty.
Or one could also reuse the list of repositories associated with the Redmine project (e.g. via Redmine Git Remote). I'm not sure, though, if this might create unwanted dependencies to other Redmine plugins. Also it would need to be optional since, for example in our case, we do not import repositories into Redmine's repository browser.
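
The project-level option discussed above (a per-project list of allowed URL prefixes, gated on the module being enabled, with an empty list meaning any external project), sketched as an added example that is not code from the plugin or from either commenter; `ProjectPolicy`, `association_allowed?` and the sample URLs are hypothetical. It compares origin and whole path segments, because a plain string-prefix test would also accept a sibling path such as `team/app-fork`.

```ruby
require 'uri'

# Hypothetical stand-in for a Redmine project's webhook settings.
ProjectPolicy = Struct.new(:identifier, :module_enabled, :allowed_prefixes)

# Split a URL into [scheme, host, port, path segments]; nil if unusable.
def url_parts(url)
  uri = URI.parse(url.to_s.strip)
  return nil unless uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?

  segments = uri.path.to_s.split('/').reject(&:empty?)
  decoded = segments.map { |s| URI.decode_www_form_component(s) }
  # Dot segments could make the server resolve a different path than we compare.
  return nil if decoded.any? { |s| ['.', '..'].include?(s) }

  [uri.scheme.downcase, uri.host.downcase, uri.port, segments]
rescue URI::InvalidURIError, ArgumentError
  nil
end

# Naive check, shown for contrast: also matches sibling paths and look-alike hosts.
def naive_match?(prefix, url)
  url.start_with?(prefix)
end

# Same origin, and the prefix path must match on whole segments.
def prefix_match?(prefix, url)
  p_parts = url_parts(prefix)
  u_parts = url_parts(url)
  return false unless p_parts && u_parts

  p_parts[0..2] == u_parts[0..2] &&
    u_parts[3].first(p_parts[3].length) == p_parts[3]
end

# Decide whether a webhook may attach a merge request to an issue's project.
def association_allowed?(policy, merge_request_url)
  return false unless policy.module_enabled
  return true if policy.allowed_prefixes.empty? # empty list: any external project

  policy.allowed_prefixes.any? { |prefix| prefix_match?(prefix, merge_request_url) }
end
```

In a real plugin the policy would be looked up from the project of the issue referenced in the merge request, so a mistyped issue ID pointing into another project is rejected by that project's own list.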