Open isrealbm opened 3 days ago
Hello @isrealbm,
Thank you for reporting this issue. We're actively investigating and will implement a fix soon. We appreciate your help in improving Plane. We'll update you once the problem is resolved.
We have identified that API tokens are generated at the user level, meaning that a token is associated directly with a user rather than a specific workspace. Consequently, if a user has access to a particular workspace, their API token enables them to access resources across all workspaces to which they have been granted access.
Currently, the process of creating API tokens is managed through the workspace settings interface. This has led to some confusion among users, as it creates the impression that tokens are tied to specific workspaces. However, our underlying validation logic operates differently. When an API request is made, our system verifies whether the user associated with the token has access to the requested workspace, without regard to the workspace in which the token was originally created.
To improve clarity, we are considering changing the UI of the API tokens from workspace settings to user settings. This adjustment could help users understand that API tokens are more like personal access tokens, giving access to all the resources the user has access to.
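The distinction the maintainers draw above (a token identifies a user, and the request is allowed whenever that user is a member of the requested workspace, regardless of where the token was created) is easier to see in code. The following is an added illustration written for this page, not Plane's own implementation: the workspace slugs, user names and token strings are constructed sample data, and the second function is a hypothetical workspace-scoped check included only for contrast with the user-level model the issue describes.

```python
"""Added illustration (not Plane's code) of the two token-scoping models
discussed in this issue. All data below is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class ApiToken:
    value: str
    user_id: str
    # Recorded because the token was minted from a workspace settings page,
    # but under the user-level model this field is never consulted.
    created_in_workspace: str


# Constructed sample data: alice belongs to two workspaces, bob to one.
WORKSPACE_MEMBERS: Dict[str, Set[str]] = {
    "ws-alpha": {"alice", "bob"},
    "ws-beta": {"alice"},
}

# Constructed sample tokens, keyed by their (plaintext, for illustration) value.
TOKENS: Dict[str, ApiToken] = {
    "tok-alice-alpha": ApiToken("tok-alice-alpha", "alice", "ws-alpha"),
    "tok-bob-alpha": ApiToken("tok-bob-alpha", "bob", "ws-alpha"),
}


def _lookup(token_value: str) -> Optional[ApiToken]:
    return TOKENS.get(token_value)


def authorize_user_level(token_value: str, workspace: str) -> bool:
    """Model of the behaviour the maintainers describe: the token only
    identifies a user, and the request is allowed if that user is a member
    of the requested workspace. The creating workspace plays no part."""
    token = _lookup(token_value)
    if token is None:
        return False
    return token.user_id in WORKSPACE_MEMBERS.get(workspace, set())


def authorize_workspace_scoped(token_value: str, workspace: str) -> bool:
    """Hypothetical stricter model for contrast: membership is still
    required, and the token must also have been created in the workspace
    that the request targets."""
    token = _lookup(token_value)
    if token is None:
        return False
    if token.created_in_workspace != workspace:
        return False
    return token.user_id in WORKSPACE_MEMBERS.get(workspace, set())


def scope_report(token_value: str) -> Dict[str, Tuple[bool, bool]]:
    """For one token, the (user_level, workspace_scoped) outcome per
    workspace, so the difference between the two models is visible."""
    return {
        ws: (
            authorize_user_level(token_value, ws),
            authorize_workspace_scoped(token_value, ws),
        )
        for ws in WORKSPACE_MEMBERS
    }


if __name__ == "__main__":
    for tok in TOKENS:
        print(tok, scope_report(tok))
```

Running it shows the reporter's observation: alice's token created in `ws-alpha` is accepted for `ws-beta` under the user-level check, because alice is a member there, while bob's token is rejected for `ws-beta` under both models because bob is not a member. Only the workspace-scoped variant ties a token to the workspace it was created in.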
Is there an existing issue for this?
Current behavior
I use 2 API keys to read the data. Everything works, but I can read data of other workspaces without providing the right API key.
Steps to reproduce
Environment
Production
Browser
None
Variant
Self-hosted
Version
Version: v0.22.0