From 4499ab310f49ac5eaea60991623200f95b6feb89 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Mar 06 2017 19:18:42 +0000
Subject: Regular users should only be allowed to have limited project-less API token

Basically, we do not want people to generate API tokens that could flag any PR on any project, potentially leading to invalid flag or abuse of the system.

---

diff --git a/pagure/default_config.py b/pagure/default_config.py
index 9ac9d43..62f639f 100644
--- a/pagure/default_config.py
+++ b/pagure/default_config.py
@@ -226,10 +226,15 @@ ACLS = {
 CROSS_PROJECT_ACLS = [
 'create_project',
 'fork_project',
+]
+
+# ACLs with which admins are allowed to create project-less API tokens
+ADMIN_API_ACLS = [
 'issue_comment',
 'issue_create',
 'pull_request_flag',
 'pull_request_comment',
+ 'pull_request_merge',
 ]
 
 # Bootstrap URLS
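Review bot: ADMIN_API_ACLS is declared here with 'pull_request_merge' newly added to it, but the comment does not say whether these ACLs are granted in addition to CROSS_PROJECT_ACLS or instead of it, nor that a token carrying them acts on every project — exactly the property the commit message is trying to confine. I would extend the comment to `# ACLs with which admins are allowed to create project-less API tokens.` followed by `# A token carrying any of these acts on every project, so the admin check must be` and `# enforced wherever a project-less token is created; regular users get CROSS_PROJECT_ACLS only.` The narrowing of CROSS_PROJECT_ACLS to 'create_project' and 'fork_project' is visible only through the moved lines; a one-line comment on that list stating it is the set regular users may request would make the split explicit (any existing comment above it is outside the hunk). The check that only admins may request ADMIN_API_ACLS is presumably elsewhere in the commit, since this file only declares the two lists.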