feat: add canReadAllProjectEvents and canManageDevBranches token flags

zajca · zajca · commit a53160335cba · 2026-03-24T19:21:09.000+01:00
Implement two new boolean permission flags for non-admin Storage API tokens:

- canReadAllProjectEvents: grants read-only access to all project events
  (not just own-token events), without requiring admin token
- canManageDevBranches: grants ability to create/delete dev branches
  without requiring admin token (blocked in SOX projects)

Both flags are:
- Set at creation time only (not updatable)
- Mutually exclusive with canCreateJobs and canManageProtectedDefaultBranch
- Backward compatible (default false, DB migration with DEFAULT 0)

Security: canManageDevBranches is blocked in SOX/protected-branch projects
at the CreateTokenVoter level. Main branch deletion is protected in
CanDeleteDevBranch voter.

Includes DB migration, unit tests, E2E tests, and PHP client support.
diff --git a/src/Keboola/StorageApi/Options/TokenCreateOptions.php b/src/Keboola/StorageApi/Options/TokenCreateOptions.php
@@ -14,6 +14,10 @@ class TokenCreateOptions extends TokenAbstractOptions
 
     private bool $canCreateJobs = false;
 
+    private bool $canReadAllProjectEvents = false;
+
+    private bool $canManageDevBranches = false;
+
     /**
      * @return int|null
      */
@@ -72,6 +76,28 @@ public function canCreateJobs(): bool
         return $this->canCreateJobs;
     }
 
+    public function setCanReadAllProjectEvents(bool $canReadAllProjectEvents = true): self
+    {
+        $this->canReadAllProjectEvents = $canReadAllProjectEvents;
+        return $this;
+    }
+
+    public function canReadAllProjectEvents(): bool
+    {
+        return $this->canReadAllProjectEvents;
+    }
+
+    public function setCanManageDevBranches(bool $canManageDevBranches = true): self
+    {
+        $this->canManageDevBranches = $canManageDevBranches;
+        return $this;
+    }
+
+    public function canManageDevBranches(): bool
+    {
+        return $this->canManageDevBranches;
+    }
+
     /**
      * @param bool $forJson return structure for form-data (false) or for JSON (true)
      */
@@ -95,6 +121,14 @@ public function toParamsArray(bool $forJson = false): array
             $params['canCreateJobs'] = $this->canCreateJobs();
         }
 
+        if ($this->canReadAllProjectEvents()) {
+            $params['canReadAllProjectEvents'] = $this->canReadAllProjectEvents();
+        }
+
+        if ($this->canManageDevBranches()) {
+            $params['canManageDevBranches'] = $this->canManageDevBranches();
+        }
+
         return $params;
     }
 }
