
In a GitLab project, anyone who has the master permission in the project is able to view the admin's access token under project --> settings --> integration --> hook --> edit path.

[Screenshot: hook]

[Screenshot: editing the hook]

How is this admin's access token visible to another user? How can I hide it?

Arunkumar
  • That's not the admin access token but the authentication token of the webhook for the specific project. Therefore it is perfectly sane that the project master can see the token. – secustor Jan 10 '18 at 15:58
  • @secustor I am using that token for other API operations too. It is taken from an admin account. – Arunkumar Jan 11 '18 at 04:48

1 Answer


That totally contradicts the purpose of tokens, therefore there is no such feature.

Tokens should be in every case unique and the awarded rights as small as possible.

If you use the personal token of an admin as the webhook secret, the target will be able to read out, in the best case, all your users' data. In case you enabled API access for the token, it can change the instance at will, e.g. delete projects.

TLDR: do NOT use the same tokens multiple times.

secustor
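The rule from the answer above (one dedicated secret per hook, never an API token), as an added example that is not part of the original answer or of GitLab's code. It assumes the receiver reads the hook secret from the `X-Gitlab-Token` request header; the function names, project names and token values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


def new_webhook_secret() -> str:
    """Random value used only as one hook's secret; it carries no API rights."""
    return secrets.token_urlsafe(32)


def fingerprint(value: str) -> str:
    """SHA-256 hex digest, so the audit never has to store tokens in clear."""
    return hashlib.sha256(value.encode()).hexdigest()


def audit_hook_secrets(hook_secrets: dict, api_token_fingerprints: set) -> dict:
    """Return {project: [findings]} for hook secrets that break the one-use rule."""
    by_value = defaultdict(list)
    for project, secret in hook_secrets.items():
        by_value[fingerprint(secret)].append(project)
    findings = defaultdict(list)
    for digest, projects in by_value.items():
        for project in projects:
            if digest in api_token_fingerprints:
                findings[project].append("secret is also an API token")
            if len(projects) > 1:
                findings[project].append("secret shared with another hook")
    return dict(findings)


def verify_hook_request(headers: dict, expected_secret: str) -> bool:
    """Receiver side: compare the X-Gitlab-Token header in constant time."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("x-gitlab-token")
    if not presented or not expected_secret:
        return False
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


# Constructed sample data: the token and project names are made up.
ADMIN_API_TOKEN = "constructed-admin-token-0000"
HOOKS = {
    "group/app": ADMIN_API_TOKEN,         # the mistake from the question
    "group/lib": "shared-secret",
    "group/docs": "shared-secret",
    "group/infra": new_webhook_secret(),  # dedicated random secret
}
REPORT = audit_hook_secrets(HOOKS, {fingerprint(ADMIN_API_TOKEN)})
```

Only `group/infra` passes the audit; the other three hooks should each get a fresh value from `new_webhook_secret()`, and the admin token should be revoked and reissued since every project master could read it.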