API enforces usage of private token


We are developing a benchmarking platform and one component of this platform is a Gitlab instance. We are using the Gitlab API for the communication between Gitlab and other components (especially to request information about the projects of our users).
Our current Gitlab version is 10.0.2. We are using a Java library that communicates with Gitlab via the API version 3 for the communication but the problem occurs in version 4 as well (tested it manually). For the authentication, we are using the personal access token of the user (in our case, an admin account).

Problem description

The Gitlab API description states that

Instead of using your private token which grants full access to your account, personal access tokens could be a better fit because of their granular permissions.
Once you have your token, pass it to the API using either the private_token parameter or the PRIVATE-TOKEN header.

This works perfectly for most of the methods we are using. However, we have a situation in which we would like to get all projects a given user can see. Since we are using an admin account for authentication, we can see all projects and all users. However, when we try to use the list all projects method together with the sudo attribute (which would perfectly fit our use case), the API returns the error message

{"message":"403 Forbidden  - Private token must be specified in order to use sudo"}

Please note that the API does not state that our user does not have the admin rights necessary to use the sudo attribute. The method is working with the private token of our admin.


Is it known or maybe even a desired feature that the private token is necessary for using sudo methods and the personal access tokens are not working (even if they are access tokens of an administrator giving access to the API)?
If yes, it should be described in the documentation (I couldn’t find it there). If no, I would be happy if this could be fixed :smiley:

It turns out to be a bug that has already been reported at https://gitlab.com/gitlab-org/gitlab-ce/issues/38447