read_user scope does not grant permission to use /api/v3/user
Summary
OAuth read_user scope does not grant permission to use /api/v3/user anymore. It worked in the past, so this is a regression.
Steps to reproduce
- Obtain an OAuth access token with "read_user" permission (and no "api" permission).
- Try to access "/api/v3/user" with this token.
What is the current bug behavior?
403 Forbidden with this content:
{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api"}
What is the expected correct behavior?
User data is returned.
Output of checks
This bug happens on GitLab.com
Edited by username-removed-427747