PersonalAccessToken can be restricted to project from controller

app/controllers/profiles/personal_access_tokens_controller.rb

@@ -37,7 +37,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
   end
   def personal_access_token_params
-    params.require(:personal_access_token).permit(:name, :expires_at, scopes: [])
+    params.require(:personal_access_token).permit(:name, :expires_at, scopes: [], project_ids: [])
   end
   # rubocop: disable CodeReuse/ActiveRecord

spec/controllers/profiles/personal_access_tokens_controller_spec.rb

@@ -33,6 +33,23 @@ describe Profiles::PersonalAccessTokensController do
       expect(created_token).not_to be_nil
       expect(created_token.expires_at).to eq(expires_at)
     end
+
+    it "tokens are not restricted by project by default" do
+      post :create, personal_access_token: token_attributes
+
+      expect(created_token).not_to be_restricted_by_resource
+    end
+
+    it "allows creation of tokens restricted by project" do
+      allowed_project = create(:project)
+      restricted_project = create(:project)
+
+      post :create, personal_access_token: token_attributes.merge(project_ids: [allowed_project.id])
+
+      expect(created_token).to be_restricted_by_resource
+      expect(created_token.allows_resource?(allowed_project)).to be_truthy
+      expect(created_token.allows_resource?(restricted_project)).to be_falsey
+    end
   end
   describe '#index' do

spec/models/personal_access_token_spec.rb

@@ -26,6 +26,14 @@ describe PersonalAccessToken do
     end
   end
+  describe '.create' do
+    it 'can be restricted to projects' do
+      token = create(:personal_access_token, projects: create_list(:project, 2))
+
+      expect(token.projects.count).to eq 2
+    end
+  end
+
   describe ".active?" do
     let(:active_personal_access_token) { build(:personal_access_token) }
     let(:revoked_personal_access_token) { build(:personal_access_token, :revoked) }