clearer access tokens allow check on dotcom (#63368)

Previously, the code would prevent us from using the AccessTokensAdmin
config setting on dotcom entirely, instead of just restricting it when
site admins create an access token for a different user, which was the
intent.


## Test plan

CI

Author: sqs

cmd/frontend/graphqlbackend/access_tokens.go

@@ -29,13 +29,6 @@ type createAccessTokenInput struct {
 }
 
 func (r *schemaResolver) CreateAccessToken(ctx context.Context, args *createAccessTokenInput) (*createAccessTokenResult, error) {
-	// 🚨 SECURITY: Creating access tokens for any user by site admins is not
-	// allowed on Sourcegraph.com. This check is mostly the defense for a
-	// misconfiguration of the site configuration.
-	if dotcom.SourcegraphDotComMode() && conf.AccessTokensAllow() == conf.AccessTokensAdmin {
-		return nil, errors.Errorf("access token configuration value %q is disabled on Sourcegraph.com", conf.AccessTokensAllow())
-	}
-
 	userID, err := UnmarshalUserID(args.User)
 	if err != nil {
 		return nil, err
@@ -56,6 +49,16 @@ func (r *schemaResolver) CreateAccessToken(ctx context.Context, args *createAcce
 		if err := auth.CheckCurrentUserIsSiteAdmin(ctx, r.db); err != nil {
 			return nil, errors.New("Access token creation has been restricted to admin users. Contact an admin user to create a new access token.")
 		}
+
+		// 🚨 SECURITY: Creating access tokens for other users by site admins is not allowed on
+		// Sourcegraph.com. This check is mostly the defense for a misconfiguration of the site
+		// configuration.
+		if dotcom.SourcegraphDotComMode() {
+			if err := auth.CheckSameUser(ctx, userID); err != nil {
+				return nil, errors.New("access token creation for other users is disabled on Sourcegraph.com")
+			}
+		}
+
 	case conf.AccessTokensNone:
 	default:
 		return nil, errors.New("Access token creation is disabled. Contact an admin user to enable.")

cmd/frontend/graphqlbackend/access_tokens_test.go

@@ -375,8 +375,12 @@ func TestMutation_CreateAccessToken(t *testing.T) {
 		assert.Equal(t, want, got)
 	})
 
-	t.Run("disable create access token for any user on Sourcegraph.com", func(t *testing.T) {
+	t.Run("prevent create access token for other user on Sourcegraph.com", func(t *testing.T) {
+		users := dbmocks.NewMockUserStore()
+		users.GetByCurrentAuthUserFunc.SetDefaultReturn(&types.User{ID: 1, SiteAdmin: true}, nil)
+
 		db := dbmocks.NewMockDB()
+		db.UsersFunc.SetDefaultReturn(users)
 
 		conf.Get().AuthAccessTokens = &schema.AuthAccessTokens{Allow: string(conf.AccessTokensAdmin)}
 		defer func() { conf.Get().AuthAccessTokens = nil }()
@@ -386,13 +390,13 @@ func TestMutation_CreateAccessToken(t *testing.T) {
 		ctx := actor.WithActor(context.Background(), &actor.Actor{UID: 1})
 		_, err := newSchemaResolver(db, gitserver.NewTestClient(t)).CreateAccessToken(ctx,
 			&createAccessTokenInput{
-				User:            MarshalUserID(1),
+				User:            MarshalUserID(2),
 				Scopes:          []string{authz.ScopeUserAll},
 				DurationSeconds: &defaultTokenDuration,
 			},
 		)
 		got := fmt.Sprintf("%v", err)
-		want := `access token configuration value "site-admin-create" is disabled on Sourcegraph.com`
+		want := `access token creation for other users is disabled on Sourcegraph.com`
 		assert.Equal(t, want, got)
 	})
 }