Describe the bug
When I use a "bot" account with "Maintainer" level access to projects, there are no projects to select from in the form for the token creation.
Expected behavior
Since this "bot" can upload dists using user/password auth, it should also have similar privileges set when using tokens.
To Reproduce
Go to https://pypi.org/manage/account/token and try selecting a project where you have only "Maintainer"-level access, not "Owner".
My Platform
N/A
Additional context
N/A
Yup, I can confirm this. If I am logged in as a user who has maintainer-level collaborator status on a project, that project does not appear in the Scope dropdown list at manage/account/token/.
This is a bug IMO and we should fix it before further publicizing the feature (per rollout tracked in #5661).
Thanks for finding and reporting this bug @webknjaz! :trophy:
Hmm, yeah, this is probably just a matter of how/which projects we iterate over for the user.
I'll check this out, thanks @webknjaz!
just a matter of how/which projects we iterate over
That's my guess too.
Yeah, here's the root cause: We use the user_projects helper in manage/views.py, which returns projects based on just ownership:
```python
from sqlalchemy import func

from warehouse.packaging.models import Project, Role


def user_projects(request):
    """Return the projects the user owns, and the subset they are the sole owner of."""
    # Subquery: ids of every project on which the current user holds an "Owner" role.
    # Only the Owner role is considered here; Maintainer roles are never looked at.
    projects_owned = (
        request.db.query(Project.id)
        .join(Role.project)
        .filter(Role.role_name == "Owner", Role.user == request.user)
        .subquery()
    )

    # Of those, the projects that have exactly one Owner role in total.
    with_sole_owner = (
        request.db.query(Role.project_id)
        .join(projects_owned)
        .filter(Role.role_name == "Owner")
        .group_by(Role.project_id)
        .having(func.count(Role.project_id) == 1)
        .subquery()
    )

    return {
        "projects_owned": (
            request.db.query(Project)
            .join(projects_owned, Project.id == projects_owned.c.id)
            .order_by(Project.name)
            .all()
        ),
        "projects_sole_owned": (
            request.db.query(Project).join(with_sole_owner).order_by(Project.name).all()
        ),
    }
```
We could either amend that helper to include a sub-dict for maintainer roles as well, or add a new helper just for macaroons that returns just project names for those two roles.
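The difference between the Owner-only lookup and an Owner-or-Maintainer lookup, as an added, self-contained example that is not Warehouse's code: it uses the standard-library sqlite3 module and a simplified projects/users/roles schema (assumed here; the real models live in warehouse.packaging.models and are queried through SQLAlchemy) so the two queries can be run offline against constructed sample data. The helper name macaroon_scope_projects is hypothetical.

```python
"""Constructed stand-in for the Owner-only project lookup and its
Owner-or-Maintainer replacement. Not Warehouse's code; the schema is a
simplified assumption so the queries run offline with sqlite3."""
import sqlite3

SCHEMA = """
CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE);
CREATE TABLE roles (
    id INTEGER PRIMARY KEY,
    role_name TEXT NOT NULL CHECK (role_name IN ('Owner', 'Maintainer')),
    user_id INTEGER NOT NULL REFERENCES users(id),
    project_id INTEGER NOT NULL REFERENCES projects(id),
    UNIQUE (user_id, project_id)
);
"""

# Constructed sample data: "bot" is sole owner of "alpha", co-owner of
# "beta" with "alice", and only a Maintainer on "gamma" (owned by "alice").
SEED = [
    ("INSERT INTO users VALUES (?, ?)", [(1, "bot"), (2, "alice")]),
    ("INSERT INTO projects VALUES (?, ?)",
     [(10, "alpha"), (11, "beta"), (12, "gamma")]),
    ("INSERT INTO roles (role_name, user_id, project_id) VALUES (?, ?, ?)",
     [("Owner", 1, 10),
      ("Owner", 1, 11), ("Owner", 2, 11),
      ("Maintainer", 1, 12), ("Owner", 2, 12)]),
]


def make_db():
    """Build an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SEED:
        conn.executemany(sql, rows)
    return conn


def user_projects(conn, username):
    """Mirror of the Owner-only helper: projects owned, and the sole-owned subset.

    Maintainer roles are never consulted, which is why a Maintainer-only
    project is missing from the result."""
    owned = conn.execute(
        """
        SELECT p.name FROM projects p
        JOIN roles r ON r.project_id = p.id
        JOIN users u ON u.id = r.user_id
        WHERE r.role_name = 'Owner' AND u.username = ?
        ORDER BY p.name
        """,
        (username,),
    ).fetchall()
    # Among the owned projects, keep those with exactly one Owner role in total.
    sole = conn.execute(
        """
        SELECT p.name FROM projects p
        JOIN roles r ON r.project_id = p.id
        WHERE r.role_name = 'Owner'
          AND p.id IN (SELECT r2.project_id FROM roles r2
                       JOIN users u ON u.id = r2.user_id
                       WHERE r2.role_name = 'Owner' AND u.username = ?)
        GROUP BY p.id, p.name
        HAVING COUNT(*) = 1
        ORDER BY p.name
        """,
        (username,),
    ).fetchall()
    return {
        "projects_owned": [name for (name,) in owned],
        "projects_sole_owned": [name for (name,) in sole],
    }


def macaroon_scope_projects(conn, username, roles=("Owner", "Maintainer")):
    """Hypothetical helper for the token form: names of projects on which the
    user holds any of the given roles (Owner or Maintainer by default)."""
    # The placeholder string contains only "?" characters; every role value
    # and the username are bound as parameters, never interpolated.
    placeholders = ",".join("?" * len(roles))
    rows = conn.execute(
        f"""
        SELECT DISTINCT p.name FROM projects p
        JOIN roles r ON r.project_id = p.id
        JOIN users u ON u.id = r.user_id
        WHERE u.username = ? AND r.role_name IN ({placeholders})
        ORDER BY p.name
        """,
        (username, *roles),
    ).fetchall()
    return [name for (name,) in rows]


if __name__ == "__main__":
    db = make_db()
    print("owner-only:", user_projects(db, "bot"))
    print("token scope:", macaroon_scope_projects(db, "bot"))
```

Run as-is, the Owner-only lookup for "bot" returns alpha and beta (sole-owned: alpha) and silently drops gamma, while the Owner-or-Maintainer lookup returns all three; that is exactly the project that was missing from the Scope dropdown. Keeping the role list as a parameter also makes it easy to restrict the token form to a narrower set later without touching the query text.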