Add cr remarks

changelogs/unreleased/20440-limit-the-api-scope-of-personal-access-tokens.yml

 ---
-title: Add read_api read only scope
+title: Add read_api scope to personal access tokens for granting read only API access
 merge_request: 28944
 author:
 type: added

doc/user/profile/personal_access_tokens.md

@@ -43,6 +43,7 @@ the following table.
 | ------------------ | ------------- | ----------- |
 | `read_user`        | [GitLab 8.15](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/5951)   | Allows access to the read-only endpoints under `/users`. Essentially, any of the `GET` requests in the [Users API][users] are allowed. |
 | `api`              | [GitLab 8.15](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/5951)   | Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry. |
+| `read_api`           | [GitLab 12.10](https://https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28944)  | Grants read access to the API, including all groups and projects, the container registry, and the package registry. |
 | `read_registry`    | [GitLab 9.3](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/11845)   | Allows to read (pull) [container registry] images if a project is private and authorization is required. |
 | `sudo`             | [GitLab 10.2](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/14838)  | Allows performing API actions as any user in the system (if the authenticated user is an admin). |
 | `read_repository`  | [GitLab 10.7](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/17894)  | Allows read-only access (pull) to the repository through `git clone`. |

spec/requests/api/api_spec.rb

@@ -11,7 +11,7 @@ describe API::API do
     # to represent any API endpoint
     let(:user) { create(:user, last_activity_on: Date.yesterday) }
 
-    it 'updates the users last_activity_on date' do
+    it 'updates the users last_activity_on to the current date' do
       expect { get api('/groups', user) }.to change { user.reload.last_activity_on }.to(Date.today)
     end
 
@@ -25,7 +25,7 @@ describe API::API do
   end
 
   describe 'User with only read_api scope personal access token' do
-    # It does not matter which endpoint is used because this should
+    # It does not matter which endpoint is used because this should behave
     # in the same way for every request. `/groups` is used as an example
     # to represent any API endpoint
 
@@ -45,9 +45,9 @@ describe API::API do
       end
 
       it 'does not authorize user for post request' do
-        group_attributes = attributes_for_group_api
+        params = attributes_for_group_api
 
-        post api("/groups", personal_access_token: token), params: group_attributes
+        post api("/groups", personal_access_token: token), params: params
 
         expect(response).to have_gitlab_http_status(:forbidden)
       end