Fix pages abilities

app/controllers/projects/pages_controller.rb

@@ -1,7 +1,8 @@
 class Projects::PagesController < Projects::ApplicationController
   layout 'project_settings'
 
-  before_action :authorize_update_pages!
+  before_action :authorize_read_pages!, only: [:show]
+  before_action :authorize_update_pages!, except: [:show]
 
   def show
     @domains = @project.pages_domains.order(:domain)

app/policies/project_policy.rb

@@ -110,6 +110,8 @@ class ProjectPolicy < BasePolicy
     can! :admin_pipeline
     can! :admin_environment
     can! :admin_deployment
+    can! :admin_pages
+    can! :read_pages
     can! :update_pages
   end
 

app/views/projects/pages/_destroy.haml

@@ -7,3 +7,5 @@
         Removing the pages will prevent from exposing them to outside world.
       .form-actions
         = link_to 'Remove pages', namespace_project_pages_path(@project.namespace, @project), data: { confirm: 'Are you sure?'}, method: :delete, class: "btn btn-remove"
+- else
+  .nothing-here-block Only the project owner can remove pages

app/views/projects/pages/_list.html.haml

@@ -1,4 +1,4 @@
-- if @domains.any?
+- if can?(current_user, :update_pages, @project) && @domains.any?
   .panel.panel-default
     .panel-heading
       Domains (#{@domains.count})

app/views/projects/pages/_no_domains.html.haml

@@ -1,6 +1,7 @@
-.panel.panel-default
+- if can?(current_user, :update_pages, @project)
-  .panel-heading
+  .panel.panel-default
-    Domains
+    .panel-heading
-  .nothing-here-block
+      Domains
-    Support for domains and certificates is disabled.
+    .nothing-here-block
-    Ask your system's administrator to enable it.
+      Support for domains and certificates is disabled.
+      Ask your system's administrator to enable it.

app/views/projects/pages/show.html.haml

@@ -2,7 +2,7 @@
 %h3.page_title
   Pages
 
-  - if Gitlab.config.pages.external_http || Gitlab.config.pages.external_https
+  - if can?(current_user, :update_pages, @project) && (Gitlab.config.pages.external_http || Gitlab.config.pages.external_https)
     = link_to new_namespace_project_pages_domain_path(@project.namespace, @project), class: 'btn btn-new pull-right', title: 'New Domain' do
       %i.fa.fa-plus
       New Domain

doc/user/permissions.md

@@ -62,11 +62,14 @@ The following table depicts the various user permission levels in a project.
 | Manage runners                        |         |            |             | ✓        | ✓      |
 | Manage build triggers                 |         |            |             | ✓        | ✓      |
 | Manage variables                      |         |            |             | ✓        | ✓      |
+| Manage pages                          |         |            |             | ✓        | ✓      |
+| Manage pages domains and certificates |         |            |             | ✓        | ✓      |
 | Switch visibility level               |         |            |             |          | ✓      |
 | Transfer project to another namespace |         |            |             |          | ✓      |
 | Remove project                        |         |            |             |          | ✓      |
 | Force push to protected branches [^3] |         |            |             |          |        |
 | Remove protected branches [^3]        |         |            |             |          |        |
+| Remove pages                          |         |            |             |          | ✓      |
 
 ## Group