Allow Developer role to delete tags via container registry api
This brings the API permissions in line with the UI permissions
This commit is contained in:
parent
8ace9d91b5
commit
a881a592d1
|
@ -3,7 +3,7 @@
|
|||
module Projects
|
||||
module Registry
|
||||
class TagsController < ::Projects::Registry::ApplicationController
|
||||
before_action :authorize_update_container_image!, only: [:destroy]
|
||||
before_action :authorize_destroy_container_image!, only: [:destroy]
|
||||
|
||||
def index
|
||||
respond_to do |format|
|
||||
|
|
|
@ -258,6 +258,7 @@ class ProjectPolicy < BasePolicy
|
|||
enable :resolve_note
|
||||
enable :create_container_image
|
||||
enable :update_container_image
|
||||
enable :destroy_container_image
|
||||
enable :create_environment
|
||||
enable :create_deployment
|
||||
enable :create_release
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Allow developer role to delete docker tags via container registry API
|
||||
merge_request: 29512
|
||||
author:
|
||||
type: fixed
|
|
@ -115,12 +115,8 @@ module API
|
|||
authorize! :read_container_image, repository
|
||||
end
|
||||
|
||||
def authorize_update_container_image!
|
||||
authorize! :update_container_image, repository
|
||||
end
|
||||
|
||||
def authorize_destroy_container_image!
|
||||
authorize! :admin_container_image, repository
|
||||
authorize! :destroy_container_image, repository
|
||||
end
|
||||
|
||||
def authorize_admin_container_image!
|
||||
|
|
|
@ -39,7 +39,7 @@ describe ProjectPolicy do
|
|||
admin_milestone admin_merge_request update_merge_request create_commit_status
|
||||
update_commit_status create_build update_build create_pipeline
|
||||
update_pipeline create_merge_request_from create_wiki push_code
|
||||
resolve_note create_container_image update_container_image
|
||||
resolve_note create_container_image update_container_image destroy_container_image
|
||||
create_environment create_deployment create_release update_release
|
||||
]
|
||||
end
|
||||
|
|
|
@ -201,10 +201,10 @@ describe API::ContainerRegistry do
|
|||
describe 'DELETE /projects/:id/registry/repositories/:repository_id/tags/:tag_name' do
|
||||
subject { delete api("/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags/rootA", api_user) }
|
||||
|
||||
it_behaves_like 'being disallowed', :developer
|
||||
it_behaves_like 'being disallowed', :reporter
|
||||
|
||||
context 'for maintainer' do
|
||||
let(:api_user) { maintainer }
|
||||
context 'for developer' do
|
||||
let(:api_user) { developer }
|
||||
|
||||
before do
|
||||
stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA), with_manifest: true)
|
||||
|
|
Loading…
Reference in New Issue