Allow Developer role to delete tags via container registry api

This brings the API permissions in line with the UI permissions
2019-06-17 11:13:03 +00:00 · 2019-06-17 11:13:03 +00:00 · a881a592d1
parent 8ace9d91b5
commit a881a592d1
6 changed files with 12 additions and 10 deletions
--- a/app/controllers/projects/registry/tags_controller.rb
+++ b/app/controllers/projects/registry/tags_controller.rb
@ -3,7 +3,7 @@
 module Projects
  module Registry
    class TagsController < ::Projects::Registry::ApplicationController
-      before_action :authorize_update_container_image!, only: [:destroy]
+      before_action :authorize_destroy_container_image!, only: [:destroy]

      def index
        respond_to do |format|
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@ -258,6 +258,7 @@ class ProjectPolicy < BasePolicy
    enable :resolve_note
    enable :create_container_image
    enable :update_container_image
+    enable :destroy_container_image
    enable :create_environment
    enable :create_deployment
    enable :create_release
--- a/changelogs/unreleased/container-registry-api-perms-58271.yml
+++ b/changelogs/unreleased/container-registry-api-perms-58271.yml
@ -0,0 +1,5 @@
+---
+title: Allow developer role to delete docker tags via container registry API
+merge_request: 29512
+author:
+type: fixed
--- a/lib/api/container_registry.rb
+++ b/lib/api/container_registry.rb
@ -115,12 +115,8 @@ module API
        authorize! :read_container_image, repository
      end

-      def authorize_update_container_image!
-        authorize! :update_container_image, repository
-      end
-
      def authorize_destroy_container_image!
-        authorize! :admin_container_image, repository
+        authorize! :destroy_container_image, repository
      end

      def authorize_admin_container_image!
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@ -39,7 +39,7 @@ describe ProjectPolicy do
      admin_milestone admin_merge_request update_merge_request create_commit_status
      update_commit_status create_build update_build create_pipeline
      update_pipeline create_merge_request_from create_wiki push_code
-      resolve_note create_container_image update_container_image
+      resolve_note create_container_image update_container_image destroy_container_image
      create_environment create_deployment create_release update_release
    ]
  end
--- a/spec/requests/api/container_registry_spec.rb
+++ b/spec/requests/api/container_registry_spec.rb
@ -201,10 +201,10 @@ describe API::ContainerRegistry do
  describe 'DELETE /projects/:id/registry/repositories/:repository_id/tags/:tag_name' do
    subject { delete api("/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags/rootA", api_user) }

-    it_behaves_like 'being disallowed', :developer
+    it_behaves_like 'being disallowed', :reporter

-    context 'for maintainer' do
-      let(:api_user) { maintainer }
+    context 'for developer' do
+      let(:api_user) { developer }

      before do
        stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA), with_manifest: true)