From a881a592d12444cfd407987e171d97b9609441a4 Mon Sep 17 00:00:00 2001 From: Jason Goodman Date: Mon, 17 Jun 2019 11:13:03 +0000 Subject: [PATCH] Allow Developer role to delete tags via container registry api This brings the API permissions in line with the UI permissions --- app/controllers/projects/registry/tags_controller.rb | 2 +- app/policies/project_policy.rb | 1 + .../unreleased/container-registry-api-perms-58271.yml | 5 +++++ lib/api/container_registry.rb | 6 +----- spec/policies/project_policy_spec.rb | 2 +- spec/requests/api/container_registry_spec.rb | 6 +++--- 6 files changed, 12 insertions(+), 10 deletions(-) create mode 100644 changelogs/unreleased/container-registry-api-perms-58271.yml diff --git a/app/controllers/projects/registry/tags_controller.rb b/app/controllers/projects/registry/tags_controller.rb index 567d750caae..bf1d8d8b5fc 100644 --- a/app/controllers/projects/registry/tags_controller.rb +++ b/app/controllers/projects/registry/tags_controller.rb @@ -3,7 +3,7 @@ module Projects module Registry class TagsController < ::Projects::Registry::ApplicationController - before_action :authorize_update_container_image!, only: [:destroy] + before_action :authorize_destroy_container_image!, only: [:destroy] def index respond_to do |format| diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 728a3040227..a3632640ede 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -258,6 +258,7 @@ class ProjectPolicy < BasePolicy enable :resolve_note enable :create_container_image enable :update_container_image + enable :destroy_container_image enable :create_environment enable :create_deployment enable :create_release diff --git a/changelogs/unreleased/container-registry-api-perms-58271.yml b/changelogs/unreleased/container-registry-api-perms-58271.yml new file mode 100644 index 00000000000..0d1036a7788 --- /dev/null +++ b/changelogs/unreleased/container-registry-api-perms-58271.yml 
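Review bot: In `tags_controller.rb`, the new `before_action :authorize_destroy_container_image!` names a filter that is not defined anywhere in this patch, and the diffstat lists no controller spec, so the UI delete path changes without a test that pins it. If the controller base class resolves `authorize_*!` names dynamically (not visible here), a misspelled or unregistered ability would only surface at request time. A controller spec that sends `destroy` as a developer and as a reporter would cover both the allow and the deny side. The class body continues outside the hunk.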
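Review bot: In `project_policy.rb`, `enable :destroy_container_image` introduces a new ability name, and the hunk does not show whether the rules that take container-image abilities away (for example for a disabled registry or an archived project) also cover it. Tag deletion used to be gated by `:update_container_image` in the UI and `:admin_container_image` in the API, so any `prevent` list that names those but not `:destroy_container_image` would leave deletion open where it was previously blocked. Please check every `prevent` that mentions `:update_container_image` or `:admin_container_image`, and add a policy spec asserting that `:destroy_container_image` is disallowed in those states. I would also add a comment above the new line, such as `# Deleting tags is granted separately from :update_container_image so the UI and API share one check`. The enclosing rule block starts and ends outside the hunk.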
@@ -0,0 +1,5 @@ +--- +title: Allow developer role to delete docker tags via container registry API +merge_request: 29512 +author: +type: fixed diff --git a/lib/api/container_registry.rb b/lib/api/container_registry.rb index e4493910196..7d9b5e1a598 100644 --- a/lib/api/container_registry.rb +++ b/lib/api/container_registry.rb @@ -115,12 +115,8 @@ module API authorize! :read_container_image, repository end - def authorize_update_container_image! - authorize! :update_container_image, repository - end - def authorize_destroy_container_image! - authorize! :admin_container_image, repository + authorize! :destroy_container_image, repository end def authorize_admin_container_image! diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index ed0e82ef179..4b723a52b51 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -39,7 +39,7 @@ describe ProjectPolicy do admin_milestone admin_merge_request update_merge_request create_commit_status update_commit_status create_build update_build create_pipeline update_pipeline create_merge_request_from create_wiki push_code - resolve_note create_container_image update_container_image + resolve_note create_container_image update_container_image destroy_container_image create_environment create_deployment create_release update_release ] end diff --git a/spec/requests/api/container_registry_spec.rb b/spec/requests/api/container_registry_spec.rb index ea035a8be4a..4ad15ed6bea 100644 --- a/spec/requests/api/container_registry_spec.rb +++ b/spec/requests/api/container_registry_spec.rb 
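Review bot: In `lib/api/container_registry.rb`, `authorize_update_container_image!` is deleted outright and the hunk does not show the endpoints, so any route in this file that still calls it would now fail with an undefined-method error instead of an authorization response; a search for remaining callers before merge settles that. The remaining pair, `authorize_destroy_container_image!` (now developer-level) and `authorize_admin_container_image!` (maintainer-level, judging by the spec change), differ in who they admit, and nothing at the definitions says which deletions belong to which. A short comment on each helper would keep a later endpoint from picking the wider one by accident, e.g. `# Developer and above: deleting a single tag` and `# Maintainer and above: keep for operations that must stay restricted`. The helpers block starts and ends outside the hunk.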
@@ -201,10 +201,10 @@ describe API::ContainerRegistry do describe 'DELETE /projects/:id/registry/repositories/:repository_id/tags/:tag_name' do subject { delete api("/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags/rootA", api_user) } - it_behaves_like 'being disallowed', :developer + it_behaves_like 'being disallowed', :reporter - context 'for maintainer' do - let(:api_user) { maintainer } + context 'for developer' do + let(:api_user) { developer } before do stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA), with_manifest: true)
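Review bot: In `container_registry_spec.rb`, the `'for developer'` context replaces `'for maintainer'` instead of sitting next to it, so within this hunk the endpoint is no longer exercised with a maintainer, and nothing here checks that the widening stops at single-tag deletion. Since `authorize_admin_container_image!` is kept in the API helpers, the endpoints that use it should have (or keep) `it_behaves_like 'being disallowed', :developer` so a later change cannot move them to the developer-level check unnoticed; whether they already do is not visible in this hunk. Keeping a maintainer context alongside the developer one costs a few lines and guards the inherited path. The `describe` block continues outside the hunk.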