If user can push to docker then it can delete too
Extends the permission of $CI_REGISTRY_USER to allow them to delete tags in addition to just pushing. https://gitlab.com/gitlab-org/gitlab-ce/issues/40096
parent
3feab2348f
commit
f5b2899422
|
@ -124,13 +124,21 @@ module Auth
|
|||
build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project)
|
||||
when 'push'
|
||||
build_can_push?(requested_project) || user_can_push?(requested_project)
|
||||
when '*', 'delete'
|
||||
when 'delete'
|
||||
build_can_delete?(requested_project) || user_can_admin?(requested_project)
|
||||
when '*'
|
||||
user_can_admin?(requested_project)
|
||||
else
|
||||
false
|
||||
end
|
||||
end
|
||||
|
||||
def build_can_delete?(requested_project)
|
||||
# Build can delete only from the project from which it originates
|
||||
has_authentication_ability?(:build_destroy_container_image) &&
|
||||
requested_project == project
|
||||
end
|
||||
|
||||
def registry
|
||||
Gitlab.config.registry
|
||||
end
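Review bot: `build_can_delete?` authorises a destructive registry action from the job token alone: it checks `has_authentication_ability?(:build_destroy_container_image)` and `requested_project == project`, and nothing about the user who triggered the job. Because the `module Gitlab` hunk further down adds `:build_destroy_container_image` to the build abilities list unconditionally, every job in the project would appear able to delete tags, while the interactive user path for `delete` still requires `user_can_admin?`. If that asymmetry is intended, say so in the method comment, e.g. `# Any job of this project may delete tags; the triggering user's role is not consulted`; otherwise the check should also require the triggering user's own permission to destroy images. The `case` statement starts outside the hunk, so how the requested action reaches these branches is not visible.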
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Allow $CI_REGISTRY_USER to delete tags
|
||||
merge_request: 31796
|
||||
author:
|
||||
type: added
|
|
@ -265,7 +265,8 @@ module Gitlab
|
|||
:read_project,
|
||||
:build_download_code,
|
||||
:build_read_container_image,
|
||||
:build_create_container_image
|
||||
:build_create_container_image,
|
||||
:build_destroy_container_image
|
||||
]
|
||||
end
|
||||
|
||||
|
|
|
@ -587,7 +587,8 @@ describe Gitlab::Auth do
|
|||
:read_project,
|
||||
:build_download_code,
|
||||
:build_read_container_image,
|
||||
:build_create_container_image
|
||||
:build_create_container_image,
|
||||
:build_destroy_container_image
|
||||
]
|
||||
end
|
||||
|
||||
|
|
|
@ -476,7 +476,7 @@ describe Auth::ContainerRegistryAuthenticationService do
|
|||
let(:current_user) { create(:user) }
|
||||
|
||||
let(:authentication_abilities) do
|
||||
[:build_read_container_image, :build_create_container_image]
|
||||
[:build_read_container_image, :build_create_container_image, :build_destroy_container_image]
|
||||
end
|
||||
|
||||
before do
|
||||
|
@ -507,19 +507,19 @@ describe Auth::ContainerRegistryAuthenticationService do
|
|||
end
|
||||
end
|
||||
|
||||
context 'disallow to delete images' do
|
||||
context 'allow to delete images since registry 2.7' do
|
||||
let(:current_params) do
|
||||
{ scopes: ["repository:#{current_project.full_path}:*"] }
|
||||
{ scopes: ["repository:#{current_project.full_path}:delete"] }
|
||||
end
|
||||
|
||||
it_behaves_like 'an inaccessible' do
|
||||
it_behaves_like 'a deletable since registry 2.7' do
|
||||
let(:project) { current_project }
|
||||
end
|
||||
end
|
||||
|
||||
context 'disallow to delete images since registry 2.7' do
|
||||
context 'disallow to delete images' do
|
||||
let(:current_params) do
|
||||
{ scopes: ["repository:#{current_project.full_path}:delete"] }
|
||||
{ scopes: ["repository:#{current_project.full_path}:*"] }
|
||||
end
|
||||
|
||||
it_behaves_like 'an inaccessible' do
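Review bot: Both delete contexts in this section request scopes on `current_project` only, so the `requested_project == project` guard in `build_can_delete?` has no negative case visible here, and that guard is what keeps a job token from deleting tags in another project. I would add a context that requests the `delete` scope on a different project with the same abilities and expects `'an inaccessible'`, plus one where `authentication_abilities` omits `:build_destroy_container_image`. Such cases may already exist outside these hunks. The final `it_behaves_like 'an inaccessible' do` block continues past the end of the hunk.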
|
||||
|
|