Commit
9e318bd9
authored
May 13, 2016
by
Kamil Trzcinski
Fix container registry permissions
parent
575a73c8
Showing
4 changed files
with
21 additions
and
2 deletions
+21
-2
app/models/ability.rb
app/models/ability.rb
+1
-0
app/services/jwt/container_registry_authentication_service.rb
...services/jwt/container_registry_authentication_service.rb
+5
-1
app/services/projects/destroy_service.rb
app/services/projects/destroy_service.rb
+1
-1
spec/services/jwt/container_registry_authentication_service_spec.rb
...ces/jwt/container_registry_authentication_service_spec.rb
+14
-0
app/models/ability.rb
...
@@ -61,6 +61,7 @@ class Ability
...
@@ -61,6 +61,7 @@ class Ability
:read_merge_request
,
:read_merge_request
,
:read_note
,
:read_note
,
:read_commit_status
,
:read_commit_status
,
:read_container_registry
,
:download_code
:download_code
]
]
...
...
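Review bot: `:read_container_registry` is added to this list with no reference to the per-project `container_registry_enabled?` switch, which this commit enforces only inside `JWT::ContainerRegistryAuthenticationService#can_access?`. The array's name and the users it applies to lie outside the hunk, but its neighbours (`:read_note`, `:download_code`) suggest a broad read-level grant. If so, any other caller of `can?(user, :read_container_registry, project)` would pass for a project whose registry is switched off. Either strip the ability in `Ability` when the feature is disabled, or at least mark the entry: `# registry access also requires project.container_registry_enabled? (enforced in the JWT service)`.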
app/services/jwt/container_registry_authentication_service.rb
...
@@ -3,6 +3,8 @@ module JWT
...
@@ -3,6 +3,8 @@ module JWT
AUDIENCE
=
'container_registry'
AUDIENCE
=
'container_registry'
def
execute
def
execute
return
error
(
'not found'
,
404
)
unless
registry
.
enabled
if
params
[
:offline_token
]
if
params
[
:offline_token
]
return
error
(
'forbidden'
,
403
)
unless
current_user
return
error
(
'forbidden'
,
403
)
unless
current_user
end
end
...
@@ -65,9 +67,11 @@ module JWT
...
@@ -65,9 +67,11 @@ module JWT
end
end
def
can_access?
(
requested_project
,
requested_action
)
def
can_access?
(
requested_project
,
requested_action
)
return
false
unless
requested_project
.
container_registry_enabled?
case
requested_action
case
requested_action
when
'pull'
when
'pull'
requested_project
.
public?
||
requested_project
==
project
||
can?
(
current_user
,
:read_container_registry
,
requested_project
)
requested_project
==
project
||
can?
(
current_user
,
:read_container_registry
,
requested_project
)
when
'push'
when
'push'
requested_project
==
project
||
can?
(
current_user
,
:create_container_registry
,
requested_project
)
requested_project
==
project
||
can?
(
current_user
,
:create_container_registry
,
requested_project
)
else
else
...
...
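Review bot: In `can_access?` the `'pull'` branch no longer names `requested_project.public?`, so anonymous pulls from public projects now depend entirely on `Ability` granting `:read_container_registry` to a nil `current_user`, and nothing in this method says so. A one-line comment above the branch would keep that coupling visible, e.g. `# public projects are covered by :read_container_registry in Ability`. The `requested_project == project` shortcut in both branches skips `can?` altogether. Where `project` comes from is outside the hunk, so a comment stating which credential it represents would help the next reader judge that bypass. The method's `else` branch continues past the end of the hunk.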
app/services/projects/destroy_service.rb
...
@@ -64,7 +64,7 @@ module Projects
...
@@ -64,7 +64,7 @@ module Projects
end
end
def
remove_registry_tags
def
remove_registry_tags
return
unless
Gitlab
.
config
.
registry
.
enabled
return
true
unless
Gitlab
.
config
.
registry
.
enabled
project
.
container_registry_repository
.
delete_tags
project
.
container_registry_repository
.
delete_tags
end
end
...
...
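Review bot: `remove_registry_tags` now returns `true` on the disabled path, but on the enabled path it still returns whatever `delete_tags` returns, and that contract is not visible here. If the caller (outside the hunk) treats a falsy result as failure, a `delete_tags` that returns `nil` on success would presumably fail the same way the old bare `return` did. Document the contract above the method, e.g. `# Returns true when the registry is disabled or all tags were deleted`, and confirm that `delete_tags` actually yields a boolean.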
spec/services/jwt/container_registry_authentication_service_spec.rb
...
@@ -7,6 +7,7 @@ describe JWT::ContainerRegistryAuthenticationService, services: true do
...
@@ -7,6 +7,7 @@ describe JWT::ContainerRegistryAuthenticationService, services: true do
let
(
:rsa_key
)
{
OpenSSL
::
PKey
::
RSA
.
generate
(
512
)
}
let
(
:rsa_key
)
{
OpenSSL
::
PKey
::
RSA
.
generate
(
512
)
}
let
(
:registry_settings
)
do
let
(
:registry_settings
)
do
{
{
enabled:
true
,
issuer:
'rspec'
,
issuer:
'rspec'
,
key:
nil
key:
nil
}
}
...
@@ -146,7 +147,20 @@ describe JWT::ContainerRegistryAuthenticationService, services: true do
...
@@ -146,7 +147,20 @@ describe JWT::ContainerRegistryAuthenticationService, services: true do
it_behaves_like
'a forbidden'
it_behaves_like
'a forbidden'
end
end
end
end
end
context
'for project without container registry'
do
let
(
:project
)
{
create
(
:empty_project
,
:public
,
container_registry_enabled:
false
)
}
before
{
project
.
update
(
container_registry_enabled:
false
)
}
context
'disallow when pulling'
do
let
(
:current_params
)
do
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:pull"
}
end
it_behaves_like
'a forbidden'
end
end
end
end
end
...
...
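Review bot: The new `'for project without container registry'` context sets `container_registry_enabled: false` twice, once in `create(:empty_project, :public, ...)` and again in `before { project.update(container_registry_enabled: false) }`. One of them is enough, and keeping both hides which one the example relies on. Only the `pull` scope is exercised, so the early `return false` in `can_access?` is unverified for `push`; a sibling context with `scope: "repository:#{project.path_with_namespace}:push"` would close that gap. The hunks shown add `enabled: true` to `registry_settings` but no example for a disabled registry, so the new `'not found'` 404 path in `execute` appears untested.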