Allow Developer role to delete tags via container registry api

This brings the API permissions in line with the UI permissions

Allow Developer role to delete tags via container registry api
This brings the API permissions in line with the UI permissions
a881a592 · Jason Goodman · Kamil Trzciński · 8ace9d91 · a881a592 · a881a592
Commit a881a592 authored Jun 17, 2019 by Jason Goodman Committed by Kamil Trzciński Jun 17, 2019
6 changed files
--- a/app/controllers/projects/registry/tags_controller.rb
+++ b/app/controllers/projects/registry/tags_controller.rb
@@ -3,7 +3,7 @@
 module Projects
  module Registry
    class TagsController < ::Projects::Registry::ApplicationController
-      before_action :authorize_update_container_image!, only: [:destroy]
+      before_action :authorize_destroy_container_image!, only: [:destroy]
      def index
        respond_to do |format|

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -258,6 +258,7 @@ class ProjectPolicy < BasePolicy
    enable :resolve_note
    enable :create_container_image
    enable :update_container_image
+    enable :destroy_container_image
    enable :create_environment
    enable :create_deployment
    enable :create_release

--- a/changelogs/unreleased/container-registry-api-perms-58271.yml
+++ b/changelogs/unreleased/container-registry-api-perms-58271.yml
+---
+title: Allow developer role to delete docker tags via container registry API
+merge_request: 29512
+author:
+type: fixed
--- a/lib/api/container_registry.rb
+++ b/lib/api/container_registry.rb
@@ -115,12 +115,8 @@ module API
        authorize! :read_container_image, repository
      end
-      def authorize_update_container_image!
-        authorize! :update_container_image, repository
-      end
      def authorize_destroy_container_image!
-        authorize! :admin_container_image, repository
+        authorize! :destroy_container_image, repository
      end
      def authorize_admin_container_image!

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -39,7 +39,7 @@ describe ProjectPolicy do
      admin_milestone admin_merge_request update_merge_request create_commit_status
      update_commit_status create_build update_build create_pipeline
      update_pipeline create_merge_request_from create_wiki push_code
-      resolve_note create_container_image update_container_image
+      resolve_note create_container_image update_container_image destroy_container_image
      create_environment create_deployment create_release update_release
    ]
  end

--- a/spec/requests/api/container_registry_spec.rb
+++ b/spec/requests/api/container_registry_spec.rb
@@ -201,10 +201,10 @@ describe API::ContainerRegistry do
  describe 'DELETE /projects/:id/registry/repositories/:repository_id/tags/:tag_name' do
    subject { delete api("/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags/rootA", api_user) }
-    it_behaves_like 'being disallowed', :developer
+    it_behaves_like 'being disallowed', :reporter
-    context 'for maintainer' do
+    context 'for developer' do
-      let(:api_user) { maintainer }
+      let(:api_user) { developer }
      before do
        stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA), with_manifest: true)