Commit f5b28994 authored by Giorgenes Gelatti's avatar Giorgenes Gelatti Committed by Thong Kuah

If user can push to docker then it can delete too

Extends the permission of $CI_REGISTRY_USER to allow them
to delete tags in addition to just pushing.

https://gitlab.com/gitlab-org/gitlab-ce/issues/40096
parent 3feab234
......@@ -124,13 +124,21 @@ module Auth
build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project)
when 'push'
build_can_push?(requested_project) || user_can_push?(requested_project)
when '*', 'delete'
when 'delete'
build_can_delete?(requested_project) || user_can_admin?(requested_project)
when '*'
user_can_admin?(requested_project)
else
false
end
end
def build_can_delete?(requested_project)
# Build can delete only from the project from which it originates
has_authentication_ability?(:build_destroy_container_image) &&
requested_project == project
end
def registry
Gitlab.config.registry
end
......
---
title: Allow $CI_REGISTRY_USER to delete tags
merge_request: 31796
author:
type: added
......@@ -265,7 +265,8 @@ module Gitlab
:read_project,
:build_download_code,
:build_read_container_image,
:build_create_container_image
:build_create_container_image,
:build_destroy_container_image
]
end
......
......@@ -587,7 +587,8 @@ describe Gitlab::Auth do
:read_project,
:build_download_code,
:build_read_container_image,
:build_create_container_image
:build_create_container_image,
:build_destroy_container_image
]
end
......
......@@ -476,7 +476,7 @@ describe Auth::ContainerRegistryAuthenticationService do
let(:current_user) { create(:user) }
let(:authentication_abilities) do
[:build_read_container_image, :build_create_container_image]
[:build_read_container_image, :build_create_container_image, :build_destroy_container_image]
end
before do
......@@ -507,19 +507,19 @@ describe Auth::ContainerRegistryAuthenticationService do
end
end
context 'disallow to delete images' do
context 'allow to delete images since registry 2.7' do
let(:current_params) do
{ scopes: ["repository:#{current_project.full_path}:*"] }
{ scopes: ["repository:#{current_project.full_path}:delete"] }
end
it_behaves_like 'an inaccessible' do
it_behaves_like 'a deletable since registry 2.7' do
let(:project) { current_project }
end
end
context 'disallow to delete images since registry 2.7' do
context 'disallow to delete images' do
let(:current_params) do
{ scopes: ["repository:#{current_project.full_path}:delete"] }
{ scopes: ["repository:#{current_project.full_path}:*"] }
end
it_behaves_like 'an inaccessible' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment