Add new ’admin_tag’ permission52954-allow-developers-to-delete-tags

12 files changed, 17 insertions, 12 deletions

diff --git a/app/controllers/projects/tags_controller.rb b/app/controllers/projects/tags_controller.rb
index 5b679392db7..7d9387b1d94 100644
--- a/app/controllers/projects/tags_controller.rb
+++ b/app/controllers/projects/tags_controller.rb
@@ -8,7 +8,7 @@ class Projects::TagsController < Projects::ApplicationController
   # Authorize
   before_action :require_non_empty_project
   before_action :authorize_download_code!
-  before_action :authorize_push_code!, only: [:new, :create, :destroy]
+  before_action :authorize_admin_tag!, only: [:new, :create, :destroy]
 
   # rubocop: disable CodeReuse/ActiveRecord
   def index
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index b3e29e775fc..08bfe5d14ee 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -297,6 +297,7 @@ class ProjectPolicy < BasePolicy
   end
 
   rule { (mirror_available & can?(:admin_project)) | admin }.enable :admin_remote_mirror
+  rule { can?(:push_code) }.enable :admin_tag
 
   rule { archived }.policy do
     prevent :push_code
diff --git a/app/views/projects/tags/_tag.html.haml b/app/views/projects/tags/_tag.html.haml
index 2111d078c69..b1432917f1d 100644
--- a/app/views/projects/tags/_tag.html.haml
+++ b/app/views/projects/tags/_tag.html.haml
@@ -26,7 +26,7 @@
   .row-fixed-content.controls.flex-row
     = render 'projects/buttons/download', project: @project, ref: tag.name, pipeline: @tags_pipelines[tag.name]
 
-    - if can?(current_user, :push_code, @project)
+    - if can?(current_user, :admin_tag, @project)
       = link_to edit_project_tag_release_path(@project, tag.name), class: 'btn btn-edit has-tooltip', title: s_('TagsPage|Edit release notes'), data: { container: "body" } do
         = icon("pencil")
       = link_to project_tag_path(@project, tag.name), class: "btn btn-remove remove-row has-tooltip prepend-left-10 #{protected_tag?(@project, tag) ? 'disabled' : ''}", title: s_('TagsPage|Delete tag'), method: :delete, data: { confirm: s_('TagsPage|Deleting the %{tag_name} tag cannot be undone. Are you sure?') % { tag_name: tag.name }, container: 'body' }, remote: true do
diff --git a/app/views/projects/tags/index.html.haml b/app/views/projects/tags/index.html.haml
index 2e78b0bff3e..1f0de1e2603 100644
--- a/app/views/projects/tags/index.html.haml
+++ b/app/views/projects/tags/index.html.haml
@@ -24,7 +24,7 @@
           - tags_sort_options_hash.each do |value, title|
             %li
               = link_to title, filter_tags_path(sort: value), class: ("is-active" if @sort == value)
-      - if can?(current_user, :push_code, @project)
+      - if can?(current_user, :admin_tag, @project)
         = link_to new_project_tag_path(@project), class: 'btn btn-success new-tag-btn' do
           = s_('TagsPage|New tag')
       = link_to project_tags_path(@project, rss_url_options), title: _("Tags feed"), class: 'btn d-none d-sm-inline-block has-tooltip' do
diff --git a/app/views/projects/tags/show.html.haml b/app/views/projects/tags/show.html.haml
index 526c12397b5..02f6ef02843 100644
--- a/app/views/projects/tags/show.html.haml
+++ b/app/views/projects/tags/show.html.haml
@@ -19,7 +19,7 @@
         = s_("TagsPage|Can't find HEAD commit for this tag")
 
     .nav-controls
-      - if can?(current_user, :push_code, @project)
+      - if can?(current_user, :admin_tag, @project)
         = link_to edit_project_tag_release_path(@project, @tag.name), class: 'btn btn-edit controls-item has-tooltip', title: s_('TagsPage|Edit release notes') do
           = icon("pencil")
       = link_to project_tree_path(@project, @tag.name), class: 'btn controls-item has-tooltip', title: s_('TagsPage|Browse files') do
@@ -28,7 +28,7 @@
         = icon('history')
       .btn-container.controls-item
         = render 'projects/buttons/download', project: @project, ref: @tag.name
-      - if can?(current_user, :push_code, @project)
+      - if can?(current_user, :admin_tag, @project)
         .btn-container.controls-item-full
           = link_to project_tag_path(@project, @tag.name), class: "btn btn-remove remove-row has-tooltip #{protected_tag?(@project, @tag) ? 'disabled' : ''}", title: s_('TagsPage|Delete tag'), method: :delete, data: { confirm: s_('TagsPage|Deleting the %{tag_name} tag cannot be undone. Are you sure?') % { tag_name: @tag.name } } do
             %i.fa.fa-trash-o
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 00bcf6b055b..fd258e3edbc 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -235,6 +235,10 @@ module API
       authorize! :push_code, user_project
     end
 
+    def authorize_admin_tag
+      authorize! :admin_tag, user_project
+    end
+
     def authorize_admin_project
       authorize! :admin_project, user_project
     end
diff --git a/lib/api/tags.rb b/lib/api/tags.rb
index f5359fd316c..796b1450602 100644
--- a/lib/api/tags.rb
+++ b/lib/api/tags.rb
@@ -55,7 +55,7 @@ module API
         optional :release_description, type: String, desc: 'Specifying release notes stored in the GitLab database (deprecated in GitLab 11.7)'
       end
       post ':id/repository/tags' do
-        authorize_push_project
+        authorize_admin_tag
 
         result = ::Tags::CreateService.new(user_project, current_user)
           .execute(params[:tag_name], params[:ref], params[:message])
@@ -87,7 +87,7 @@ module API
         requires :tag_name, type: String, desc: 'The name of the tag'
       end
       delete ':id/repository/tags/:tag_name', requirements: TAG_ENDPOINT_REQUIREMENTS do
-        authorize_push_project
+        authorize_admin_tag
 
         tag = user_project.repository.find_tag(params[:tag_name])
         not_found!('Tag') unless tag
diff --git a/lib/gitlab/checks/tag_check.rb b/lib/gitlab/checks/tag_check.rb
index acb807005c2..ced0612a7a3 100644
--- a/lib/gitlab/checks/tag_check.rb
+++ b/lib/gitlab/checks/tag_check.rb
@@ -19,7 +19,7 @@ module Gitlab
         return unless tag_name
 
         logger.log_timed(LOG_MESSAGES[:tag_checks]) do
-          if tag_exists? && user_access.cannot_do_action?(:push_code)
+          if tag_exists? && user_access.cannot_do_action?(:admin_tag)
             raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:change_existing_tags]
           end
         end
diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index 9ef23cf849f..097b502316e 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -45,7 +45,7 @@ module Gitlab
       if protected?(ProtectedTag, project, ref)
         protected_tag_accessible_to?(ref, action: :create)
       else
-        user.can?(:push_code, project)
+        user.can?(:admin_tag, project)
       end
     end
 
diff --git a/spec/lib/gitlab/checks/tag_check_spec.rb b/spec/lib/gitlab/checks/tag_check_spec.rb
index b2bafd28c2b..80e9eb504ad 100644
--- a/spec/lib/gitlab/checks/tag_check_spec.rb
+++ b/spec/lib/gitlab/checks/tag_check_spec.rb
@@ -9,7 +9,7 @@ describe Gitlab::Checks::TagCheck do
     let(:ref) { 'refs/tags/v1.0.0' }
 
     it 'raises an error when user does not have access' do
-      allow(user_access).to receive(:can_do_action?).with(:push_code).and_return(false)
+      allow(user_access).to receive(:can_do_action?).with(:admin_tag).and_return(false)
 
       expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to change existing tags on this project.')
     end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 4b723a52b51..73d0ba614c5 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -40,7 +40,7 @@ describe ProjectPolicy do
       update_commit_status create_build update_build create_pipeline
       update_pipeline create_merge_request_from create_wiki push_code
       resolve_note create_container_image update_container_image destroy_container_image
-      create_environment create_deployment create_release update_release
+      create_environment create_deployment create_release update_release admin_tag
     ]
   end
 
diff --git a/spec/requests/api/tags_spec.rb b/spec/requests/api/tags_spec.rb
index d898319e709..c4f4a2cb889 100644
--- a/spec/requests/api/tags_spec.rb
+++ b/spec/requests/api/tags_spec.rb
@@ -10,7 +10,7 @@ describe API::Tags do
   let(:current_user) { nil }
 
   before do
-    project.add_maintainer(user)
+    project.add_developer(user)
   end
 
   describe 'GET /projects/:id/repository/tags' do