Allow Developer role to delete tags via container registry api

This brings the API permissions in line with the UI permissions

6 files changed, 12 insertions, 10 deletions

diff --git a/app/controllers/projects/registry/tags_controller.rb b/app/controllers/projects/registry/tags_controller.rb
index 567d750caae..bf1d8d8b5fc 100644
--- a/app/controllers/projects/registry/tags_controller.rb
+++ b/app/controllers/projects/registry/tags_controller.rb
@@ -3,7 +3,7 @@
 module Projects
   module Registry
     class TagsController < ::Projects::Registry::ApplicationController
-      before_action :authorize_update_container_image!, only: [:destroy]
+      before_action :authorize_destroy_container_image!, only: [:destroy]
 
       def index
         respond_to do |format|
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 728a3040227..a3632640ede 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -258,6 +258,7 @@ class ProjectPolicy < BasePolicy
     enable :resolve_note
     enable :create_container_image
     enable :update_container_image
+    enable :destroy_container_image
     enable :create_environment
     enable :create_deployment
     enable :create_release
diff --git a/changelogs/unreleased/container-registry-api-perms-58271.yml b/changelogs/unreleased/container-registry-api-perms-58271.yml
new file mode 100644
index 00000000000..0d1036a7788
--- /dev/null
+++ b/changelogs/unreleased/container-registry-api-perms-58271.yml
@@ -0,0 +1,5 @@
+---
+title: Allow developer role to delete docker tags via container registry API
+merge_request: 29512
+author:
+type: fixed
diff --git a/lib/api/container_registry.rb b/lib/api/container_registry.rb
index e4493910196..7d9b5e1a598 100644
--- a/lib/api/container_registry.rb
+++ b/lib/api/container_registry.rb
@@ -115,12 +115,8 @@ module API
         authorize! :read_container_image, repository
       end
 
-      def authorize_update_container_image!
-        authorize! :update_container_image, repository
-      end
-
       def authorize_destroy_container_image!
-        authorize! :admin_container_image, repository
+        authorize! :destroy_container_image, repository
       end
 
       def authorize_admin_container_image!
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index ed0e82ef179..4b723a52b51 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -39,7 +39,7 @@ describe ProjectPolicy do
       admin_milestone admin_merge_request update_merge_request create_commit_status
       update_commit_status create_build update_build create_pipeline
       update_pipeline create_merge_request_from create_wiki push_code
-      resolve_note create_container_image update_container_image
+      resolve_note create_container_image update_container_image destroy_container_image
       create_environment create_deployment create_release update_release
     ]
   end
diff --git a/spec/requests/api/container_registry_spec.rb b/spec/requests/api/container_registry_spec.rb
index ea035a8be4a..4ad15ed6bea 100644
--- a/spec/requests/api/container_registry_spec.rb
+++ b/spec/requests/api/container_registry_spec.rb
@@ -201,10 +201,10 @@ describe API::ContainerRegistry do
   describe 'DELETE /projects/:id/registry/repositories/:repository_id/tags/:tag_name' do
     subject { delete api("/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags/rootA", api_user) }
 
-    it_behaves_like 'being disallowed', :developer
+    it_behaves_like 'being disallowed', :reporter
 
-    context 'for maintainer' do
-      let(:api_user) { maintainer }
+    context 'for developer' do
+      let(:api_user) { developer }
 
       before do
         stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA), with_manifest: true)