author | Jason Goodman <jgoodman@gitlab.com> | 2019-06-14 14:40:30 -0400 |
---|---|---|
committer | Jason Goodman <jgoodman@gitlab.com> | 2019-06-14 14:40:30 -0400 |
commit | 4271f8feefad6c89997c0827793052f5938de7b2 (patch) | |
tree | 8baeec6678b847f2d67f68e585a5e5359a56125a | |
parent | bc42df87c5208bfe78076a05722e674bf5a0f07d (diff) | |
download | gitlab-ce-container-registry-api-perms-58271.tar.gz |
Prevent Developer role from bulk deleting docker tags via APIcontainer-registry-api-perms-58271
Allow Maintainer
-rw-r--r-- | lib/api/container_registry.rb | 2 | ||||
-rw-r--r-- | spec/requests/api/container_registry_spec.rb | 8 |
2 files changed, 5 insertions, 5 deletions
diff --git a/lib/api/container_registry.rb b/lib/api/container_registry.rb index b71a1119e51..7d9b5e1a598 100644 --- a/lib/api/container_registry.rb +++ b/lib/api/container_registry.rb @@ -66,7 +66,7 @@ module API optional :older_than, type: String, desc: 'Delete older than: 1h, 1d, 1month' end delete ':id/registry/repositories/:repository_id/tags', requirements: REGISTRY_ENDPOINT_REQUIREMENTS do - authorize_destroy_container_image! + authorize_admin_container_image! CleanupContainerRepositoryWorker.perform_async(current_user.id, repository.id, declared_params.except(:repository_id)) # rubocop: disable CodeReuse/ActiveRecord diff --git a/spec/requests/api/container_registry_spec.rb b/spec/requests/api/container_registry_spec.rb index cafd5d26c3e..4ad15ed6bea 100644 --- a/spec/requests/api/container_registry_spec.rb +++ b/spec/requests/api/container_registry_spec.rb @@ -122,14 +122,14 @@ describe API::ContainerRegistry do describe 'DELETE /projects/:id/registry/repositories/:repository_id/tags' do subject { delete api("/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags", api_user), params: params } - it_behaves_like 'being disallowed', :reporter do + it_behaves_like 'being disallowed', :developer do let(:params) do { name_regex: 'v10.*' } end end - context 'for developer' do - let(:api_user) { developer } + context 'for maintainer' do + let(:api_user) { maintainer } context 'without required parameters' do let(:params) { } @@ -157,7 +157,7 @@ describe API::ContainerRegistry do it 'schedules cleanup of tags repository' do expect(CleanupContainerRepositoryWorker).to receive(:perform_async) - .with(developer.id, root_repository.id, worker_params) + .with(maintainer.id, root_repository.id, worker_params) subject |
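Review bot: In lib/api/container_registry.rb, the bulk `DELETE …/tags` route now gates on `authorize_admin_container_image!`, but that check runs only when the request is accepted; the deletion happens later in `CleanupContainerRepositoryWorker`, which is handed just `current_user.id`. The worker and anything it calls are not visible in this hunk, so if they re-check permission they should test the same admin-level ability, otherwise the API layer and the background job disagree about who may bulk delete. The intent is also worth recording above the call, e.g. `# Bulk tag deletion requires admin-level container image access; Developers are intentionally excluded`. The route block continues past the end of the hunk.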
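Review bot: In spec/requests/api/container_registry_spec.rb, the first spec hunk replaces the `:reporter` case of `'being disallowed'` with `:developer`, so the bulk-delete endpoint loses its negative test for the lower role. Authorization specs are most useful as regression guards when they pin every role below the boundary, so keep `it_behaves_like 'being disallowed', :reporter do` with the same `name_regex` params next to the new `:developer` example. The `describe 'DELETE …/tags'` block continues past the end of the hunk.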