author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-19 09:08:42 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-19 09:08:42 +0000 |
commit | b76ae638462ab0f673e5915986070518dd3f9ad3 (patch) | |
tree | bdab0533383b52873be0ec0eb4d3c66598ff8b91 /app/services/auth/container_registry_authentication_service.rb | |
parent | 434373eabe7b4be9593d18a585fb763f1e5f1a6f (diff) | |
download | gitlab-ce-b76ae638462ab0f673e5915986070518dd3f9ad3.tar.gz |
Add latest changes from gitlab-org/gitlab@14-2-stable-ee v14.2.0-rc42
Diffstat (limited to 'app/services/auth/container_registry_authentication_service.rb')
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index d42dcb2fd00..a2683647c72 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -21,7 +21,7 @@ module Auth
 return error('DENIED', status: 403, message: 'access forbidden') unless has_registry_ability?
- unless scopes.any? || current_user || project
+ unless scopes.any? || current_user || deploy_token || project
 return error('DENIED', status: 403, message: 'access forbidden')
 end
@@ -124,7 +124,6 @@ module Auth
 end
 def migration_eligible(project, actions)
- return unless actions.include?('push')
 return unless Feature.enabled?(:container_registry_migration_phase1)
 # The migration process will start by allowing only specific test and gitlab-org projects using the
@@ -178,8 +177,7 @@ module Auth
 end
 def can_user?(ability, project)
- user = current_user.is_a?(User) ? current_user : nil
- can?(user, ability, project)
+ can?(current_user, ability, project)
 end
 def build_can_pull?(requested_project)
@@ -202,16 +200,16 @@ module Auth
 def deploy_token_can_pull?(requested_project)
 has_authentication_ability?(:read_container_image) &&
- current_user.is_a?(DeployToken) &&
- current_user.has_access_to?(requested_project) &&
- current_user.read_registry?
+ deploy_token.present? &&
+ deploy_token.has_access_to?(requested_project) &&
+ deploy_token.read_registry?
 end
 def deploy_token_can_push?(requested_project)
 has_authentication_ability?(:create_container_image) &&
- current_user.is_a?(DeployToken) &&
- current_user.has_access_to?(requested_project) &&
- current_user.write_registry?
+ deploy_token.present? &&
+ deploy_token.has_access_to?(requested_project) &&
+ deploy_token.write_registry?
 end
 ##
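Review bot: With the `push` guard removed, `migration_eligible` now evaluates eligibility for every requested action, and nothing in the visible lines documents that pull-only or delete-only token requests are meant to be covered as well. A short comment above the method would pin the intent, for example `# Evaluated for every requested action, not only push.`. If `actions` is no longer read in the remainder of the body, which continues outside this hunk, the parameter is dead and should be dropped or marked as intentionally unused.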
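Review bot: `can_user?` now hands `current_user` to `can?` unfiltered, so the method depends on every caller passing a `User` or `nil` and never a `DeployToken`; the removed `is_a?(User)` check was what kept a token object from being evaluated against user policies. That invariant is established outside this hunk, so state it here with a comment such as `# current_user is a User or nil; deploy tokens arrive separately via params[:deploy_token]`. A spec that authenticates with a deploy token and asserts that user-level abilities are not granted would keep the separation from regressing.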
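Review bot: Neither `deploy_token_can_pull?` nor `deploy_token_can_push?` shows where a revoked or expired deploy token is rejected; the visible chain checks presence, project access and the registry permission only. If `has_access_to?` covers that (it is defined outside this diff), a comment saying so would help, e.g. `# has_access_to? is expected to reject inactive tokens`. The two methods also differ only in the ability and the final predicate, so a private helper taking both would remove the duplicated chain.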
@@ -250,6 +248,10 @@ module Auth
 {}
 end
+ def deploy_token
+ params[:deploy_token]
+ end
+
 def log_if_actions_denied(type, requested_project, requested_actions, authorized_actions)
 return if requested_actions == authorized_actions |
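Review bot: The new `deploy_token` accessor returns `params[:deploy_token]` as-is, and the authorization predicates earlier in this diff trust it, so the service is only safe if the caller fills that key from an authenticated result and never from request parameters. That contract is not visible in this file; document it on the method, e.g. `# Set by the caller after authenticating the request; never taken from user-supplied params.`. If a type guard is acceptable, `token = params[:deploy_token]` followed by `token if token.is_a?(DeployToken)` would restore the class check that the old `current_user.is_a?(DeployToken)` provided.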