Fix container registry permissions

2 files changed, 6 insertions, 2 deletions

diff --git a/app/services/jwt/container_registry_authentication_service.rb b/app/services/jwt/container_registry_authentication_service.rb
index 91bad347278..b60cd3c57e5 100644
--- a/app/services/jwt/container_registry_authentication_service.rb
+++ b/app/services/jwt/container_registry_authentication_service.rb
@@ -3,6 +3,8 @@ module JWT
     AUDIENCE = 'container_registry'
 
     def execute
+      return error('not found', 404) unless registry.enabled
+
       if params[:offline_token]
         return error('forbidden', 403) unless current_user
       end
@@ -65,9 +67,11 @@ module JWT
     end
 
     def can_access?(requested_project, requested_action)
+      return false unless requested_project.container_registry_enabled?
+
       case requested_action
       when 'pull'
-        requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
+        requested_project == project || can?(current_user, :read_container_registry, requested_project)
       when 'push'
         requested_project == project || can?(current_user, :create_container_registry, requested_project)
       else
diff --git a/app/services/projects/destroy_service.rb b/app/services/projects/destroy_service.rb
index 0ff2bc3cb81..d3920ac8baa 100644
--- a/app/services/projects/destroy_service.rb
+++ b/app/services/projects/destroy_service.rb
@@ -64,7 +64,7 @@ module Projects
     end
 
     def remove_registry_tags
-      return unless Gitlab.config.registry.enabled
+      return true unless Gitlab.config.registry.enabled
 
       project.container_registry_repository.delete_tags
     end