author | Giorgenes Gelatti <ggelatti@gitlab.com> | 2019-09-03 02:41:22 +0000 |
---|---|---|
committer | Thong Kuah <tkuah@gitlab.com> | 2019-09-03 02:41:22 +0000 |
commit | f5b2899422c8934339fd05ff94b2fdce0e812240 (patch) | |
tree | 7be7365b6f9749d49adcff3c57f5c9596f41027a /app | |
parent | 3feab2348f6045a0d30512bcac771650ac03c68c (diff) | |
download | gitlab-ce-f5b2899422c8934339fd05ff94b2fdce0e812240.tar.gz |

If user can push to docker then it can delete too

Extends the permission of $CI_REGISTRY_USER to allow them
to delete tags in addition to just pushing.

https://gitlab.com/gitlab-org/gitlab-ce/issues/40096

Diffstat (limited to 'app')
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb index 0a069320936..9e7319c1d9b 100644 --- a/app/services/auth/container_registry_authentication_service.rb +++ b/app/services/auth/container_registry_authentication_service.rb @@ -124,13 +124,21 @@ module Auth build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project) when 'push' build_can_push?(requested_project) || user_can_push?(requested_project) - when '*', 'delete' + when 'delete' + build_can_delete?(requested_project) || user_can_admin?(requested_project) + when '*' user_can_admin?(requested_project) else false end end + def build_can_delete?(requested_project) + # Build can delete only from the project from which it originates + has_authentication_ability?(:build_destroy_container_image) && + requested_project == project + end + def registry Gitlab.config.registry end |
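
Review bot: In the new `when 'delete'` branch, `build_can_delete?` is the only gate between a CI job credential and tag deletion, and this diff (limited to `app`) does not show where `:build_destroy_container_image` is granted. Please confirm the ability is given only to the credentials that already satisfy `build_can_push?`, and add specs for the negative cases the hunk implies: a build requesting `delete` on a project other than its own must be refused by `requested_project == project`, and a `*` request must still be decided by `user_can_admin?` alone. The user path for `delete` is unchanged (`user_can_admin?`), so only builds gain the permission; the subject line "If user can push to docker then it can delete too" reads as if regular users with push access gain it as well, so the commit message or the documentation for `$CI_REGISTRY_USER` should say that explicitly.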