summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--app/controllers/projects/registry/tags_controller.rb2
-rw-r--r--app/policies/project_policy.rb1
-rw-r--r--changelogs/unreleased/container-registry-api-perms-58271.yml5
-rw-r--r--lib/api/container_registry.rb6
-rw-r--r--spec/policies/project_policy_spec.rb2
-rw-r--r--spec/requests/api/container_registry_spec.rb6
6 files changed, 12 insertions, 10 deletions
diff --git a/app/controllers/projects/registry/tags_controller.rb b/app/controllers/projects/registry/tags_controller.rb
index 567d750caae..bf1d8d8b5fc 100644
--- a/app/controllers/projects/registry/tags_controller.rb
+++ b/app/controllers/projects/registry/tags_controller.rb
@@ -3,7 +3,7 @@
module Projects
module Registry
class TagsController < ::Projects::Registry::ApplicationController
- before_action :authorize_update_container_image!, only: [:destroy]
+ before_action :authorize_destroy_container_image!, only: [:destroy]
def index
respond_to do |format|
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 728a3040227..a3632640ede 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -258,6 +258,7 @@ class ProjectPolicy < BasePolicy
enable :resolve_note
enable :create_container_image
enable :update_container_image
+ enable :destroy_container_image
enable :create_environment
enable :create_deployment
enable :create_release
diff --git a/changelogs/unreleased/container-registry-api-perms-58271.yml b/changelogs/unreleased/container-registry-api-perms-58271.yml
new file mode 100644
index 00000000000..0d1036a7788
--- /dev/null
+++ b/changelogs/unreleased/container-registry-api-perms-58271.yml
@@ -0,0 +1,5 @@
+---
+title: Allow developer role to delete docker tags via container registry API
+merge_request: 29512
+author:
+type: fixed
diff --git a/lib/api/container_registry.rb b/lib/api/container_registry.rb
index e4493910196..7d9b5e1a598 100644
--- a/lib/api/container_registry.rb
+++ b/lib/api/container_registry.rb
@@ -115,12 +115,8 @@ module API
authorize! :read_container_image, repository
end
- def authorize_update_container_image!
- authorize! :update_container_image, repository
- end
-
def authorize_destroy_container_image!
- authorize! :admin_container_image, repository
+ authorize! :destroy_container_image, repository
end
def authorize_admin_container_image!
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index ed0e82ef179..4b723a52b51 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -39,7 +39,7 @@ describe ProjectPolicy do
admin_milestone admin_merge_request update_merge_request create_commit_status
update_commit_status create_build update_build create_pipeline
update_pipeline create_merge_request_from create_wiki push_code
- resolve_note create_container_image update_container_image
+ resolve_note create_container_image update_container_image destroy_container_image
create_environment create_deployment create_release update_release
]
end
diff --git a/spec/requests/api/container_registry_spec.rb b/spec/requests/api/container_registry_spec.rb
index ea035a8be4a..4ad15ed6bea 100644
--- a/spec/requests/api/container_registry_spec.rb
+++ b/spec/requests/api/container_registry_spec.rb
@@ -201,10 +201,10 @@ describe API::ContainerRegistry do
describe 'DELETE /projects/:id/registry/repositories/:repository_id/tags/:tag_name' do
subject { delete api("/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags/rootA", api_user) }
- it_behaves_like 'being disallowed', :developer
+ it_behaves_like 'being disallowed', :reporter
- context 'for maintainer' do
- let(:api_user) { maintainer }
+ context 'for developer' do
+ let(:api_user) { developer }
before do
stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA), with_manifest: true)