1 files changed, 12 insertions, 4 deletions

diff --git a/app/controllers/groups/settings/repository_controller.rb b/app/controllers/groups/settings/repository_controller.rb
index b0431c31179..cb62ea2a543 100644
--- a/app/controllers/groups/settings/repository_controller.rb
+++ b/app/controllers/groups/settings/repository_controller.rb
@@ -5,8 +5,9 @@ module Groups
     class RepositoryController < Groups::ApplicationController
       layout 'group_settings'
       skip_cross_project_access_check :show
-      before_action :authorize_create_deploy_token!
-      before_action :define_deploy_token_variables
+      before_action :authorize_create_deploy_token!, only: :create_deploy_token
+      before_action :authorize_access!, only: :show
+      before_action :define_deploy_token_variables, if: -> { can?(current_user, :create_deploy_token, @group) }
       before_action do
         push_frontend_feature_flag(:ajax_new_deploy_token, @group)
       end
@@ -16,13 +17,13 @@ module Groups
 
       def create_deploy_token
         result = Groups::DeployTokens::CreateService.new(@group, current_user, deploy_token_params).execute
-        @new_deploy_token = result[:deploy_token]
 
         if result[:status] == :success
+          @created_deploy_token = result[:deploy_token]
           respond_to do |format|
             format.json do
               # IMPORTANT: It's a security risk to expose the token value more than just once here!
-              json = API::Entities::DeployTokenWithToken.represent(@new_deploy_token).as_json
+              json = API::Entities::DeployTokenWithToken.represent(@created_deploy_token).as_json
               render json: json, status: result[:http_status]
             end
             format.html do
@@ -31,6 +32,7 @@ module Groups
             end
           end
         else
+          @new_deploy_token = result[:deploy_token]
           respond_to do |format|
             format.json { render json: { message: result[:message] }, status: result[:http_status] }
             format.html do
@@ -43,6 +45,10 @@ module Groups
 
       private
 
+      def authorize_access!
+        authorize_admin_group!
+      end
+
       def define_deploy_token_variables
         @deploy_tokens = @group.deploy_tokens.active
 
@@ -55,3 +61,5 @@ module Groups
     end
   end
 end
+
+Groups::Settings::RepositoryController.prepend_mod