diff options
Diffstat (limited to 'app/services/auth/container_registry_authentication_service.rb')
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb index 629c1cbdc5c..4a699fe3213 100644 --- a/app/services/auth/container_registry_authentication_service.rb +++ b/app/services/auth/container_registry_authentication_service.rb @@ -135,7 +135,7 @@ module Auth when 'pull' build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project) when 'push' - build_can_push?(requested_project) || user_can_push?(requested_project) + build_can_push?(requested_project) || user_can_push?(requested_project) || deploy_token_can_push?(requested_project) when 'delete' build_can_delete?(requested_project) || user_can_admin?(requested_project) when '*' @@ -185,6 +185,13 @@ module Auth current_user.read_registry? end + def deploy_token_can_push?(requested_project) + has_authentication_ability?(:create_container_image) && + current_user.is_a?(DeployToken) && + current_user.has_access_to?(requested_project) && + current_user.write_registry? + end + ## # We still support legacy pipeline triggers which do not have associated # actor. New permissions model and new triggers are always associated with |