Diffstat (limited to 'app')
-rw-r--r--app/controllers/jwt_controller.rb7
-rw-r--r--app/policies/project_policy.rb6
-rw-r--r--app/services/auth/container_registry_authentication_service.rb4
3 files changed, 6 insertions, 11 deletions
diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index 76e7473e92c..0caa5f4f439 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -23,8 +23,7 @@ class JwtController < ApplicationController
@authentication_result = Gitlab::Auth::Result.new(nil, nil, :none, Gitlab::Auth.read_authentication_abilities)
authenticate_with_http_basic do |login, password|
- project = find_project_related(password)
- @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
+ @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
if @authentication_result.failed? ||
(@authentication_result.actor.present? && !user_or_deploy_token)
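Review bot: The literal `project: nil` on the new line 21 silently drops the project scoping that the removed `find_project_related(password)` lookup supplied, and nothing in this hunk shows where a deploy token is now tied to its project. If `Gitlab::Auth.find_for_git_client` resolves the deploy token and its project itself (which the second hunk's removal of the helper suggests, but this diff cannot confirm), a one-line comment would stop the next reader from re-adding the lookup, e.g. `# project: nil — deploy tokens are resolved and scoped inside Gitlab::Auth; the registry auth service checks requested_project`. If the `project:` keyword already defaults to nil, passing it explicitly is noise and can be dropped. The `authenticate_with_http_basic` block and its enclosing method both start before and continue past this hunk.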
@@ -59,10 +58,6 @@ class JwtController < ApplicationController
params.permit(:service, :scope, :account, :client_id)
end
- def find_project_related(password)
- DeployToken.active.find_by(token: password)&.project
- end
-
def user_or_deploy_token
@authentication_result.actor.is_a?(User) || @authentication_result.actor.is_a?(DeployToken)
end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index b1ed034cd00..2f9dd0384bc 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -143,9 +143,9 @@ class ProjectPolicy < BasePolicy
end
# These abilities are not allowed to admins that are not members of the project,
- # that's why they are defined separatly.
+ # that's why they are defined separately.
rule { guest & can?(:download_code) }.enable :build_download_code
- rule { guest & can?(:read_container_image) }.enable :build_read_container_image
+ rule { guest & can?(:read_container_image) }.enable :project_read_container_image
rule { can?(:reporter_access) }.policy do
enable :download_code
@@ -179,7 +179,7 @@ class ProjectPolicy < BasePolicy
enable :fork_project
enable :build_download_code
- enable :build_read_container_image
+ enable :project_read_container_image
enable :request_access
end
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 2b77f6be72a..d70ac7b1b3d 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -127,8 +127,8 @@ module Auth
# Build can:
# 1. pull from its own project (for ex. a build)
# 2. read images from dependent projects if creator of build is a team member
- has_authentication_ability?(:build_read_container_image) &&
- (requested_project == project || can?(current_user, :build_read_container_image, requested_project))
+ has_authentication_ability?(:project_read_container_image) &&
+ (requested_project == project || can?(current_user, :project_read_container_image, requested_project))
end
def user_can_admin?(requested_project)