2 files changed, 13 insertions, 11 deletions

diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index a792db027ff..6a55c50c3f3 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -78,7 +78,7 @@ module Gitlab
           service = project.public_send("#{underscored_service}_service")
 
           if service && service.activated? && service.valid_token?(password)
-            Result.new(nil, project, :ci, restricted_capabilities)
+            Result.new(nil, project, :ci, build_capabilities)
           end
         end
       end
@@ -124,25 +124,27 @@ module Gitlab
 
         if build.user
           # If user is assigned to build, use restricted credentials of user
-          Result.new(build.user, build.project, :build, restricted_capabilities)
+          Result.new(build.user, build.project, :build, build_capabilities)
         else
           # Otherwise use generic CI credentials (backward compatibility)
-          Result.new(nil, build.project, :ci, restricted_capabilities)
+          Result.new(nil, build.project, :ci, build_capabilities)
         end
       end
 
       private
 
-      def restricted_capabilities
+      def build_capabilities
         [
           :read_project,
-          :restricted_download_code,
-          :restricted_read_container_image
+          :build_download_code,
+          :build_read_container_image,
+          :build_create_container_image
         ]
       end
 
       def read_capabilities
-        restricted_capabilities + [
+        [
+          :read_project,
           :download_code,
           :read_container_image
         ]
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 10ef4a1e3cf..63b707db814 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -61,19 +61,19 @@ module Gitlab
     end
 
     def user_download_access_check
-      unless privileged_user_can_download_code? || restricted_user_can_download_code?
+      unless user_can_download_code? || build_can_download_code?
         return build_status_object(false, "You are not allowed to download code from this project.")
       end
 
       build_status_object(true)
     end
 
-    def privileged_user_can_download_code?
+    def user_can_download_code?
       capabilities.include?(:download_code) && user_access.can_do_action?(:download_code)
     end
 
-    def restricted_user_can_download_code?
-      capabilities.include?(:restricted_download_code) && user_access.can_do_action?(:restricted_download_code)
+    def build_can_download_code?
+      capabilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code)
     end
 
     def user_push_access_check(changes)