diff --git a/app/controllers/projects/registry/tags_controller.rb b/app/controllers/projects/registry/tags_controller.rb
index 567d750caae686de47be20a4b8a06744f220dada..bf1d8d8b5fc9a6cbd8ba92405847e492a3c962ce 100644
--- a/app/controllers/projects/registry/tags_controller.rb
+++ b/app/controllers/projects/registry/tags_controller.rb
@@ -3,7 +3,7 @@
 module Projects
 module Registry
 class TagsController < ::Projects::Registry::ApplicationController
- before_action :authorize_update_container_image!, only: [:destroy]
+ before_action :authorize_destroy_container_image!, only: [:destroy]
 
 def index
 respond_to do |format|
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 728a3040227fdb6be865b7164f6091b7e8b9673e..a3632640ede6aae0aa27f5c41513683c2933eec9 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -258,6 +258,7 @@ class ProjectPolicy < BasePolicy
 enable :resolve_note
 enable :create_container_image
 enable :update_container_image
+ enable :destroy_container_image
 enable :create_environment
 enable :create_deployment
 enable :create_release
diff --git a/changelogs/unreleased/container-registry-api-perms-58271.yml b/changelogs/unreleased/container-registry-api-perms-58271.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0d1036a77886e8bbf22fb07748123887eff7bd51
--- /dev/null
+++ b/changelogs/unreleased/container-registry-api-perms-58271.yml
@@ -0,0 +1,5 @@
+---
+title: Allow developer role to delete docker tags via container registry API
+merge_request: 29512
+author:
+type: fixed
diff --git a/lib/api/container_registry.rb b/lib/api/container_registry.rb
index e44939101963a132393115c40cff90a4505827f8..7d9b5e1a598017841ce2f90febff6474ccc32a87 100644
--- a/lib/api/container_registry.rb
+++ b/lib/api/container_registry.rb
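Review bot: In `tags_controller.rb`, `authorize_destroy_container_image!` is not defined in the hunk, and the visible part of the commit adds no controller spec for it. If the base controller resolves `authorize_*!` names dynamically, a misspelled or undefined ability would only surface when `destroy` is requested. A controller spec that expects `destroy` to be refused for a reporter and allowed for a developer would pin the new ability on the web path, as the request spec does for the API. The class body continues outside the hunk.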
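Review bot: In `project_policy.rb`, `:destroy_container_image` is a new ability name, so any rule elsewhere in `ProjectPolicy` that prevents container-image abilities by listing them (for example when the container registry is disabled for the project) will not cover it unless it is added there as well. Those rules are outside this hunk, as is the start of the rule block these `enable` lines belong to; from the policy spec change it appears to be the developer block. A policy spec expecting `destroy_container_image` to be disallowed when the registry is disabled would show whether the new ability is covered.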
@@ -115,12 +115,8 @@ module API
 authorize! :read_container_image, repository
 end
 
- def authorize_update_container_image!
- authorize! :update_container_image, repository
- end
-
 def authorize_destroy_container_image!
- authorize! :admin_container_image, repository
+ authorize! :destroy_container_image, repository
 end
 
 def authorize_admin_container_image!
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index ed0e82ef179a1d3a5830c92c24fcfad632a083f3..4b723a52b515875ef763c0844197d523d7261c14 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -39,7 +39,7 @@ describe ProjectPolicy do
 admin_milestone admin_merge_request update_merge_request create_commit_status update_commit_status create_build update_build create_pipeline update_pipeline create_merge_request_from create_wiki push_code
- resolve_note create_container_image update_container_image
+ resolve_note create_container_image update_container_image destroy_container_image
 create_environment create_deployment create_release update_release
 ]
 end
diff --git a/spec/requests/api/container_registry_spec.rb b/spec/requests/api/container_registry_spec.rb
index ea035a8be4a215750be688aad0d11faef3c509be..4ad15ed6bea1a47feb0506be70423eb92d324a5c 100644
--- a/spec/requests/api/container_registry_spec.rb
+++ b/spec/requests/api/container_registry_spec.rb
@@ -201,10 +201,10 @@ describe API::ContainerRegistry do
 describe 'DELETE /projects/:id/registry/repositories/:repository_id/tags/:tag_name' do
 subject { delete api("/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags/rootA", api_user) }
 
- it_behaves_like 'being disallowed', :developer
+ it_behaves_like 'being disallowed', :reporter
 
- context 'for maintainer' do
- let(:api_user) { maintainer }
+ context 'for developer' do
+ let(:api_user) { developer }
 
 before do
 stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA), with_manifest: true)
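Review bot: In `lib/api/container_registry.rb`, `authorize_destroy_container_image!` keeps its name but now checks `:destroy_container_image` instead of `:admin_container_image`, so every endpoint that calls it is loosened to the ability this commit grants alongside `update_container_image`. The call sites are outside this hunk; confirm that only the single-tag DELETE uses the helper and that any wider deletions still go through `authorize_admin_container_image!`. If so, a comment above the helper such as `# Single-tag deletion only; wider deletes stay on authorize_admin_container_image!` would keep the distinction visible. The removed `authorize_update_container_image!` should have no remaining callers in the API.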
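Review bot: In `spec/requests/api/container_registry_spec.rb`, replacing the `for maintainer` context with `for developer` leaves no visible example that a maintainer can still delete a tag through this endpoint. In addition, `'being disallowed'` is now exercised only for `:reporter`. Keeping a maintainer case beside the developer one, e.g. a second `context 'for maintainer'` with `let(:api_user) { maintainer }`, would catch a later policy change that grants the ability to developers without it reaching higher roles. The `describe` block and the new `context` body continue outside the hunk.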