Commit 9e318bd9 authored by Kamil Trzcinski's avatar Kamil Trzcinski

Fix container registry permissions

parent 575a73c8
......@@ -61,6 +61,7 @@ class Ability
:read_merge_request,
:read_note,
:read_commit_status,
:read_container_registry,
:download_code
]
......
......@@ -3,6 +3,8 @@ module JWT
AUDIENCE = 'container_registry'
def execute
return error('not found', 404) unless registry.enabled
if params[:offline_token]
return error('forbidden', 403) unless current_user
end
......@@ -65,9 +67,11 @@ module JWT
end
def can_access?(requested_project, requested_action)
return false unless requested_project.container_registry_enabled?
case requested_action
when 'pull'
requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
requested_project == project || can?(current_user, :read_container_registry, requested_project)
when 'push'
requested_project == project || can?(current_user, :create_container_registry, requested_project)
else
......
......@@ -64,7 +64,7 @@ module Projects
end
def remove_registry_tags
return unless Gitlab.config.registry.enabled
return true unless Gitlab.config.registry.enabled
project.container_registry_repository.delete_tags
end
......
......@@ -7,6 +7,7 @@ describe JWT::ContainerRegistryAuthenticationService, services: true do
let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
let(:registry_settings) do
{
enabled: true,
issuer: 'rspec',
key: nil
}
......@@ -146,7 +147,20 @@ describe JWT::ContainerRegistryAuthenticationService, services: true do
it_behaves_like 'a forbidden'
end
end
end
context 'for project without container registry' do
let(:project) { create(:empty_project, :public, container_registry_enabled: false) }
before { project.update(container_registry_enabled: false) }
context 'disallow when pulling' do
let(:current_params) do
{ scope: "repository:#{project.path_with_namespace}:pull" }
end
it_behaves_like 'a forbidden'
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment