Merge branch 'container-registry-api-perms-58271' into 'master'

Align Container Registry API Delete Permissions with UI See merge request gitlab-org/gitlab-ce!29512

Merge branch 'container-registry-api-perms-58271' into 'master'
Align Container Registry API Delete Permissions with UI See merge request gitlab-org/gitlab-ce!29512
2a8f44d1 · Kamil Trzciński · 8ace9d91 · a881a592 · 2a8f44d1 · 2a8f44d1
Commit 2a8f44d1 authored Jun 17, 2019 by Kamil Trzciński
6 changed files
--- a/app/controllers/projects/registry/tags_controller.rb
+++ b/app/controllers/projects/registry/tags_controller.rb
@@ -3,7 +3,7 @@
 module Projects
  module Registry
    class TagsController < ::Projects::Registry::ApplicationController
-      before_action :authorize_update_container_image!, only: [:destroy]
+      before_action :authorize_destroy_container_image!, only: [:destroy]

      def index
        respond_to do |format|

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -258,6 +258,7 @@ class ProjectPolicy < BasePolicy
    enable :resolve_note
    enable :create_container_image
    enable :update_container_image
+    enable :destroy_container_image
    enable :create_environment
    enable :create_deployment
    enable :create_release

--- a/changelogs/unreleased/container-registry-api-perms-58271.yml
+++ b/changelogs/unreleased/container-registry-api-perms-58271.yml
+---
+title: Allow developer role to delete docker tags via container registry API
+merge_request: 29512
+author:
+type: fixed
--- a/lib/api/container_registry.rb
+++ b/lib/api/container_registry.rb
@@ -115,12 +115,8 @@ module API
        authorize! :read_container_image, repository
      end

-      def authorize_update_container_image!
-        authorize! :update_container_image, repository
-      end
-
      def authorize_destroy_container_image!
-        authorize! :admin_container_image, repository
+        authorize! :destroy_container_image, repository
      end

      def authorize_admin_container_image!

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -39,7 +39,7 @@ describe ProjectPolicy do
      admin_milestone admin_merge_request update_merge_request create_commit_status
      update_commit_status create_build update_build create_pipeline
      update_pipeline create_merge_request_from create_wiki push_code
-      resolve_note create_container_image update_container_image
+      resolve_note create_container_image update_container_image destroy_container_image
      create_environment create_deployment create_release update_release
    ]
  end

--- a/spec/requests/api/container_registry_spec.rb
+++ b/spec/requests/api/container_registry_spec.rb
@@ -201,10 +201,10 @@ describe API::ContainerRegistry do
  describe 'DELETE /projects/:id/registry/repositories/:repository_id/tags/:tag_name' do
    subject { delete api("/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags/rootA", api_user) }

-    it_behaves_like 'being disallowed', :developer
+    it_behaves_like 'being disallowed', :reporter

-    context 'for maintainer' do
-      let(:api_user) { maintainer }
+    context 'for developer' do
+      let(:api_user) { developer }

      before do
        stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA), with_manifest: true)