Commit 94a6ab5a authored by Kerri Miller's avatar Kerri Miller

Merge branch '282499-deploy-token-read-package' into 'master'

Update deploy token package permissions

See merge request gitlab-org/gitlab!47675
parents 871933eb 824b53e4
......@@ -194,6 +194,7 @@ class GroupPolicy < BasePolicy
rule { write_package_registry_deploy_token }.policy do
enable :create_package
enable :read_package
enable :read_group
end
......
......@@ -568,6 +568,7 @@ class ProjectPolicy < BasePolicy
rule { write_package_registry_deploy_token }.policy do
enable :create_package
enable :read_package
enable :read_project
end
......
---
title: Fix deploy token permissions for write_package_registry
merge_request: 47675
author:
type: fixed
......@@ -876,6 +876,7 @@ RSpec.describe GroupPolicy do
let(:deploy_token) { create(:deploy_token, :group, write_package_registry: true) }
it { is_expected.to be_allowed(:create_package) }
it { is_expected.to be_allowed(:read_package) }
it { is_expected.to be_allowed(:read_group) }
it { is_expected.to be_disallowed(:destroy_package) }
end
......
......@@ -697,6 +697,7 @@ RSpec.describe ProjectPolicy do
let(:deploy_token) { create(:deploy_token, write_package_registry: true) }
it { is_expected.to be_allowed(:create_package) }
it { is_expected.to be_allowed(:read_package) }
it { is_expected.to be_allowed(:read_project) }
it { is_expected.to be_disallowed(:destroy_package) }
end
......
......@@ -92,17 +92,32 @@ RSpec.describe API::MavenPackages do
end
shared_examples 'downloads with a deploy token' do
it 'allows download with deploy token' do
context 'successful download' do
subject do
download_file(
package_file.file_name,
{},
Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => deploy_token.token
)
end
it 'allows download with deploy token' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
it 'allows download with deploy token with only write_package_registry scope' do
deploy_token.update!(read_package_registry: false)
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
end
end
shared_examples 'downloads with a job token' do
context 'with a running job' do
......@@ -355,6 +370,15 @@ RSpec.describe API::MavenPackages do
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
it 'returns the file with only write_package_registry scope' do
deploy_token_for_group.update!(read_package_registry: false)
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment