author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 17:30:51 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 17:30:51 +0300 |
commit | e74db6bfa85dbeb243dafcdbf03c0e5aff3f6069 (patch) | |
tree | b10184090863fcb73ebcc444cc6123cdfd7f9520 /app/policies | |
parent | 5370ec1c3d27d646be672039e78161d22b1e2a80 (diff) |
Add latest changes from gitlab-org/security/gitlab@15-1-stable-ee
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/project_policy.rb | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 6ddd83544bc..2594310c498 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -59,7 +59,13 @@ class ProjectPolicy < BasePolicy
 desc "Container registry is disabled"
 condition(:container_registry_disabled, scope: :subject) do
- !access_allowed_to?(:container_registry)
+ if user.is_a?(DeployToken)
+ (!user.read_registry? && !user.write_registry?) ||
+ user.revoked? ||
+ !project.container_registry_enabled?
+ else
+ !access_allowed_to?(:container_registry)
+ end
 end
 
 desc "Container registry is enabled for everyone with access to the project"
@@ -88,6 +94,16 @@ class ProjectPolicy < BasePolicy
 user.is_a?(DeployKey) && user.can_push_to?(project)
 end
 
+ desc "Deploy token with read_container_image scope"
+ condition(:read_container_image_deploy_token) do
+ user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_registry?
+ end
+
+ desc "Deploy token with create_container_image scope"
+ condition(:create_container_image_deploy_token) do
+ user.is_a?(DeployToken) && user.has_access_to?(project) && user.write_registry?
+ end
+
 desc "Deploy token with read_package_registry scope"
 condition(:read_package_registry_deploy_token) do
 user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_package_registry
@@ -697,6 +713,14 @@ class ProjectPolicy < BasePolicy
 enable :push_code
 end
 
+ rule { read_container_image_deploy_token }.policy do
+ enable :read_container_image
+ end
+
+ rule { create_container_image_deploy_token }.policy do
+ enable :create_container_image
+ end
+
 rule { read_package_registry_deploy_token }.policy do
 enable :read_package
 enable :read_project
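Review bot: The `container_registry_disabled` condition in the first hunk now branches on `user` (`user.is_a?(DeployToken)`, `read_registry?`, `write_registry?`, `revoked?`) but is still declared `scope: :subject`, and in DeclarativePolicy a subject-scoped condition is cached by subject alone, so a result computed for one actor can be reused for a different actor against the same project within the same policy cache; the simplest fix is to drop the scope so the default per-user-and-subject key applies, `condition(:container_registry_disabled) do`. Note the pre-existing `!access_allowed_to?(:container_registry)` branch is also user-dependent, so this is a latent problem the new code makes more visible rather than introduces. In the same hunk the deploy-token branch rejects `revoked?` tokens but nothing visible covers expiry; if DeployToken exposes an `active?` predicate that covers both, `!user.active?` would be the tighter check — verify against the model. The `has_access_to?(project)` guard in the second hunk is the only access check the new conditions rely on, so a one-line comment there stating that revocation/expiry are handled by the disabled condition (not here) would help the next reader. The enclosing `ProjectPolicy` class starts and ends outside all three hunks.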