Add latest changes from gitlab-org/security/gitlab@15-1-stable-ee

1 files changed, 25 insertions, 1 deletions

diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 6ddd83544bc..2594310c498 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -59,7 +59,13 @@ class ProjectPolicy < BasePolicy
 
   desc "Container registry is disabled"
   condition(:container_registry_disabled, scope: :subject) do
-    !access_allowed_to?(:container_registry)
+    if user.is_a?(DeployToken)
+      (!user.read_registry? && !user.write_registry?) ||
+      user.revoked? ||
+      !project.container_registry_enabled?
+    else
+      !access_allowed_to?(:container_registry)
+    end
   end
 
   desc "Container registry is enabled for everyone with access to the project"
@@ -88,6 +94,16 @@ class ProjectPolicy < BasePolicy
     user.is_a?(DeployKey) && user.can_push_to?(project)
   end
 
+  desc "Deploy token with read_container_image scope"
+  condition(:read_container_image_deploy_token) do
+    user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_registry?
+  end
+
+  desc "Deploy token with create_container_image scope"
+  condition(:create_container_image_deploy_token) do
+    user.is_a?(DeployToken) && user.has_access_to?(project) && user.write_registry?
+  end
+
   desc "Deploy token with read_package_registry scope"
   condition(:read_package_registry_deploy_token) do
     user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_package_registry
@@ -697,6 +713,14 @@ class ProjectPolicy < BasePolicy
     enable :push_code
   end
 
+  rule { read_container_image_deploy_token }.policy do
+    enable :read_container_image
+  end
+
+  rule { create_container_image_deploy_token }.policy do
+    enable :create_container_image
+  end
+
   rule { read_package_registry_deploy_token }.policy do
     enable :read_package
     enable :read_project