
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorKamil Trzcinski <ayufan@ayufan.eu>2016-09-13 16:27:05 +0300
committerKamil Trzcinski <ayufan@ayufan.eu>2016-09-13 16:27:05 +0300
commit571226f166f638f821ce84b90bce9cec1e5d5d06 (patch)
tree27cefbdc529510f757df251f125e344c7deeaf7c /app/services/auth
parent505dc808b3c0dc98413506446d368b91b56ff682 (diff)
Make result to return project and capabilities granted
Diffstat (limited to 'app/services/auth')
-rw-r--r--app/services/auth/container_registry_authentication_service.rb23
1 files changed, 9 insertions, 14 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 270d5a11d9e..cba0e2297a8 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -4,8 +4,8 @@ module Auth
AUDIENCE = 'container_registry'
- def execute(access_type: access_type)
- @access_type = access_type
+ def execute(capabilities: capabilities)
+ @capabilities = capabilities
return error('not found', 404) unless registry.enabled
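Review bot: The new signature `def execute(capabilities: capabilities)` uses a circular default, so a caller that omits the keyword does not get a usable list; on current Ruby versions the default evaluates to nil with a warning. `@capabilities.include?` in `has_ability?` would then raise NoMethodError instead of returning a clean denial. Make the keyword required with `def execute(capabilities:)`, or default it to `capabilities: []` so that a missing argument means no abilities are granted. The body of `execute` continues outside this hunk.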
@@ -91,33 +91,28 @@ module Auth
private
def restricted_user_can_pull?(requested_project)
- return false unless restricted?
-
# Restricted can:
# 1. pull from it's own project (for ex. a build)
# 2. read images from dependent projects if he is a team member
- requested_project == project || can?(current_user, :restricted_read_container_image, requested_project)
+ requested_project == project ||
+ has_ability?(:restricted_read_container_image, requested_project)
end
def privileged_user_can_pull?(requested_project)
- full? && can?(current_user, :read_container_image, requested_project)
+ has_ability?(:read_container_image, requested_project)
end
def restricted_user_can_push?(requested_project)
# Restricted can push only to project to from which he originates
- restricted? && requested_project == project
+ requested_project == project
end
def privileged_user_can_push?(requested_project)
- full? && can?(current_user, :create_container_image, requested_project)
- end
-
- def full?
- @access_type == :full
+ has_ability?(:create_container_image, requested_project)
end
- def restricted?
- @access_type == :restricted
+ def has_ability?(ability, requested_project)
+ @capabilities.include?(ability) && can?(current_user, ability, requested_project)
end
end
end
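Review bot: `restricted_user_can_push?` now returns `requested_project == project` without consulting `@capabilities`, and the first branch of `restricted_user_can_pull?` is ungated in the same way, so the removed `restricted?` guard has no replacement in these two methods. Unless the caller (outside this hunk) checks the granted capabilities before reaching them, a request authenticated with an empty or pull-only capability list would still be authorized to push to its own project. Gate both on membership in `@capabilities`, for example `@capabilities.include?(RESTRICTED_PUSH_ABILITY_PLACEHOLDER) && requested_project == project`, using whatever ability name the authentication step actually grants. A spec asserting that an empty capability list yields no push or pull access would pin the fail-closed behaviour.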