author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 17:30:51 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 17:30:51 +0300 |
commit | e74db6bfa85dbeb243dafcdbf03c0e5aff3f6069 (patch) | |
tree | b10184090863fcb73ebcc444cc6123cdfd7f9520 /app | |
parent | 5370ec1c3d27d646be672039e78161d22b1e2a80 (diff) |
Add latest changes from gitlab-org/security/gitlab@15-1-stable-ee
Diffstat (limited to 'app')
4 files changed, 29 insertions, 7 deletions
diff --git a/app/assets/javascripts/projects/settings/access_dropdown.js b/app/assets/javascripts/projects/settings/access_dropdown.js
index 7fb7a416dca..79dfa166b1a 100644
--- a/app/assets/javascripts/projects/settings/access_dropdown.js
+++ b/app/assets/javascripts/projects/settings/access_dropdown.js
@@ -537,7 +537,7 @@ export default class AccessDropdown {
       return `
         <li>
           <a href="#" class="${isActiveClass}">
-            <strong>${key.title}</strong>
+            <strong>${escape(key.title)}</strong>
             <p>
               ${sprintf(
                 __('Owned by %{image_tag}'),
diff --git a/app/models/clusters/applications/runner.rb b/app/models/clusters/applications/runner.rb
index bed0eab5a58..1ac4cbac1da 100644
--- a/app/models/clusters/applications/runner.rb
+++ b/app/models/clusters/applications/runner.rb
@@ -3,7 +3,7 @@
 module Clusters
   module Applications
     class Runner < ApplicationRecord
-      VERSION = '0.41.0'
+      VERSION = '0.42.1'
 
       self.table_name = 'clusters_applications_runners'
 
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 6ddd83544bc..2594310c498 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -59,7 +59,13 @@ class ProjectPolicy < BasePolicy
 
   desc "Container registry is disabled"
   condition(:container_registry_disabled, scope: :subject) do
-    !access_allowed_to?(:container_registry)
+    if user.is_a?(DeployToken)
+      (!user.read_registry? && !user.write_registry?) ||
+        user.revoked? ||
+        !project.container_registry_enabled?
+    else
+      !access_allowed_to?(:container_registry)
+    end
   end
 
   desc "Container registry is enabled for everyone with access to the project"
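Review bot: `escape` on the added line is unqualified and its import is not in the hunk; if it resolves to the global `escape()` rather than lodash's HTML `escape`, the title is percent-encoded instead of HTML-escaped, so confirm the import at the top of the file. The other interpolations in the same template (`isActiveClass` above, the `sprintf` arguments below) are outside this hunk and deserve the same check wherever they can carry user-controlled text. The enclosing render method starts and ends outside the hunk.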
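Review bot: The condition keeps `scope: :subject` while its new body branches on `user.is_a?(DeployToken)`; if subject-scoped conditions are memoized by subject alone, a result computed for one principal can be reused for another in the same request cache, so either drop the scope or move the DeployToken branch into its own condition (the old body may already have depended on `user` through `access_allowed_to?`, but the new branch makes that dependence explicit). The DeployToken branch also tests `user.revoked?` but not expiry, whereas the new `read_container_image_deploy_token` / `create_container_image_deploy_token` conditions in the next hunk rely on `user.has_access_to?(project)`; if `has_access_to?` already rejects inactive tokens this is only an inconsistency, otherwise an expired token with a registry scope is not treated as disabled here. A short comment above the branch, `# A DeployToken has no project membership, so check its scopes and state directly`, would explain why the feature-access helper is bypassed.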
@@ -88,6 +94,16 @@ class ProjectPolicy < BasePolicy
     user.is_a?(DeployKey) && user.can_push_to?(project)
   end
 
+  desc "Deploy token with read_container_image scope"
+  condition(:read_container_image_deploy_token) do
+    user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_registry?
+  end
+
+  desc "Deploy token with create_container_image scope"
+  condition(:create_container_image_deploy_token) do
+    user.is_a?(DeployToken) && user.has_access_to?(project) && user.write_registry?
+  end
+
   desc "Deploy token with read_package_registry scope"
   condition(:read_package_registry_deploy_token) do
     user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_package_registry
@@ -697,6 +713,14 @@ class ProjectPolicy < BasePolicy
     enable :push_code
   end
 
+  rule { read_container_image_deploy_token }.policy do
+    enable :read_container_image
+  end
+
+  rule { create_container_image_deploy_token }.policy do
+    enable :create_container_image
+  end
+
   rule { read_package_registry_deploy_token }.policy do
     enable :read_package
     enable :read_project
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 6d6d8641d9d..e806bef46fe 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -215,15 +215,13 @@ module Auth
       def deploy_token_can_pull?(requested_project)
         has_authentication_ability?(:read_container_image) &&
           deploy_token.present? &&
-          deploy_token.has_access_to?(requested_project) &&
-          deploy_token.read_registry?
+          can?(deploy_token, :read_container_image, requested_project)
       end
 
       def deploy_token_can_push?(requested_project)
         has_authentication_ability?(:create_container_image) &&
           deploy_token.present? &&
-          deploy_token.has_access_to?(requested_project) &&
-          deploy_token.write_registry?
+          can?(deploy_token, :create_container_image, requested_project)
       end
 
       ##
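Review bot: The two new `rule { … }.policy` blocks in the `-697,6 +713,14` hunk enable `:read_container_image` and `:create_container_image` with no `prevent` alongside them; they are only safe if the existing `container_registry_disabled` rule prevents these same abilities, which lies outside the hunk and should be confirmed. A comment on the first rule, `# Prevented by container_registry_disabled when the token is revoked or the registry is off`, would make that dependency visible next to the grant. The enclosing class continues on both sides of the hunk.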
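Review bot: After this change `deploy_token_can_pull?` and `deploy_token_can_push?` differ only in the ability symbol, which each repeats once in `has_authentication_ability?` and once in `can?`; a single private helper taking the ability keeps the two checks from drifting apart. The `deploy_token.present?` guard should stay ahead of `can?` so the policy is never evaluated for a nil principal. Both methods are shown in full, but the enclosing class continues outside the hunk.
```ruby
      def deploy_token_can_pull?(requested_project)
        deploy_token_can?(:read_container_image, requested_project)
      end

      def deploy_token_can_push?(requested_project)
        deploy_token_can?(:create_container_image, requested_project)
      end

      # Scope check (has_authentication_ability?) and policy check (can?)
      # for the current deploy token against one project.
      def deploy_token_can?(ability, requested_project)
        has_authentication_ability?(ability) &&
          deploy_token.present? &&
          can?(deploy_token, ability, requested_project)
      end
```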