author | Kamil TrzciĆski <ayufan@ayufan.eu> | 2018-04-05 16:49:18 +0300 |
---|---|---|
committer | Mayra Cabrera <mcabrera@gitlab.com> | 2018-04-07 05:20:16 +0300 |
commit | 72220a99d1cdbcf8a914f9e765c43e63eaee2548 (patch) | |
tree | 314df7454174092bee8f1ea83d6bda53d760959e /lib/gitlab/auth.rb | |
parent | 171b2625b128e5954ce0a150a4fc923a22164e4e (diff) |
Support Deploy Tokens properly without hacking abilities
Diffstat (limited to 'lib/gitlab/auth.rb')
-rw-r--r-- | lib/gitlab/auth.rb | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 35458f607c6..336cdbab5f0 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -26,7 +26,7 @@ module Gitlab
 lfs_token_check(login, password, project) ||
 oauth_access_token_check(login, password) ||
 personal_access_token_check(password) ||
- deploy_token_check(project, password) ||
+ deploy_token_check(login, password) ||
 user_with_password_for_git(login, password) ||
 Gitlab::Auth::Result.new
@@ -176,18 +176,18 @@ module Gitlab
 # Project is always sent when using read_scope,
 # but is not sent when using read_registry scope
 # (since jwt is not context aware of the project)
- def deploy_token_check(project, password)
+ def deploy_token_check(login, password)
 return unless password.present?
 token =
- if project.present?
- DeployToken.active.find_by(project: project, token: password)
- else
- DeployToken.active.find_by(token: password)
- end
-
- if token && valid_scoped_token?(token, available_scopes)
- Gitlab::Auth::Result.new(token, token.project, :deploy_token, abilities_for_scopes(token.scopes))
+ DeployToken.active.find_by(token: password)
+
+ return unless token
+ return unless login != "gitlab+deploy-token-#{token.id}"
+
+ scopes = abilities_for_scopes(token.scopes)
+ if valid_scoped_token?(token, scopes)
+ Gitlab::Auth::Result.new(token, token.project, :deploy_token, scopes)
 end
 end
@@ -242,7 +242,7 @@ module Gitlab
 [
 :read_project,
 :build_download_code,
- :project_read_container_image,
+ :build_read_container_image,
 :build_create_container_image
 ]
 end
|
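Review bot: The new guard `return unless login != "gitlab+deploy-token-#{token.id}"` in deploy_token_check is inverted: as written it returns nil when the login matches the token's expected username and lets every other login continue to a successful Result. The condition should read `return unless login == "gitlab+deploy-token-#{token.id}"`, and a spec covering both a matching and a mismatching login would pin the behaviour. The comment above the method still describes the `project` parameter that this change removes, so it should be rewritten to say the token is looked up by value alone and then bound to its username. It is also worth confirming that `valid_scoped_token?` is meant to receive the abilities in `scopes` rather than `available_scopes` as before; its definition is outside the hunk.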