authorSean McGivern <sean@mcgivern.me.uk>2017-11-24 12:09:38 +0300
committerTiago <tiagonbotelho@hotmail.com>2017-11-28 15:28:31 +0300
commitb44f26ee957d0a02ceefb6c66a2523c8fd2d3d54 (patch)
tree1b1f9ecb63c8e86570417b960f31a2c4f2ee21cc /lib
parent1c21cb2bcc95e5a8015f5a3b3b824ed223a2d84a (diff)
Merge branch 'dm-fix-registry-with-sudo-token' into 'master'
Fix pulling and pushing using a personal access token with the sudo scope Closes #40466 See merge request gitlab-org/gitlab-ce!15571 (cherry picked from commit 89c9d2ad6b792885d234f153f2e13ee96639e4f8) 453b1780 Fix pulling and pushing using a personal access token with the sudo scope
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/auth.rb25
1 files changed, 10 insertions, 15 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index cbbc51db99e..0e7958ef90f 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -128,7 +128,7 @@ module Gitlab
token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)
if token && valid_scoped_token?(token, available_scopes)
- Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scope(token.scopes))
+ Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
end
end
@@ -140,10 +140,15 @@ module Gitlab
AccessTokenValidationService.new(token).include_any_scope?(scopes)
end
- def abilities_for_scope(scopes)
- scopes.map do |scope|
- self.public_send(:"#{scope}_scope_authentication_abilities") # rubocop:disable GitlabSecurity/PublicSend
- end.flatten.uniq
+ def abilities_for_scopes(scopes)
+ abilities_by_scope = {
+ api: full_authentication_abilities,
+ read_registry: [:read_container_image]
+ }
+
+ scopes.flat_map do |scope|
+ abilities_by_scope.fetch(scope.to_sym, [])
+ end.uniq
end
def lfs_token_check(login, password, project)
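Review bot: The `abilities_by_scope.fetch(scope.to_sym, [])` default in `abilities_for_scopes` makes every scope absent from the hash grant no abilities, but nothing in the method says this deny-by-default is intentional. The commit also deletes the only comment that explained why `read_user` grants nothing. I would add a comment above the hash such as `# Scopes not listed here (e.g. sudo, read_user) deliberately grant no abilities for this auth method; add an entry only when a scope must allow an action.` so that a later scope is not mapped to `full_authentication_abilities` by habit. A spec asserting that a token carrying only an unmapped scope yields an empty abilities list would pin the behaviour; the diff shown is limited to `lib`, so I cannot tell whether one was added.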
@@ -222,16 +227,6 @@ module Gitlab
:admin_container_image
]
end
- alias_method :api_scope_authentication_abilities, :full_authentication_abilities
-
- def read_registry_scope_authentication_abilities
- [:read_container_image]
- end
-
- # The currently used auth method doesn't allow any actions for this scope
- def read_user_scope_authentication_abilities
- []
- end
def available_scopes(current_user = nil)
scopes = API_SCOPES + registry_scopes