2 files changed, 3 insertions, 2 deletions

diff --git a/app/models/deploy_token.rb b/app/models/deploy_token.rb
index b47b2ff4c3f..8dae821a10e 100644
--- a/app/models/deploy_token.rb
+++ b/app/models/deploy_token.rb
@@ -34,7 +34,7 @@ class DeployToken < ActiveRecord::Base
   end
 
   def has_access_to?(requested_project)
-    project == requested_project
+    active? && project == requested_project
   end
 
   # This is temporal. Currently we limit DeployToken
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 8f050072f74..f28cddb2af3 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -149,7 +149,8 @@ module Auth
     def deploy_token_can_pull?(requested_project)
       has_authentication_ability?(:read_container_image) &&
         current_user.is_a?(DeployToken) &&
-        current_user.has_access_to?(requested_project)
+        current_user.has_access_to?(requested_project) &&
+        current_user.read_registry?
     end
 
     ##