author | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-09-13 15:27:05 +0200 |
---|---|---|
committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-09-13 15:27:05 +0200 |
commit | 571226f166f638f821ce84b90bce9cec1e5d5d06 (patch) | |
tree | 27cefbdc529510f757df251f125e344c7deeaf7c /app/services/auth | |
parent | 505dc808b3c0dc98413506446d368b91b56ff682 (diff) | |
Make result to return project and capabilities granted
Diffstat (limited to 'app/services/auth')
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 23 |
1 files changed, 9 insertions, 14 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 270d5a11d9e..cba0e2297a8 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -4,8 +4,8 @@ module Auth
 AUDIENCE = 'container_registry'
- def execute(access_type: access_type)
- @access_type = access_type
+ def execute(capabilities: capabilities)
+ @capabilities = capabilities
 return error('not found', 404) unless registry.enabled
@@ -91,33 +91,28 @@ module Auth
 private
 def restricted_user_can_pull?(requested_project)
- return false unless restricted?
-
 # Restricted can:
 # 1. pull from it's own project (for ex. a build)
 # 2. read images from dependent projects if he is a team member
- requested_project == project || can?(current_user, :restricted_read_container_image, requested_project)
+ requested_project == project ||
+ has_ability?(:restricted_read_container_image, requested_project)
 end
 def privileged_user_can_pull?(requested_project)
- full? && can?(current_user, :read_container_image, requested_project)
+ has_ability?(:read_container_image, requested_project)
 end
 def restricted_user_can_push?(requested_project)
 # Restricted can push only to project to from which he originates
- restricted? && requested_project == project
+ requested_project == project
 end
 def privileged_user_can_push?(requested_project)
- full? && can?(current_user, :create_container_image, requested_project)
- end
-
- def full?
- @access_type == :full
+ has_ability?(:create_container_image, requested_project)
 end
- def restricted?
- @access_type == :restricted
+ def has_ability?(ability, requested_project)
+ @capabilities.include?(ability) && can?(current_user, ability, requested_project)
 end
 end
 end |
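Review bot: The keyword default in `def execute(capabilities: capabilities)` refers to the parameter itself, which Ruby evaluates to `nil` when the caller omits the argument, so `@capabilities` can end up nil. With the old `access_type` a nil value only made `full?` and `restricted?` false; now the new `has_ability?` calls `@capabilities.include?` and would raise NoMethodError instead of producing a clean denial. Make the keyword required, `def execute(capabilities:)`, or default it to an empty list, `def execute(capabilities: [])`, so a missing value denies access. The rest of `execute` lies outside the hunk.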
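Review bot: `restricted_user_can_push?` now returns `requested_project == project` on its own, and the first arm of `restricted_user_can_pull?` does the same, so neither path consults `@capabilities`; before this change both were gated on `restricted?`. The callers of these predicates are outside the hunk, but if they are reached for a request whose granted capabilities do not include restricted registry access, any request with `project` set would be allowed to pull from and push to that project. Keep an explicit capability gate on both, for example `@capabilities.include?(:restricted_read_container_image) && requested_project == project` for pull and the equivalent with the restricted push capability (`RESTRICTED_PUSH_CAPABILITY`, placeholder) for push. A short comment on `has_ability?` stating that an ability must be both granted at authentication time and permitted by `can?` would make the intended double check explicit.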