
Add auth check to delete tag endpoint

Joe Woodward requested to merge fix/tag-api-delete-auth into master

What does this MR do and why?

Fixes Delete Tag endpoint should return forbidden whe... (#494977 - closed)

Add auth check to delete tag endpoint

Prior to this change, the delete tag endpoint did not enforce protected tag logic. Our protected tags UI only allows maintainers and owners to delete tags which are protected; however, our API allowed anyone who can push to attempt to delete the tag. We were not at risk, as the logic downstream will reject the change during the tag_check phase; however, it meant that users would see a 500 error instead of a nice 403 error.

This change adds a new policy for the Gitlab::Git::Tag model which checks if the tag is currently protected.

If the tag is not protected we allow developers+ to delete them. If the tag is protected we allow maintainers+ to delete them.

Co-authored-by: @nav-j

Changelog: fixed
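The rule described above, as an added, self-contained example that is not GitLab's own code and does not use its DeclarativePolicy framework: a plain Ruby policy object that maps a user's access level and a tag's protection status to an allow/deny decision, and from there to the 403 the API should return instead of a 500. The `TagDeletePolicy` class, the `ProtectedTagRule` struct, the numeric access levels and the trailing-`*` wildcard matching are all assumptions made for this example.

```ruby
# Added example, not GitLab's code. Models the MR's rule: developers and above
# may delete unprotected tags; only maintainers and above may delete protected
# tags. Everything below (class names, access level numbers, wildcard syntax)
# is an assumption made for illustration.

# Access levels ordered so that ">=" expresses "this role or higher".
ACCESS_LEVELS = {
  guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50
}.freeze

# Constructed stand-in for a protected-tag rule: an exact tag name, or a
# prefix followed by "*" (assumed wildcard syntax for this example).
ProtectedTagRule = Struct.new(:name_pattern) do
  def matches?(tag_name)
    if name_pattern.end_with?("*")
      tag_name.start_with?(name_pattern.chomp("*"))
    else
      tag_name == name_pattern
    end
  end
end

class TagDeletePolicy
  # protected_rules: the project's ProtectedTagRule list
  def initialize(protected_rules)
    @protected_rules = protected_rules
  end

  # A tag is protected if any rule of the project matches its name.
  def protected?(tag_name)
    @protected_rules.any? { |rule| rule.matches?(tag_name) }
  end

  # true if a user holding +access_level+ (symbol) may delete +tag_name+.
  # Unknown roles are denied rather than treated as the lowest level.
  def can_delete?(access_level, tag_name)
    level = ACCESS_LEVELS[access_level]
    return false unless level

    required = protected?(tag_name) ? ACCESS_LEVELS[:maintainer] : ACCESS_LEVELS[:developer]
    level >= required
  end

  # The HTTP status the endpoint should answer with: 204 on a permitted
  # delete, 403 Forbidden when the policy denies it. Checking here, before
  # the change reaches the downstream tag check, is what avoids the 500.
  def delete_status(access_level, tag_name)
    can_delete?(access_level, tag_name) ? 204 : 403
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample project: "v*" and "release" are protected.
  policy = TagDeletePolicy.new([ProtectedTagRule.new("v*"), ProtectedTagRule.new("release")])
  [[:developer, "feature-x"], [:developer, "v1.0.0"], [:maintainer, "v1.0.0"]].each do |role, tag|
    puts "#{role} deleting #{tag}: HTTP #{policy.delete_status(role, tag)}"
  end
end
```

The decision lives in one place (`can_delete?`) and the HTTP mapping in another (`delete_status`), so the same policy object can back both the UI and the API and the two cannot drift apart again.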

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Edited by Joe Woodward
