Add auth check to delete tag endpoint
What does this MR do and why?
Fixes Delete Tag endpoint should return forbidden whe... (#494977 - closed)
Add auth check to delete tag endpoint
Prior to this change the delete tag endpoint did not enforce protected
tag logic. Our protected tags UI only allows maintainers and owners to
delete tags which are protected; however, our API allowed anyone who can
push to attempt to delete the tag. We were not at risk as the logic
downstream will reject the change during the tag_check phase; however,
it meant that users would see a 500 error instead of a nice 403 error.
This change adds a new policy for the Gitlab::Git::Tag model which
checks if the tag is currently protected.
If the tag is not protected we allow developers+ to delete them.
If the tag is protected we allow maintainers+ to delete them.
Co-authored-by: @nav-j
Changelog: fixed
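A simplified model of the behaviour described above, added here as an illustration; it is not code from this MR or from GitLab. The role levels, the wildcard matching of protected tag names, the 204 success status and all method names are assumptions of the sketch. It shows the endpoint before the change (downstream rejection surfaces as a 500) next to the endpoint with the policy check in front (403).

```ruby
# Assumed role levels for this sketch (higher means more access).
ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Constructed sample data: name patterns that mark a tag as protected.
PROTECTED_PATTERNS = ['v*', 'release'].freeze

def protected_tag?(name, patterns = PROTECTED_PATTERNS)
  patterns.any? { |pattern| File.fnmatch?(pattern, name) }
end

# The policy from the description: unprotected tags need developer+,
# protected tags need maintainer+.
def can_delete_tag?(role, tag_name)
  required = protected_tag?(tag_name) ? ACCESS[:maintainer] : ACCESS[:developer]
  ACCESS.fetch(role) >= required
end

class TagCheckRejected < StandardError; end

# Hypothetical stand-in for the downstream tag_check phase, which
# already refused the deletion before this change.
def downstream_delete(role, tag_name)
  if protected_tag?(tag_name) && ACCESS.fetch(role) < ACCESS[:maintainer]
    raise TagCheckRejected, "cannot delete protected tag #{tag_name}"
  end
  :deleted
end

# Before: only push access is checked, so the downstream rejection
# reaches the caller as a server error.
def delete_tag_before(role, tag_name)
  return 403 unless ACCESS.fetch(role) >= ACCESS[:developer]
  downstream_delete(role, tag_name)
  204
rescue TagCheckRejected
  500
end

# After: the policy is evaluated first and denies with 403.
def delete_tag_after(role, tag_name)
  return 403 unless can_delete_tag?(role, tag_name)
  downstream_delete(role, tag_name)
  204
rescue TagCheckRejected
  500
end
```

The downstream check stays in place in both versions; the policy only moves the denial to the API layer so the caller gets an authorization error instead of a server error.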