Update Pages permissions checks

Ben King requested to merge benjaminking-pages-permissions into master

What does this MR do and why?

TO-DO: Documentation updates

This merge request updates the code for the Pages service in GitLab. As noted in this issue, API calls for patch or delete can only be handled by an Administrator due to a check against can_read_all_resources.

This MR considers if the user can :remove_pages or :update_pages to handle the request instead.

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Deploy a GitLab Pages project. Ensure that Pages is active.
  2. As the project owner, perform patch (update) and delete (remove) actions via the API endpoints.
  3. Repeat this with a user with Maintainer permissions. The result should stay the same.
  4. Repeat with a user with no permissions and/or Developer permissions. The user will receive a 404.
Edited by Ben King
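
A simplified Ruby model of the permission change described in this merge request, added as an example and not taken from the MR diff or from GitLab's code base. The role-to-ability table, the `User` struct and the helper names are assumptions for illustration; the ability names and the expected outcomes per role come from the description and validation steps above.

```ruby
# Simplified model of the Pages permission change; not GitLab's own code.
# Ability names (:update_pages, :remove_pages) and expected outcomes come from
# the MR description; the table and helper names below are assumptions.
User = Struct.new(:name, :role, :admin, keyword_init: true)

# Assumed mapping, matching the validation steps: Owner and Maintainer hold
# both Pages abilities, Developer and non-members hold neither.
PAGES_ABILITIES = {
  owner:      %i[update_pages remove_pages],
  maintainer: %i[update_pages remove_pages],
  developer:  [],
  none:       []
}.freeze

# Each API action is gated by its own ability.
ACTION_ABILITY = { patch: :update_pages, delete: :remove_pages }.freeze

def can?(user, ability)
  user.admin || PAGES_ABILITIES.fetch(user.role, []).include?(ability)
end

# Before: only users who can read all resources (administrators) pass.
def authorize_before(user, _action)
  user.admin ? :allowed : :not_found
end

# After: the per-action ability decides. A denial is still reported as 404
# (:not_found), so the response does not confirm that the project exists.
def authorize_after(user, action)
  ability = ACTION_ABILITY.fetch(action) { raise ArgumentError, "unknown action: #{action}" }
  can?(user, ability) ? :allowed : :not_found
end

# Builds the before/after result for every user and action.
def permission_matrix(users)
  users.each_with_object({}) do |user, rows|
    ACTION_ABILITY.each_key do |action|
      rows[[user.name, action]] =
        { before: authorize_before(user, action), after: authorize_after(user, action) }
    end
  end
end

# Constructed sample users covering the roles named in the validation steps.
SAMPLE_USERS = [
  User.new(name: "admin", role: :none, admin: true),
  User.new(name: "owner", role: :owner, admin: false),
  User.new(name: "maintainer", role: :maintainer, admin: false),
  User.new(name: "developer", role: :developer, admin: false),
  User.new(name: "outsider", role: :none, admin: false)
].freeze

permission_matrix(SAMPLE_USERS).each { |key, row| puts "#{key.join(' ')}: #{row}" } if __FILE__ == $PROGRAM_NAME
```

The rows worth checking in a real test suite are the ones that change (Owner, Maintainer) and the ones that must not (Developer, non-member), for both `patch` and `delete`.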
