Skip to content

Update policy for granting `build_read_container_image` to users

Reuben Pereira requested to merge 18792-correct-reads into master

What does this MR do?

We are in the process of migrating code to use ProjectFeature#container_registry_access_level instead of Project#container_registry_enabled.

With projects.container_registry_enabled, the container registry had the same visibility as the project. So if the project is public, the container registry is public. Now, with projects.container_registry_access_level, if container_registry_access_level is set to PRIVATE, the container registry should be private even if the project is public.

project_features.container_registry_access_level can currently contain the following values, ENABLED and DISABLED. This mimics the behavior of projects.container_registry_enabled. Before we start allowing the 3rd possible value (PRIVATE), we need to ensure that all locations where we check if the container registry is enabled should be changed to check if the container registry is enabled for the current user/actor.

This MR updates project_policy.rb to grant build_read_container_image permission to all signed in users (for public or internal projects) only if container registry is ENABLED.

Screenshots or Screencasts (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related to #18792 (closed)

Edited by Reuben Pereira

Merge request reports

Loading