Add auth check to delete tag endpoint
Prior to this change the delete tag endpoint did not enforce protected tag logic. Our protected tags UI only allows owners to delete tags which are protected; however, our API allowed anyone who can push to attempt to delete the tag. We were not exposed, as the logic downstream would reject the change during the tag_check phase; however, it meant that users would see a 500 error instead of a nice 403 error.

This change adds a new policy for the Gitlab::Git::Tag model which checks if the tag is currently protected. If the tag is not protected we allow developers+ to delete them. If the tag is protected we only allow owners to delete them.

Co-authored-by: @nav-j
Changelog: fixed
- app/policies/gitlab/git/tag_policy.rb: 19 additions, 0 deletions
- app/services/tags/destroy_service.rb: 15 additions, 11 deletions
- lib/api/tags.rb: 3 additions, 4 deletions
- spec/policies/gitlab/git/tag_policy_spec.rb: 56 additions, 0 deletions
- spec/requests/api/tags_spec.rb: 46 additions, 2 deletions
- spec/services/tags/destroy_service_spec.rb: 31 additions, 10 deletions
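The commit message describes an authorization rule (developers and above may delete unprotected tags, only owners may delete protected ones) that is evaluated up front so callers get a 403 rather than a downstream 500. The following stand-alone Ruby sketch is an added illustration of that pattern and is not GitLab's code: the role ranking, the wildcard matching of protected tag patterns, the `TagPolicy`/`DestroyTagService` class names and the `Result` shape are all assumptions made for the example.

```ruby
# Added illustration (not GitLab's code) of "check the policy before acting":
# an authorization decision made in the service layer, so an unauthorized
# caller is refused with 403 instead of failing later with a 500.

# Assumed role ordering; higher rank implies every lower permission.
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Tag  = Struct.new(:name)
User = Struct.new(:name, :role)

class Project
  attr_reader :tags, :protected_patterns

  # protected_patterns: assumed shell-style wildcards such as "v*" (constructed for the example)
  def initialize(tags:, protected_patterns:)
    @tags = tags
    @protected_patterns = protected_patterns
  end

  def tag_protected?(tag)
    protected_patterns.any? { |pattern| File.fnmatch(pattern, tag.name) }
  end
end

# Hypothetical policy object: answers "may this user destroy this tag?"
class TagPolicy
  def initialize(user, project, tag)
    @user = user
    @project = project
    @tag = tag
  end

  def can_destroy?
    rank = ROLE_RANK.fetch(@user.role, 0)
    required = @project.tag_protected?(@tag) ? ROLE_RANK[:owner] : ROLE_RANK[:developer]
    rank >= required
  end
end

# Hypothetical service: consults the policy first, then performs the deletion.
class DestroyTagService
  Result = Struct.new(:status, :http_status, :message)

  def initialize(project, user)
    @project = project
    @user = user
  end

  def execute(tag_name)
    tag = @project.tags.find { |t| t.name == tag_name }
    return Result.new(:error, 404, 'tag not found') unless tag

    # Authorization happens here, before any write, so the caller sees 403.
    unless TagPolicy.new(@user, @project, tag).can_destroy?
      return Result.new(:error, 403, "#{@user.name} may not delete #{tag.name}")
    end

    @project.tags.delete(tag)
    Result.new(:success, 204, "deleted #{tag.name}")
  end
end

# Constructed sample project: release tags matching "v*" are protected.
def demo_project
  Project.new(tags: [Tag.new('v1.0.0'), Tag.new('nightly-42')], protected_patterns: ['v*'])
end

if $PROGRAM_NAME == __FILE__
  dev = User.new('dev', :developer)
  puts DestroyTagService.new(demo_project, dev).execute('v1.0.0').to_a.inspect
  puts DestroyTagService.new(demo_project, dev).execute('nightly-42').to_a.inspect
end
```

The point of the shape is that the policy is a pure decision (`can_destroy?`) separated from the action, which makes it straightforward to unit test every role against both protected and unprotected tags, mirroring the spec files listed in the commit.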