diff --git a/app/graphql/mutations/namespace/package_settings/update.rb b/app/graphql/mutations/namespace/package_settings/update.rb index 934b75193d7f09acaf29de489b5479e965247450..e499e6467814668022f1deac3942ca555fa10f7c 100644 --- a/app/graphql/mutations/namespace/package_settings/update.rb +++ b/app/graphql/mutations/namespace/package_settings/update.rb @@ -8,7 +8,7 @@ class Update < Mutations::BaseMutation include Mutations::ResolvesNamespace - authorize :create_package_settings + authorize :admin_package argument :namespace_path, GraphQL::Types::ID, diff --git a/app/graphql/types/namespace/package_settings_type.rb b/app/graphql/types/namespace/package_settings_type.rb index cb546bbf3ec859722b077f01fca81613e5a10ae8..7a0abe619a5aac3864b68a1d9c62e3380dbb1fe0 100644 --- a/app/graphql/types/namespace/package_settings_type.rb +++ b/app/graphql/types/namespace/package_settings_type.rb @@ -6,7 +6,7 @@ class Namespace::PackageSettingsType < BaseObject description 'Namespace-level Package Registry settings' - authorize :read_package_settings + authorize :admin_package field :generic_duplicate_exception_regex, Types::UntrustedRegexp, null: true, description: 'When generic_duplicates_allowed is false, you can publish duplicate packages with names that match this regex. Otherwise, this setting has no effect.' field :generic_duplicates_allowed, GraphQL::Types::Boolean, null: false, description: 'Indicates whether duplicate generic packages are allowed for this namespace.' diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index eaefd7fcf8f6394b1532aa7e92a2b163b20ed11f..f4e7256773c2bab18a7fb5b06e7f109976af2773 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb 
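Review bot: Swapping `authorize :read_package_settings` for `authorize :admin_package` on `Namespace::PackageSettingsType` also raises the bar for reading the settings, which neither the changelog lines added in this commit ("changed from developer to maintainer") nor the new permissions row ("Create/edit/delete") mentions. Judging by the neighbouring `read_*` abilities in the group_policy.rb hunk, `read_package_settings` appears to have been a reporter-level ability, so reporters and developers who could query the settings would presumably now get the object redacted. The type spec in this diff only pins the ability name via `require_graphql_authorizations(:admin_package)`; a request-level example asserting that a developer's query returns no package settings would cover the read path the way the mutation tables cover writes. A comment above the line such as `# Read and write share one ability: only maintainers and above may see these settings` would make the coupling explicit.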
@@ -139,7 +139,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :update_metrics_dashboard_annotation enable :create_custom_emoji enable :create_package - enable :create_package_settings enable :developer_access enable :admin_crm_organization enable :admin_crm_contact @@ -157,13 +156,13 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_metrics_dashboard_annotation enable :read_prometheus enable :read_package - enable :read_package_settings enable :read_crm_organization enable :read_crm_contact end rule { maintainer }.policy do enable :destroy_package + enable :admin_package enable :create_projects enable :admin_pipeline enable :admin_build diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb index 09b0f5d608d68a8d7e9671c34e4fb8a771ba2fa7..028247497e54ebbe2352df255407db58cdd967dc 100644 --- a/app/policies/namespaces/user_namespace_policy.rb +++ b/app/policies/namespaces/user_namespace_policy.rb @@ -14,8 +14,7 @@ class UserNamespacePolicy < ::NamespacePolicy enable :read_namespace enable :read_statistics enable :create_jira_connect_subscription - enable :create_package_settings - enable :read_package_settings + enable :admin_package end rule { ~can_create_personal_project }.prevent :create_projects diff --git a/app/services/namespaces/package_settings/update_service.rb b/app/services/namespaces/package_settings/update_service.rb index cbadbe5c907f1f9c16a4866349440246b87bd8e3..c0af090045003b303378da0a16c4e3d078e2404f 100644 --- a/app/services/namespaces/package_settings/update_service.rb +++ b/app/services/namespaces/package_settings/update_service.rb @@ -32,7 +32,7 @@ def package_settings end def allowed? - Ability.allowed?(current_user, :create_package_settings, @container) + Ability.allowed?(current_user, :admin_package, @container) end def package_settings_params 
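Review bot: With `enable :create_package_settings` and `enable :read_package_settings` removed here and in user_namespace_policy.rb, any call site outside this diff that still checks those two names would presumably evaluate to false rather than raise, so a missed reference would deny access quietly instead of failing a test. A search for both symbols across views, helpers and serializers is worth doing before merge. `admin_package` is also a broader name than the setting it guards, so a short comment above the new line in the maintainer rule, for example `# admin_package: read and change namespace package settings (duplicate rules)`, would help keep later checks from attaching unrelated capabilities to it. The rule blocks open outside both hunks; only the `rule { maintainer }` header is visible.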
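Review bot: `allowed?` in update_service.rb now repeats the `:admin_package` symbol that the mutation's `authorize` line and the GraphQL type also carry, and nothing ties the three together, so a later change to one of them could leave the service and the API layer enforcing different roles. A comment on the method, e.g. `# Must match the ability authorized in app/graphql/mutations/namespace/package_settings/update.rb`, would flag that. The service-level check itself is worth keeping, since it is what would protect any caller that does not go through the mutation.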
diff --git a/doc/user/packages/generic_packages/index.md b/doc/user/packages/generic_packages/index.md index 9dc859a37e2d55e0d9042c35890274a071d4ec23..37e1f0c3eb12fa2521a2c4e72b0c6a2ed249e02e 100644 --- a/doc/user/packages/generic_packages/index.md +++ b/doc/user/packages/generic_packages/index.md @@ -101,7 +101,8 @@ API or the UI. #### Do not allow duplicate Generic packages -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/293755) in GitLab 13.12. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/293755) in GitLab 13.12. +> - [Required permissions](https://gitlab.com/gitlab-org/gitlab/-/issues/350682) changed from developer to maintainer in GitLab 15.0. To prevent users from publishing duplicate generic packages, you can use the [GraphQl API](../../../api/graphql/reference/index.md#packagesettings) or the UI. diff --git a/doc/user/packages/maven_repository/index.md b/doc/user/packages/maven_repository/index.md index 6a515b78fc17fbd5d3ccf75abed06367a3202947..5bac7fc546363ac107ad15fe3c615cc05c8e6f12 100644 --- a/doc/user/packages/maven_repository/index.md +++ b/doc/user/packages/maven_repository/index.md @@ -617,7 +617,8 @@ To delete these older package versions, consider using the Packages API or the U #### Do not allow duplicate Maven packages -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/296895) in GitLab 13.9. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/296895) in GitLab 13.9. +> - [Required permissions](https://gitlab.com/gitlab-org/gitlab/-/issues/350682) changed from developer to maintainer in GitLab 15.0. To prevent users from publishing duplicate Maven packages, you can use the [GraphQl API](../../../api/graphql/reference/index.md#packagesettings) or the UI. diff --git a/doc/user/permissions.md b/doc/user/permissions.md index 134bc0c4206fcbc586c89e9dce0cb4882d68d6d2..af126b0f811e6be5204b2a8c4e57121f6dd34793 100644 --- a/doc/user/permissions.md +++ b/doc/user/permissions.md 
@@ -390,6 +390,7 @@ The following table lists group permissions available for each role: | Publish [packages](packages/index.md) | | | ✓ | ✓ | ✓ | | Pull [packages](packages/index.md) | | ✓ | ✓ | ✓ | ✓ | | Delete [packages](packages/index.md) | | | | ✓ | ✓ | +| Create/edit/delete [Maven and generic package duplicate settings](packages/generic_packages/index.md#do-not-allow-duplicate-generic-packages) | | | | ✓ | ✓ | | Pull a Container Registry image | ✓ (7) | ✓ | ✓ | ✓ | ✓ | | Remove a Container Registry image | | | ✓ | ✓ | ✓ | | View [Group DevOps Adoption](group/devops_adoption/index.md) | | ✓ | ✓ | ✓ | ✓ | diff --git a/spec/graphql/mutations/namespace/package_settings/update_spec.rb b/spec/graphql/mutations/namespace/package_settings/update_spec.rb index 978c81fadfad2eeb4a63d22ab062c56d4910514f..631e02ff3dc1789691221a3136bc581ea239d298 100644 --- a/spec/graphql/mutations/namespace/package_settings/update_spec.rb +++ b/spec/graphql/mutations/namespace/package_settings/update_spec.rb @@ -10,7 +10,7 @@ let(:params) { { namespace_path: namespace.full_path } } - specify { expect(described_class).to require_graphql_authorizations(:create_package_settings) } + specify { expect(described_class).to require_graphql_authorizations(:admin_package) } describe '#resolve' do subject { described_class.new(object: namespace, context: { current_user: user }, field: nil).resolve(**params) } @@ -68,7 +68,7 @@ where(:user_role, :shared_examples_name) do :maintainer | 'updating the namespace package setting' - :developer | 'updating the namespace package setting' + :developer | 'denying access to namespace package setting' :reporter | 'denying access to namespace package setting' :guest | 'denying access to namespace package setting' :anonymous | 'denying access to namespace package setting' 
@@ -88,7 +88,7 @@ where(:user_role, :shared_examples_name) do :maintainer | 'creating the namespace package setting' - :developer | 'creating the namespace package setting' + :developer | 'denying access to namespace package setting' :reporter | 'denying access to namespace package setting' :guest | 'denying access to namespace package setting' :anonymous | 'denying access to namespace package setting' diff --git a/spec/graphql/types/namespace/package_settings_type_spec.rb b/spec/graphql/types/namespace/package_settings_type_spec.rb index b9592d230caea0f04a6bcc853509bfa8b10edca8..f63a0a7010f85e53742d36099158927f79d9a9cd 100644 --- a/spec/graphql/types/namespace/package_settings_type_spec.rb +++ b/spec/graphql/types/namespace/package_settings_type_spec.rb @@ -7,7 +7,7 @@ specify { expect(described_class.description).to eq('Namespace-level Package Registry settings') } - specify { expect(described_class).to require_graphql_authorizations(:read_package_settings) } + specify { expect(described_class).to require_graphql_authorizations(:admin_package) } describe 'maven_duplicate_exception_regex field' do subject { described_class.fields['mavenDuplicateExceptionRegex'] } diff --git a/spec/policies/namespaces/project_namespace_policy_spec.rb b/spec/policies/namespaces/project_namespace_policy_spec.rb index f1022747fab8e8dc8a368beed719de86c36d9149..5ceea9dfb9d1aa2a047ae214427ea001ba6cd3a2 100644 --- a/spec/policies/namespaces/project_namespace_policy_spec.rb +++ b/spec/policies/namespaces/project_namespace_policy_spec.rb @@ -9,8 +9,8 @@ let(:permissions) do [:owner_access, :create_projects, :admin_namespace, :read_namespace, - :read_statistics, :transfer_projects, :create_package_settings, - :read_package_settings, :create_jira_connect_subscription] + :read_statistics, :transfer_projects, :admin_package, + :create_jira_connect_subscription] end subject { described_class.new(current_user, namespace) } 
diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb index 06db2f6e243051a25cf465fa3ae7ae972ae81b19..22c3f6a6d67ff4803e9878dff9abd9665acc0b50 100644 --- a/spec/policies/namespaces/user_namespace_policy_spec.rb +++ b/spec/policies/namespaces/user_namespace_policy_spec.rb @@ -8,7 +8,7 @@ let_it_be(:admin) { create(:admin) } let_it_be(:namespace) { create(:user_namespace, owner: owner) } - let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :create_package_settings, :read_package_settings] } + let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package] } subject { described_class.new(current_user, namespace) } diff --git a/spec/requests/api/graphql/mutations/namespace/package_settings/update_spec.rb b/spec/requests/api/graphql/mutations/namespace/package_settings/update_spec.rb index d335642d3217dec22b2fe1438bf5e01057a377c8..194e42bf59db1fc521171db99428e8bb7e316929 100644 --- a/spec/requests/api/graphql/mutations/namespace/package_settings/update_spec.rb +++ b/spec/requests/api/graphql/mutations/namespace/package_settings/update_spec.rb @@ -109,7 +109,7 @@ where(:user_role, :shared_examples_name) do :maintainer | 'accepting the mutation request updating the package settings' - :developer | 'accepting the mutation request updating the package settings' + :developer | 'denying the mutation request' :reporter | 'denying the mutation request' :guest | 'denying the mutation request' :anonymous | 'denying the mutation request' 
@@ -131,7 +131,7 @@ where(:user_role, :shared_examples_name) do :maintainer | 'accepting the mutation request creating the package settings' - :developer | 'accepting the mutation request creating the package settings' + :developer | 'denying the mutation request' :reporter | 'denying the mutation request' :guest | 'denying the mutation request' :anonymous | 'denying the mutation request' diff --git a/spec/services/namespaces/package_settings/update_service_spec.rb b/spec/services/namespaces/package_settings/update_service_spec.rb index 030bc03038e27840718af8d07ce2768c929b8cd3..ed385f1cd7f6800aa48d98acb39fc11329f84c8e 100644 --- a/spec/services/namespaces/package_settings/update_service_spec.rb +++ b/spec/services/namespaces/package_settings/update_service_spec.rb @@ -71,7 +71,7 @@ where(:user_role, :shared_examples_name) do :maintainer | 'updating the namespace package setting' - :developer | 'updating the namespace package setting' + :developer | 'denying access to namespace package setting' :reporter | 'denying access to namespace package setting' :guest | 'denying access to namespace package setting' :anonymous | 'denying access to namespace package setting' @@ -91,7 +91,7 @@ where(:user_role, :shared_examples_name) do :maintainer | 'creating the namespace package setting' - :developer | 'creating the namespace package setting' + :developer | 'denying access to namespace package setting' :reporter | 'denying access to namespace package setting' :guest | 'denying access to namespace package setting' :anonymous | 'denying access to namespace package setting' diff --git a/spec/support/shared_contexts/policies/group_policy_shared_context.rb b/spec/support/shared_contexts/policies/group_policy_shared_context.rb index e35f5ae9f99f72839f9f433e88b1e10371dd2b76..483bca07ba65ab8c7778b29ea856b1da325d468c 100644 --- a/spec/support/shared_contexts/policies/group_policy_shared_context.rb +++ b/spec/support/shared_contexts/policies/group_policy_shared_context.rb 
@@ -33,7 +33,6 @@ read_container_image read_metrics_dashboard_annotation read_prometheus - read_package_settings read_crm_contact read_crm_organization ] @@ -46,7 +45,6 @@ update_metrics_dashboard_annotation create_custom_emoji create_package - create_package_settings read_cluster ] end @@ -54,6 +52,7 @@ let(:maintainer_permissions) do %i[ destroy_package + admin_package create_projects create_cluster update_cluster admin_cluster add_cluster ]