Dependency Proxy: Separate authorization logic for JWT and GraphQL controllers
This is a follow-up to !149977 (merged) (#434291)
🌱 Context
Dependency Proxy for Containers uses these controllers:
- 1️⃣ Groups::DependencyProxiesController - used in rendering the Dependency Proxy UI
- 2️⃣ Groups::DependencyProxyForContainersController - used in handling docker login and docker pull requests
Both include the module DependencyProxy::GroupAccess and include the same before_action filters:

```ruby
included do
  before_action :verify_dependency_proxy_available!
  before_action :authorize_read_dependency_proxy!
end
```
💥 Problem
This results in unnecessarily complex logic in authorize_read_dependency_proxy!. The code that handles a web-authenticated user has to account for the case of a user that authenticated with a token, and vice versa.
We can simplify the code if we give
!149977 (merged) refactored authorize_read_dependency_proxy! and introduced two methods:
- authorize_read_dependency_proxy_for_users!
- authorize_read_dependency_proxy_for_tokens!
We should use these directly in
🚑 Solution
- Groups::DependencyProxyController:
  - add before_action :authorize_read_dependency_proxy_for_users!
  - add
- Groups::DependencyProxyForContainersController:
  - add before_action :authorize_read_dependency_proxy_for_tokens!
  - add
- DependencyProxy::GroupAccess:
  - remove authorize_read_dependency_proxy! method
  - remove before_action :authorize_read_dependency_proxy in included do..end block
  - remove
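The resulting layout, as an added example that is not GitLab's code: a minimal stand-in for Rails' before_action (assumed, since ActiveSupport is not loaded here), with the shared module keeping only the availability check and each controller declaring the authorization filter for the principal it actually serves. The group, user and token values are constructed hashes and strings.

```ruby
# Minimal stand-in for a Rails controller with before_action (assumption:
# not ActionController; just enough to run the filter chain in order).
class BaseController
  class Unauthorized < StandardError; end
  def self.filters; @filters ||= []; end
  def self.before_action(name); filters << name; end
  def self.inherited(sub) # subclasses start with the parent's filters
    super
    sub.instance_variable_set(:@filters, filters.dup)
  end
  attr_reader :group, :current_user, :token
  def initialize(group:, current_user: nil, token: nil)
    @group, @current_user, @token = group, current_user, token
  end
  # Run filters in declaration order; any filter may raise to halt the request.
  def run
    self.class.filters.each { |f| send(f) }
    :ok
  end
end

# Shared module: after the refactor only the availability check lives here.
module GroupAccess
  def self.included(base)
    base.before_action :verify_dependency_proxy_available!
  end
  def verify_dependency_proxy_available!
    raise BaseController::Unauthorized, 'proxy disabled' unless group[:dependency_proxy_enabled]
  end
end

# UI controller: only web-authenticated users are considered.
class DependencyProxiesController < BaseController
  include GroupAccess
  before_action :authorize_read_dependency_proxy_for_users!
  def authorize_read_dependency_proxy_for_users!
    raise Unauthorized, 'user cannot read' unless current_user && group[:readers].include?(current_user)
  end
end

# docker login / docker pull controller: only token-authenticated requests are considered.
class DependencyProxyForContainersController < BaseController
  include GroupAccess
  before_action :authorize_read_dependency_proxy_for_tokens!
  def authorize_read_dependency_proxy_for_tokens!
    ok = token && token[:scopes].include?('read_registry') && group[:readers].include?(token[:user])
    raise Unauthorized, 'token cannot read' unless ok
  end
end

# Helper for callers: true when the full filter chain passes.
def authorized?(controller)
  controller.run == :ok
rescue BaseController::Unauthorized
  false
end
```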
Edited by Radamanthus Batnag