Improve Protected Tag deletion error message
Summary
As of writing, the Protected tags documentation states that only maintainers and owners can delete a protected tag. However, in reality this is not the case. We have some conflicting logic: the UI allows maintainers+ to delete the tag, but the pre-receive hooks check whether the user is allowed to create the tag, so we end up in a situation where users that shouldn't be allowed to delete can attempt to and then receive a 500.
Screenshots
Add a user and No one to the Allowed to create config
When a maintainer that is not in this list tries to delete the protected tag they see a 500 error message.
Steps to Reproduce
- User A (Maintainer or Owner) creates `Protected Tag` named `v1.0.0` and sets `Allowed to create` Role to `No one`.
- User B (Maintainer) deletes the protected tag `v1.0.0` in the UI by following the steps here.
- Receive 500 error.
Proposal
- Update the UI logic hiding the `delete tag` button to check if the current user is allowed to create.
- Update the policy used in the tags API to check if the current user is allowed to create.
- Update the policy used in the tags controller to check if the current user is allowed to create.
- Update the documentation to reflect this correctly.
- Update the naming of the `Allowed to create` field to `Allowed to create and delete`
Is this a breaking change?
The documentation has been incorrect for 7 years. I would argue this isn't a breaking change as the pre-receive hook has always rejected these deletions. This is fixing a bug in the UX.
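The mismatch described in this issue, modelled as an added example that is not part of the original issue and is not GitLab's own code: one check decides whether the UI offers deletion, a different one decides whether the pre-receive hook accepts it, and the proposal makes every layer use the hook's rule. All class, method and constant names are hypothetical, and the users and tag are constructed to mirror the reproduction steps.

```ruby
# Illustrative model only: every name here is hypothetical, not GitLab's code.
MAINTAINER = 40 # assumed numeric role levels; higher means more privileged
OWNER = 50

User = Struct.new(:name, :access_level)

# allowed_level: minimum role allowed to create, or nil for "No one".
# allowed_users: users listed explicitly in "Allowed to create".
ProtectedTag = Struct.new(:name, :allowed_level, :allowed_users) do
  def allowed_to_create?(user)
    return true if allowed_users.include?(user.name)
    !allowed_level.nil? && user.access_level >= allowed_level
  end
end

# UI check as described in the issue: any maintainer or above is offered delete.
def ui_offers_delete?(user, _tag)
  user.access_level >= MAINTAINER
end

# Pre-receive hook as described: deletion is gated on "Allowed to create".
def hook_accepts_delete?(user, tag)
  tag.allowed_to_create?(user)
end

# Proposed behaviour: UI, API and controller defer to the rule the hook enforces.
def unified_can_delete?(user, tag)
  hook_accepts_delete?(user, tag)
end

# Users who are offered an action that the enforcement point will reject.
def mismatched_users(users, tag)
  users.select { |u| ui_offers_delete?(u, tag) && !hook_accepts_delete?(u, tag) }
       .map(&:name)
end

# Constructed sample data: User A is listed explicitly, the role is "No one".
USER_A = User.new("user_a", OWNER)
USER_B = User.new("user_b", MAINTAINER)
TAG = ProtectedTag.new("v1.0.0", nil, ["user_a"])

if __FILE__ == $PROGRAM_NAME
  puts "offered but rejected: #{mismatched_users([USER_A, USER_B], TAG).inspect}"
  puts "unified check for user_b: #{unified_can_delete?(USER_B, TAG)}"
end
```

Running `mismatched_users` over a project's maintainers and each protected tag is a quick way to list who would hit the rejected deletion before the UI and policies are aligned.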

