Description:

This is an issue found in Quay Proxy Cache, when a Quay organization is set as Proxy Cache, it should be a read-only organization so no one can push to this organization or create new content within it, can only pull through the organizations in the form of a cache, but the current behavior is Quay user with write/admin role can still push images to this read-only organization successfully, pls review this issue.

The expected behaviors:

• users has read-only permission can pull an uncached image and that’ll trigger Quay to cache that image from the upstream and create a new image repo in the pull through cache organization
• users has write/admin permission cannot push a new image to create a new image repo in the pull through cache organization
• organization being set as pull through cache (proxy cache) becomes “read-only” from the client (users) perspective since it can only be updated via the image pulling and not the direct image push