Fix the required permission at the Group level for pulling packages.
Summary
With !57600 (merged), we modified the Maven package finder to improve its efficiency.
One of the improvements made was to implement #287638 (closed) by using an existing finder helper.
This causes an issue for the group-level Maven API.
Given this situation:
`Group` -> `Subgroup` -> `Project`
Before !57600 (merged):
Reporters of `Subgroup` could pull packages from `Project` by using the group level endpoint and targeting `Group`.
How is that possible?
- Users need the `read_group` permission on the target group (`Group`).
  - This is granted by the group policy, which basically says that if a user has access to any of the subprojects, it has access to the root group with the `read_group` permission.
- Users need the `read_package` permission on the project (`Project`).
  - This is granted by the usual role system, where reporters of `Subgroup` will be reporters on the contained projects.
  - The above will grant the `read_package` permission.
After !57600 (merged):
The same scenario will now fail.
- Users need the `read_group` permission on the target group (`Group`).
  - Same as before
- Users need the `read_package` permission on the project (`Project`).
  - Same as before
- In addition, users need `read_package` on the target group (`Group`).
  - This is a new check.
  - `read_package` on groups is only granted to direct reporters (or public groups).
    - Reporters of `Subgroup` will not have this 💥
Possible fixes
1. We could grant `read_package` the same way that `read_group` is granted for a Group but that will open things too much to my taste. This increases the risk of leaking private objects.
2. We can modify the package finder helper to enforce `read_group` instead of `read_package`.
   - This would mimic the same set of permissions checked for Maven APIs before the MR.
   - The package finder helper is also used by NuGet packages but this is fine as NuGet APIs directly check the `read_package` permission on the group.

Solution (2.) is the best one.
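
The scenario above as a small runnable model. This is an added example, not GitLab's policy or finder code: the `Node` and `Policy` classes, the `pull_allowed?` method, the user names and the numeric levels are all hypothetical, and the three rules are simplified to what this description states.

```ruby
# Simplified model of the permission checks described above (not GitLab code).
REPORTER = 20 # hypothetical numeric level for the reporter role

Node = Struct.new(:name, :parent, :members, :is_public, keyword_init: true) do
  # Ancestor chain, starting at the node itself.
  def chain
    parent ? [self] + parent.chain : [self]
  end

  # Highest role on this node, counting roles inherited from ancestors.
  def inherited_level(user)
    chain.map { |n| n.members.fetch(user, 0) }.max
  end
end

class Policy
  def initialize(projects)
    @projects = projects
  end

  def can?(user, ability, node)
    if ability == :read_group
      # Access to any project below the group grants read_group on it.
      @projects.any? { |p| p.chain.include?(node) && p.inherited_level(user) > 0 }
    elsif @projects.include?(node)
      # read_package on a project follows the usual (inherited) role system.
      node.inherited_level(user) >= REPORTER
    else
      # read_package on a group: direct reporters or public groups only.
      node.is_public || node.members.fetch(user, 0) >= REPORTER
    end
  end

  # Group-level pull of a package in `project` through `group`. group_check is
  # :read_package after !57600, :read_group before it and with fix 2.
  def pull_allowed?(user, group, project, group_check:)
    can?(user, :read_group, group) && can?(user, group_check, group) &&
      can?(user, :read_package, project)
  end
end

# Constructed sample hierarchy: alice is a reporter of Subgroup only.
GROUP    = Node.new(name: "Group", parent: nil, members: {}, is_public: false)
SUBGROUP = Node.new(name: "Subgroup", parent: GROUP, members: { "alice" => REPORTER }, is_public: false)
PROJECT  = Node.new(name: "Project", parent: SUBGROUP, members: {}, is_public: false)
POLICY   = Policy.new([PROJECT])

{ before: :read_group, after: :read_package, fix_2: :read_group }.each do |label, check|
  puts "#{label}: #{POLICY.pull_allowed?('alice', GROUP, PROJECT, group_check: check)}"
end
```

A user with no membership anywhere in the hierarchy is still refused under fix 2, because both `read_group` on the group and `read_package` on the project fail for them.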