Allow Guests to download packages from private projects
Context
You can use the GitLab Package Registry to publish and download packages, authenticating with a personal access token, a job token, or a deploy token.
In order to publish a package, you need Developer+ permissions. In order to download a package, you must have Reporter+ permissions for private projects and Guest+ for public projects.
Problem to solve
Guests do not currently have the ability to download packages from private, internal projects. Why is this important? Guest permissions are a valuable feature that allows GitLab customers to reduce costs and be more efficient.
Proposal
Guest users that have authenticated and have read access to a project should have read access to the packages within that project.
This originally came up in #299384 (comment 631838750) and permissions were added for guests for public projects. This issue will focus on adding permissions for private projects.
Why is this important? Packages are often assets of a Release. According to the docs, Guests should have permission to download assets from a Release. So there is a disconnect between product features.
Docs
- !66567 (merged) fixed the permissions docs to reflect that guests do have permission to download packages from public projects.
Links
- Related to #333444 (closed) which will address this for the job token
- Related to #299384 (closed) which made generic packages available for download by Guests in public projects.