Guests cannot pull an npm package from an internal group
Context
A self-managed customer is having an issue with permissions when trying to install npm packages from a group. They have an internal project that a guest user has access to. But, when trying to install the npm package from the group, they are receiving an error: "Something went wrong while fetching the packages list."
Basically, members of a sub-entity (like a sub-project) can get permissions on parent objects. This is not intuitive but that’s what this rule states: if you can read any project of a given group, you have read_group on that group.
However, given the project is set to internal, according to the permissions breakdown, a guest should have access to pull packages.
Problem to solve
Investigate the permissions logic for the npm registry and identify that everything is working as intended.
Related to !58329 (merged)