Auditors don't have rights to read packages

Summary

According to the docs Auditor users have a read-only access to all groups, projects, and other resources.

There might be some inconsistency between the documentation and current behavior since auditors don't have rights to read packages from private groups with no membership in it:

u = User.last
u.auditor?
=> true

g = Group.last
policy = GroupPolicy.new(u, g)

policy.can?(:read_group)
=> true
policy.can?(:read_package)
=> false
policy.can?(:read_container_image)
=> true