
Relax access level checks for the NuGet group level endpoint

🔥 Problem

The NuGet group level endpoint for private groups currently requires:

  1. At least reporter access level to the target group because of a read_package check on that group.
  2. At least reporter access level to the project hosting the package because of a read_package check on that project.

This is different from what the Maven Repository is doing:

  1. At least reporter access level to the project hosting the package because of a read_package check on that project.

As such, for the NuGet Repository, users of the group level endpoint need to be direct members of the target group with at least the reporter access level.

Depending on the conditions, this is not always possible.

See #36425 (comment 1229986536) for a detailed analysis.

🚒 Solution

The NuGet group level endpoint should do strictly the same checks as the Maven group level endpoint:

  • read_group on the target group. This is automatically granted. See this rule.
  • read_package on the project hosting the target package.

In other words, we should stop checking read_package on the target group.

Edited by David Fernandez
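
The following is an added example, not GitLab's code: a simplified Ruby model of the current and proposed checks, used to list which users gain access to which packages when the group-level `read_package` check is dropped. The users, packages, numeric levels and function names are constructed for illustration, `read_package` is modelled as "at least reporter" as described above, and `read_group` is modelled as always granted, as the issue states.

```ruby
REPORTER = 20 # numeric levels are part of this model
GUEST = 10

# Constructed sample data: packages in group "acme", keyed by hosting project.
PACKAGES = { "Acme.Core" => "acme/lib-a", "Acme.Utils" => "acme/lib-b" }.freeze

# Constructed users: access level per group and per project.
USERS = {
  "alice" => { groups: { "acme" => REPORTER },
               projects: { "acme/lib-a" => REPORTER, "acme/lib-b" => REPORTER } },
  "bob"   => { groups: {}, projects: { "acme/lib-a" => REPORTER } },
  "carol" => { groups: { "acme" => GUEST }, projects: { "acme/lib-a" => GUEST } },
  "dave"  => { groups: {}, projects: {} }
}.freeze

# read_package modelled as "at least reporter" on the given group or project.
def read_package?(levels, target)
  levels.fetch(target, 0) >= REPORTER
end

# read_group on the target group: automatically granted per the issue text.
def read_group?(_user, _group)
  true
end

# Current NuGet behaviour: read_package on the group AND on the hosting project.
def current_nuget(user, group)
  return [] unless read_package?(user[:groups], group)
  PACKAGES.select { |_, project| read_package?(user[:projects], project) }.keys
end

# Proposed (Maven-like) behaviour: read_group on the group, read_package on the project.
def proposed_nuget(user, group)
  return [] unless read_group?(user, group)
  PACKAGES.select { |_, project| read_package?(user[:projects], project) }.keys
end

# Packages each user gains under the proposal; users with no change are omitted.
def access_diff(group)
  USERS.each_with_object({}) do |(name, user), diff|
    gained = proposed_nuget(user, group) - current_nuget(user, group)
    diff[name] = gained unless gained.empty?
  end
end

p access_diff("acme") if __FILE__ == $PROGRAM_NAME
```

In this model only the project-level reporter without direct group membership gains anything, and only for the package in the project they can already read; the project-level `read_package` check still gates every package.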